Security

Security-focusedAI code review

Catch injection risks, auth gaps, and unsafe defaults in the diff before merge. CodeCritic reasons about context linters miss: trust boundaries, data exposure, and common vulnerability patterns across stacks.

OWASP-style patternssecrets hygieneauth flowsinput validationseverity tiers
How it works

Context beyond regex

A raw SQL string in one file and missing authorization in another may only look risky together. Review reads surrounding changes to flag likely exploit paths.

Severity you can enforce

Blocking items map to merge policy in CI. Should-fix and nit tiers keep security backlog visible without stopping every typo-level note.

Complements SAST

Static analyzers excel at known signatures. CodeCritic adds narrative findings for logic flaws and misconfigured guards that rule packs often skip.

Security review checklist in the diff

Each review pass looks for categories your security team would ask about in a manual read.

  • Authentication and authorization on new endpoints or UI routes.
  • Secrets, tokens, or credentials committed or logged.
  • User-controlled input reaching queries, shells, or file paths.
  • Crypto misuse, weak randomness, or disabled certificate validation.

Sample output

Example findings

Blocking

SQL built from request params

User input is concatenated into a query string. Parameterized queries or an ORM bound parameter removes injection risk.

Before

const q = "SELECT * FROM users WHERE email = '" + req.body.email + "'";

Suggested direction

const q = 'SELECT * FROM users WHERE email = $1';
await db.query(q, [req.body.email]);
Should fix

Missing auth on admin route

This handler mutates billing state but no session or role check appears in the changed lines or obvious middleware.

Before

app.post('/admin/refund', async (req, res) => {
  await billing.refund(req.body.orderId);
});

Illustrative patterns from real review categories. Your output depends on diff size, language, and context.

FAQ

Common questions

No. It accelerates day-to-day secure coding in PRs. Periodic pentests and dependency scanning remain part of a full program.

Shift security left on every change

Run a security-weighted review on your riskiest module and compare findings to your last manual audit sample.

Integrations