How to use AI for security review on pull requests
A technically grounded workflow for AI-assisted security review: map trust boundaries, demand exploit paths, prioritize changed behavior, and keep deterministic security controls in place.
A technically grounded workflow for AI-assisted security review: map trust boundaries, demand exploit paths, prioritize changed behavior, and keep deterministic security controls in place.
Security review is an attractive use case for AI because security-sensitive behavior crosses files and frameworks, and specialist reviewers are scarce. It is also a dangerous place for confident speculation. A comment that says input may be unsanitized without tracing where the input originates, how it is transformed, and which sink consumes it creates work without establishing risk. AI can broaden attention, but the review must be organized around evidence.
Begin with the change surface. Identify new or modified entry points, authentication and authorization decisions, data stores, network calls, deserialization, file access, template rendering, secrets, and dependency boundaries. Then ask what trust relationship changed. A renamed variable is not a security event. Moving authorization after a write, allowing a user-controlled URL into a server-side fetch, or changing a tenant-scoped query may be.
A useful security finding names the untrusted source, follows the relevant transformations, identifies the sensitive sink or decision, states the missing control, and describes a plausible impact. It should also acknowledge controls visible in the diff or retrieved context. If a sanitization helper is called, the reviewer should inspect or retrieve its contract before claiming it is insufficient. If required context is unavailable, the finding should say so and lower confidence.
A hypothetical account takeover has high impact, but if the reviewer cannot establish that the path is reachable, confidence should be low. Conversely, a high-confidence information leak may have limited scope. Store both dimensions. Prioritize high-severity, high-confidence findings for inline review; retain lower-confidence hypotheses as run history or omit them according to policy. Combining both into one label encourages the model to overstate uncertain issues.
Repository-specific policy makes security review more useful. Tell the reviewer which authentication library is canonical, where authorization must occur, which query builders are permitted, how secrets are accessed, and which paths contain generated code. Prefer concise rules with examples over a generic secure-coding encyclopedia. The model already knows common vulnerability categories; it needs to know how this repository prevents them.
Secret scanning, dependency analysis, static analyzers, type systems, tests, and branch protection have repeatable strengths. Keep them. An AI security reviewer is better positioned to reason about intent, changed data flow, and mismatches between a project convention and a patch. It should not be the sole gate for a rule a deterministic tool can enforce. When the AI identifies a recurring pattern, consider turning that pattern into a test or analyzer rule.
Post AI security findings as advisory evidence by default. A human should decide whether the path is reachable, whether the affected asset matters, whether compensating controls exist, and whether the risk is accepted. Record the resolution reason so prompts and policies improve over time. The best outcome is not a long security report on every pull request; it is a small number of well-supported questions at the moment a security-relevant behavior changes.
Periodically replay a small internal set of known security fixes and clean sensitive changes through the configured reviewer. This checks whether model or prompt updates altered coverage or noise, but it is not a substitute for penetration testing or threat modeling. Use the results to calibrate roles and thresholds, then inspect live resolution reasons for repository-specific gaps that a historical sample cannot represent.
PR Quorum turns specialist reviewer output into one clean GitHub review, with noise controls and predictable usage caps.