Skip to content
← All posts
Engineering2026-07-13 · 9 min read

How to use AI for security review on pull requests

A technically grounded workflow for AI-assisted security review: map trust boundaries, demand exploit paths, prioritize changed behavior, and keep deterministic security controls in place.

By PR Quorum team

Security review is an attractive use case for AI because security-sensitive behavior crosses files and frameworks, and specialist reviewers are scarce. It is also a dangerous place for confident speculation. A comment that says input may be unsanitized without tracing where the input originates, how it is transformed, and which sink consumes it creates work without establishing risk. AI can broaden attention, but the review must be organized around evidence.

Begin with the change surface. Identify new or modified entry points, authentication and authorization decisions, data stores, network calls, deserialization, file access, template rendering, secrets, and dependency boundaries. Then ask what trust relationship changed. A renamed variable is not a security event. Moving authorization after a write, allowing a user-controlled URL into a server-side fetch, or changing a tenant-scoped query may be.

Require a source-to-sink argument

A useful security finding names the untrusted source, follows the relevant transformations, identifies the sensitive sink or decision, states the missing control, and describes a plausible impact. It should also acknowledge controls visible in the diff or retrieved context. If a sanitization helper is called, the reviewer should inspect or retrieve its contract before claiming it is insufficient. If required context is unavailable, the finding should say so and lower confidence.

  • Authorization: can the changed path act on a resource without checking the current principal and tenant?
  • Injection: can untrusted data reach SQL, shell, template, path, or interpreter semantics?
  • Request boundaries: can user-controlled destinations, headers, or redirects cross a network trust boundary?
  • Secrets and privacy: does the change expose credentials, tokens, personal data, or sensitive logs?
  • State integrity: can concurrency, replay, or partial failure violate a security-relevant invariant?

Keep severity and confidence independent

A hypothetical account takeover has high impact, but if the reviewer cannot establish that the path is reachable, confidence should be low. Conversely, a high-confidence information leak may have limited scope. Store both dimensions. Prioritize high-severity, high-confidence findings for inline review; retain lower-confidence hypotheses as run history or omit them according to policy. Combining both into one label encourages the model to overstate uncertain issues.

Repository-specific policy makes security review more useful. Tell the reviewer which authentication library is canonical, where authorization must occur, which query builders are permitted, how secrets are accessed, and which paths contain generated code. Prefer concise rules with examples over a generic secure-coding encyclopedia. The model already knows common vulnerability categories; it needs to know how this repository prevents them.

Do not replace deterministic controls

Secret scanning, dependency analysis, static analyzers, type systems, tests, and branch protection have repeatable strengths. Keep them. An AI security reviewer is better positioned to reason about intent, changed data flow, and mismatches between a project convention and a patch. It should not be the sole gate for a rule a deterministic tool can enforce. When the AI identifies a recurring pattern, consider turning that pattern into a test or analyzer rule.

Use humans for the threat decision

Post AI security findings as advisory evidence by default. A human should decide whether the path is reachable, whether the affected asset matters, whether compensating controls exist, and whether the risk is accepted. Record the resolution reason so prompts and policies improve over time. The best outcome is not a long security report on every pull request; it is a small number of well-supported questions at the moment a security-relevant behavior changes.

Periodically replay a small internal set of known security fixes and clean sensitive changes through the configured reviewer. This checks whether model or prompt updates altered coverage or noise, but it is not a substitute for penetration testing or threat modeling. Use the results to calibrate roles and thresholds, then inspect live resolution reasons for repository-specific gaps that a historical sample cannot represent.

Try the reviewer panel on your next PR.

PR Quorum turns specialist reviewer output into one clean GitHub review, with noise controls and predictable usage caps.