Secure Code Review Workflow
Use Code Security prompts to run a structured security-focused code review that catches vulnerabilities before they reach production.
When to Use
- Pull request review for security-sensitive code (authentication, payment processing, file handling, API endpoints)
- Pre-release security review of a new feature or service
- Periodic security audit of an existing codebase
- Onboarding a new codebase that lacks security review history
How It Works
Step 1: Identify Your Framework
Determine which framework the code under review uses. Each Code Security prompt targets a specific framework and encodes the relevant OWASP ASVS controls and CWE mitigations.
Step 2: Apply the Code Security Prompt
Set the matching prompt as the system prompt and feed in the code to review. The prompt enforces checks against:
- OWASP ASVS controls relevant to the framework
- CWE mitigations for common vulnerability classes
- Framework-specific security defaults (parameterized queries, CSRF protection, secure session handling)
Step 3: Review and Remediate
Review the LLM output for flagged issues, suggested fixes, and security patterns that should be present but are missing.
Worked Example: Node.js Express API Review
Scenario: A PR adds a new /api/upload endpoint to a Node.js Express application that accepts file uploads and stores metadata in PostgreSQL.
- Apply the Node.js Code Security prompt as the system prompt
- Feed in the PR diff or the relevant source files
- The prompt-guided review flags: path traversal risk in filename handling, missing file type validation, SQL string concatenation in the metadata insert, and no CSRF token on the upload form
- Review output: 4 findings with specific remediation code for each
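The sketch below shows what remediation for three of the four findings could look like. It is an added example, not output from the Code Security prompt or code from the reviewed PR. The function names, the uploads table, and the assumption that the caller generates a UUID per upload are all hypothetical; the CSRF finding is omitted because its fix depends on the application's session middleware.

```javascript
// Added example: dependency-free checks for the path traversal, file type and
// SQL concatenation findings. All names here are hypothetical.

// Allowlist keyed by extension: MIME type and expected leading magic bytes.
const ALLOWED_TYPES = {
  png: { mime: 'image/png', magic: [0x89, 0x50, 0x4e, 0x47] },
  jpg: { mime: 'image/jpeg', magic: [0xff, 0xd8, 0xff] },
  pdf: { mime: 'application/pdf', magic: [0x25, 0x50, 0x44, 0x46] },
};

// File type validation: trust the content, not the client name or Content-Type.
function sniffType(bytes) {
  for (const [ext, { mime, magic }] of Object.entries(ALLOWED_TYPES)) {
    if (bytes.length >= magic.length && magic.every((b, i) => bytes[i] === b)) {
      return { ext, mime };
    }
  }
  return null;
}

// Path traversal: the stored name never contains client input. It is built
// from a server-generated id (assumed: a lowercase UUID) plus an allowlisted
// extension, so "../" in the uploaded filename cannot reach the filesystem.
function storageName(id, ext) {
  if (!/^[0-9a-f-]{36}$/.test(id)) throw new Error('invalid id');
  return `${id}.${ext}`;
}

// SQL concatenation: parameterized insert in node-postgres { text, values }
// form. The original filename travels as a bound value only.
function metadataInsert(id, originalName, mime) {
  return {
    text: 'INSERT INTO uploads (id, original_name, mime) VALUES ($1, $2, $3)',
    values: [id, String(originalName).slice(0, 255), mime],
  };
}

// Ties the checks together; returns null when the upload must be rejected.
function planUpload(id, originalName, bytes) {
  const type = sniffType(bytes);
  if (!type) return null;
  return { file: storageName(id, type.ext), query: metadataInsert(id, originalName, type.mime) };
}

// Constructed sample input: PNG header bytes with a hostile client filename.
const SAMPLE_ID = '123e4567-e89b-12d3-a456-426614174000';
const sample = planUpload(SAMPLE_ID, "../../x'); --.png",
  new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a]));
console.log(sample);
```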
Related Pages
- Code Security Prompts — Framework-specific security prompts
- Integration: Claude Code — Using prompts with Claude Code for automated review
- Integration: GitHub Actions — CI/CD integration for automated security checks
- Architecture Overview — Trust boundaries and security invariants
Limitations
- LLM-based code review supplements but does not replace manual expert review, SAST tools, or DAST scanning.
- Monorepos with mixed languages may need multiple framework-specific passes.
- Security findings should be validated by a human reviewer before being treated as confirmed vulnerabilities.