Catching Security Vulnerabilities in Pull Requests

Security flaws are among the most expensive bugs to fix after deployment. Here's how to catch them during code review, before they become incidents.

The Problem

Security vulnerabilities are uniquely dangerous because they often look like normal, working code. A SQL query that concatenates user input works perfectly in testing. An API endpoint that skips authorization still returns the right data. These issues pass functional tests, pass visual inspection, and ship to production where they become attack vectors.

The OWASP Foundation estimates that fixing a vulnerability in production costs 30x more than catching it during development. And the reputational damage from a breach is incalculable.

Common Vulnerabilities That Slip Through Review

1. SQL Injection

String concatenation or template literals in database queries allow attackers to execute arbitrary SQL. This is the most common and most dangerous vulnerability in web applications.

// Vulnerable - user input directly in query
const query = `SELECT * FROM users WHERE name = '${userInput}'`;

// Safe - parameterized query
const query = 'SELECT * FROM users WHERE name = $1';
const result = await db.query(query, [userInput]);

2. Cross-Site Scripting (XSS)

Rendering unsanitized user input as HTML lets attackers inject scripts that steal cookies, redirect users, or deface pages. Stored XSS is especially dangerous because it affects every user who views the page.

// Vulnerable - raw HTML insertion
element.innerHTML = userComment;

// Safe - use textContent or sanitize
element.textContent = userComment;

3. Broken Authentication

Missing authorization checks on API endpoints, hardcoded secrets, weak token generation, and improper session handling. These are easy to introduce when adding new endpoints by copying existing ones and forgetting the auth middleware.

4. Sensitive Data Exposure

Logging sensitive data, returning full database records (including password hashes) in API responses, committing API keys or credentials, and sending sensitive data over unencrypted channels.

5. Insecure Dependencies

Using outdated packages with known CVEs, or pulling in new dependencies without auditing their security posture. Supply chain attacks are on the rise.

Why Manual Review Isn't Enough

Even experienced reviewers miss security vulnerabilities for several reasons:

Context switching — Reviewers focus on logic and functionality, not adversarial thinking. Security requires a different mindset.
Volume — In a busy team, reviewers skim large PRs. A single vulnerable line in a 500-line diff is easy to overlook.
Knowledge gaps — Not every developer is a security expert. Junior developers may not recognize common vulnerability patterns.
Review fatigue — The 10th PR of the day gets less scrutiny than the first.

How to Overcome This Challenge

Build a security review checklist

Create a checklist your team uses on every PR that touches user input, database queries, authentication, or API endpoints. Include checks for:

All user inputs are validated and sanitized
Database queries use parameterized statements
API endpoints have proper authorization checks
No secrets or credentials in the code
Error messages don't leak internal details
Dependencies are up-to-date and audited

Shift security left with automated tools

Static analysis tools (SAST) can catch common patterns, but they generate noise. AI-powered code review tools like CodeSentri understand context, reducing false positives while catching subtle vulnerabilities that pattern matching misses.

Adopt a "security champion" role

Designate one developer per team as the security champion. They don't review every PR, but they're the go-to for security-sensitive changes and they keep the team's security knowledge current.

Automate what you can

The best security review is one that happens automatically on every PR, never gets tired, and catches the same vulnerability patterns consistently. This is where AI code review tools shine — they provide a security-focused second opinion on every change, instantly.

Catch vulnerabilities before they ship

CodeSentri reviews every pull request for SQL injection, XSS, auth issues, and OWASP Top 10 violations. Inline comments with severity levels and suggested fixes.

Install Free on GitHub