dev-security-review
SKILL.md
Core Workflow
- Read the PR diff — load all changed files and understand the scope
- Research repository context — identify existing security frameworks, sanitization patterns, and the project's threat model
- Comparative analysis — compare new changes against existing secure patterns; flag deviations and new attack surfaces
- Vulnerability assessment — examine each modified file for security implications, tracing data flow from user inputs to sensitive operations
- Filter false positives — apply the exclusion list below; only report findings with confidence ≥ 0.8
- Output markdown report — file, line number, severity, category, description, exploit scenario, and fix recommendation
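The last two workflow steps, as an added example that is not part of the skill's own code: it applies the confidence ≥ 0.8 cut-off and renders the listed report fields as a markdown table. The `Finding` record, the severity scale, the function names and the sample data are assumptions, and the excluded category is a placeholder because the exclusion list is not shown here.

```python
from dataclasses import dataclass

CONFIDENCE_THRESHOLD = 0.8  # workflow rule: report only confidence >= 0.8
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}  # assumed severity scale

@dataclass(frozen=True)
class Finding:  # hypothetical record holding the report fields from the workflow
    file: str
    line: int
    severity: str
    category: str
    description: str
    exploit_scenario: str
    fix: str
    confidence: float

def filter_findings(findings, excluded=frozenset()):
    """Keep findings at or above the threshold whose category is not excluded."""
    kept = [f for f in findings
            if f.confidence >= CONFIDENCE_THRESHOLD
            and f.category.lower() not in excluded]
    return sorted(kept, key=lambda f: (SEVERITY_RANK.get(f.severity.lower(), 99), f.file, f.line))

def _cell(text):
    # Findings quote text from the diff under review, so treat it as untrusted:
    # escape pipes and flatten newlines so it cannot break the table layout.
    return str(text).replace("|", "\\|").replace("\n", " ")

def render_report(findings):
    if not findings:
        return f"No findings at confidence >= {CONFIDENCE_THRESHOLD}."
    rows = ["| File | Line | Severity | Category | Description | Exploit scenario | Fix |",
            "|---|---|---|---|---|---|---|"]
    for f in findings:
        cells = (f.file, f.line, f.severity, f.category, f.description, f.exploit_scenario, f.fix)
        rows.append("| " + " | ".join(_cell(c) for c in cells) + " |")
    return "\n".join(rows)

# Constructed sample data; the category in EXCLUDED is a placeholder, not the skill's list.
EXCLUDED = frozenset({"placeholder-excluded-category"})
SAMPLE = [
    Finding("app/config.py", 7, "Medium", "Hardcoded key", "API key literal in source",
            "Key is readable by anyone with repository access", "Load from a secret store", 0.6),
    Finding("app/api.py", 118, "Medium", "SQL injection", "query built with string formatting",
            "Crafted parameter alters the query", "Use parameterized queries", 0.8),
    Finding("app/worker.py", 5, "High", "Placeholder-Excluded-Category", "n/a", "n/a", "n/a", 0.95),
    Finding("app/download.py", 42, "High", "Path traversal", "request 'name' | joined to base dir",
            "Request reads files outside the download directory", "Resolve and check the prefix", 0.9),
]
```

Calling `render_report(filter_findings(SAMPLE, EXCLUDED))` yields a two-row table: the 0.6 finding and the excluded category are dropped, and the 0.8 finding is kept because the threshold is inclusive.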
Security Categories to Examine
- Input Validation — SQL injection, command injection, XXE, template injection, NoSQL injection, path traversal
- Authentication & Authorization — auth bypass, privilege escalation, session flaws, JWT vulnerabilities, authorization bypasses
- Crypto & Secrets — hardcoded keys, weak algorithms, improper key storage, randomness issues, certificate validation bypasses
- Injection & Code Execution — RCE via deserialization, pickle injection, YAML deserialization, eval injection, XSS
- Data Exposure — sensitive data logging, PII violations, API endpoint leakage, debug information exposure