Run a Security Review on Code
Get an OWASP-aligned security review with severity ratings and remediation snippets.
This prompt runs an AppSec-style pass over a code snippet, checking a fixed list of high-impact categories — injection, auth/authz, data exposure, dependency hygiene, and the broader OWASP Top 10 — and returns each finding with a severity rating and a concrete fix. Use it as a fast first-pass review before a human security sign-off, or to sanity-check code you've inherited. The structured checklist matters: it stops the model from fixating on one obvious bug while missing the authorization hole next to it.
You are an application security engineer (AppSec). Review the code below for security vulnerabilities. Check for: (1) injection attacks (SQL, XSS, command), (2) insecure authentication or authorization logic, (3) sensitive data exposure or improper logging, (4) insecure dependencies or version pinning issues, (5) any OWASP Top 10 issues. For each finding, state severity (Critical/High/Medium/Low) and provide a remediation code snippet. CODE: [PASTE CODE]
What you can expect back
Finding 1 — SQL Injection (Critical) req.query.name is interpolated directly into the query string. An attacker can send ?name=' OR '1'='1 to dump all rows or worse. Fix: const q = 'SELECT id, name, email FROM users WHERE name = ?'; db.query(q, [req.query.name], ...); Finding 2 — Sensitive Data Exposure (High) SELECT * returns every column (e.g. password_hash) and res.send leaks it to the client. Select only needed columns. Finding 3 — Improper Logging (Medium) console.log of full rows may write PII to logs. Log a row count, not the data. Finding 4 — Missing AuthZ (High) The route has no authentication or authorization check; any caller can query users.
Illustrative example — your results will vary by tool and inputs.
Get sharper results
- 01Include the surrounding context the snippet depends on — the auth middleware, ORM config, or framework version — because many real vulnerabilities live in how pieces connect, not in the function alone.
- 02Ask it to rank findings by exploitability in your specific deployment (public internet vs. internal-only) so you don't waste a sprint fixing a Low before a Critical.
- 03Treat dependency findings as leads, not verdicts — the model can't see your lockfile, so have it tell you which packages to manually check with npm audit or pip-audit.
- 04Request a short 'what this review can't catch' note; LLM review misses logic flaws, race conditions, and anything requiring runtime state, so you still need real tooling and a human.
- 05For larger files, paste one module at a time — a giant dump dilutes attention and the model starts skimming.
Adapt it for your case
Narrow the prompt to one concern (e.g. 'focus only on authorization logic') for a thorough pass on a known weak spot.
Paste a git diff instead of full files and ask it to flag only vulnerabilities introduced by the change.
Add 'assume the attacker is an authenticated low-privilege user' to surface privilege-escalation and IDOR issues.
Common questions
Can this replace a real security audit or SAST tool?
No. It's a fast first pass that catches common, visible flaws. It can't see your full codebase, runtime, or dependency tree, so keep using SAST, dependency scanners, and human review.
Why does it sometimes report a vulnerability that isn't real?
Without full context the model can over-flag — for example, calling something injectable when an upstream sanitizer exists. Give it more surrounding code to cut false positives.
Does pasting proprietary code into an AI tool create a risk itself?
It can. Use a tool with appropriate data handling for your org, redact secrets and real credentials first, and never paste production keys or customer data.
You may also need
Perform a Thorough Code Review on a Pull Request
Get a senior-engineer-style code review with categorized, file-referenced feedback.
Refactor Code for Readability and Maintainability
Refactor any code for readability and maintainability without changing its behavior.
Audit Code for Performance Bottlenecks
Identify performance bottlenecks in code and get ranked, impact-focused optimization suggestions.
Design a Clean REST API for a New Resource
Get a complete REST endpoint design with shapes, errors, and idempotency notes.