← IndexEntry № 028·coding

Run a Security Review on Code

Get an OWASP-aligned security review with severity ratings and remediation snippets.

Optimized for
ClaudeChatGPT
§ When to use this

This prompt runs an AppSec-style pass over a code snippet, checking a fixed list of high-impact categories — injection, auth/authz, data exposure, dependency hygiene, and the broader OWASP Top 10 — and returns each finding with a severity rating and a concrete fix. Use it as a fast first-pass review before a human security sign-off, or to sanity-check code you've inherited. The structured checklist matters: it stops the model from fixating on one obvious bug while missing the authorization hole next to it.

§ The Prompt— fill in the fields, then copy or open in a tool
§ Customize0/1 fields filled
your prompt — fill the fields above
You are an application security engineer (AppSec). Review the code below for security vulnerabilities. Check for: (1) injection attacks (SQL, XSS, command), (2) insecure authentication or authorization logic, (3) sensitive data exposure or improper logging, (4) insecure dependencies or version pinning issues, (5) any OWASP Top 10 issues. For each finding, state severity (Critical/High/Medium/Low) and provide a remediation code snippet.

CODE:
[PASTE CODE]
Open with your prompt →ChatGPTClaudeSends your filled-in prompt straight into a new chat.
§ Example Output

What you can expect back

Finding 1 — SQL Injection (Critical)
req.query.name is interpolated directly into the query string. An attacker can send ?name=' OR '1'='1 to dump all rows or worse.
Fix:
  const q = 'SELECT id, name, email FROM users WHERE name = ?';
  db.query(q, [req.query.name], ...);

Finding 2 — Sensitive Data Exposure (High)
SELECT * returns every column (e.g. password_hash) and res.send leaks it to the client. Select only needed columns.

Finding 3 — Improper Logging (Medium)
console.log of full rows may write PII to logs. Log a row count, not the data.

Finding 4 — Missing AuthZ (High)
The route has no authentication or authorization check; any caller can query users.

Illustrative example — your results will vary by tool and inputs.

§ Pro Tips

Get sharper results

  • 01Include the surrounding context the snippet depends on — the auth middleware, ORM config, or framework version — because many real vulnerabilities live in how pieces connect, not in the function alone.
  • 02Ask it to rank findings by exploitability in your specific deployment (public internet vs. internal-only) so you don't waste a sprint fixing a Low before a Critical.
  • 03Treat dependency findings as leads, not verdicts — the model can't see your lockfile, so have it tell you which packages to manually check with npm audit or pip-audit.
  • 04Request a short 'what this review can't catch' note; LLM review misses logic flaws, race conditions, and anything requiring runtime state, so you still need real tooling and a human.
  • 05For larger files, paste one module at a time — a giant dump dilutes attention and the model starts skimming.
§ Variations

Adapt it for your case

Single-category deep dive

Narrow the prompt to one concern (e.g. 'focus only on authorization logic') for a thorough pass on a known weak spot.

Diff review

Paste a git diff instead of full files and ask it to flag only vulnerabilities introduced by the change.

Threat-model framing

Add 'assume the attacker is an authenticated low-privilege user' to surface privilege-escalation and IDOR issues.

Best For — Roles
Use For — Tasks
Tags#security#appsec#code-review
§ FAQ

Common questions

Can this replace a real security audit or SAST tool?

No. It's a fast first pass that catches common, visible flaws. It can't see your full codebase, runtime, or dependency tree, so keep using SAST, dependency scanners, and human review.

Why does it sometimes report a vulnerability that isn't real?

Without full context the model can over-flag — for example, calling something injectable when an upstream sanitizer exists. Give it more surrounding code to cut false positives.

Does pasting proprietary code into an AI tool create a risk itself?

It can. Use a tool with appropriate data handling for your org, redact secrets and real credentials first, and never paste production keys or customer data.

§ Related Entries

You may also need