Code Review Guide

AI Code Review

How to effectively review AI-generated code for security vulnerabilities. Practical techniques and checklists.

Review Principles

Trust Nothing, Verify Everything

Treat AI-generated code like code from an untrusted junior developer. It may work, but it may also have subtle issues.

Focus on Security-Critical Paths

Prioritize reviewing authentication, authorization, data handling, and input validation over UI code.

Understand Before Accepting

Don't accept code you don't understand. If you can't explain what it does, you can't verify it's secure.

Check the Edges

AI often handles the happy path well but misses edge cases, error handling, and boundary conditions.

Security Review Checklist

Authentication

  • Are all protected routes checking authentication on the server?
  • Is session/token validation implemented correctly?
  • Are authentication errors handled without leaking information?
  • Is there protection against brute force attacks?

Authorization

  • Do all data access operations verify user ownership/permission?
  • Are role checks implemented on the server, not just the client?
  • Can users only modify their own resources?
  • Are admin functions properly restricted?

Data Handling

  • Is user input validated and sanitized?
  • Are database queries parameterized (no string concatenation)?
  • Is output properly encoded to prevent XSS?
  • Are sensitive fields excluded from API responses?

Secrets & Config

  • Are API keys and credentials in environment variables?
  • Is the code free of hardcoded secrets, even 'for testing'?
  • Are client-side bundles free of server-side secrets?
  • Is .gitignore configured for sensitive files?

Error Handling

  • Do error messages avoid leaking implementation details?
  • Are errors logged server-side but sanitized for users?
  • Is there proper error boundary handling?
  • Do failed operations fail securely (deny by default)?

Red Flags to Watch For

  • eval(), exec(), or dynamic code execution: can lead to code injection vulnerabilities
  • String concatenation in SQL/database queries: SQL/NoSQL injection risk
  • dangerouslySetInnerHTML or similar: cross-site scripting (XSS) risk
  • Hardcoded strings that look like keys or passwords: credential exposure risk
  • Client-side only access control: authorization bypass risk
  • Disabled security features (CORS, CSRF, SSL): removes built-in protections
  • catch blocks that swallow errors silently: hides potential security issues
  • User input used directly without validation: multiple injection/abuse risks

Review Techniques

1. Trace Data Flow

Follow user input from entry point through processing to storage/output. Check for validation at each step.

Example: Form input → API handler → Database → Response

2. Check Permission Boundaries

For every data operation, ask: 'What stops user A from accessing user B's data?'

Example: getUserData(id) - does it verify the requesting user owns this id?

3. Verify Server-Side Enforcement

For any security check you find, verify it's enforced server-side, not just in the UI.

Example: If button is hidden for non-admins, is the API endpoint also admin-only?

4. Test Failure Modes

Consider what happens when things fail. Does the code fail open (insecure) or fail closed (secure)?

Example: If auth check throws error, does it grant or deny access?
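
The questions in techniques 2 to 4, as an added example that is not part of the original guide: a handler of the shape to flag in review, beside a hardened version. The invoice store, session table and all function names are hypothetical and constructed for illustration.

```javascript
// Constructed in-memory data; every name below is hypothetical.
const invoices = new Map([
  [1, { id: 1, ownerId: "alice", total: 120 }],
  [2, { id: 2, ownerId: "bob", total: 75 }],
]);
const sessions = new Map([
  ["tok-alice", { userId: "alice", role: "user" }],
  ["tok-admin", { userId: "carol", role: "admin" }],
]);

// Stand-in for a token verifier: throws on bad input, as real ones do.
function verifySession(token) {
  if (typeof token !== "string") throw new Error("malformed token");
  const session = sessions.get(token);
  if (!session) throw new Error("unknown session");
  return session;
}

// BEFORE: the shape to flag in review.
function getInvoiceUnsafe(token, invoiceId) {
  try {
    verifySession(token);
  } catch (err) {
    // Error swallowed: execution continues, so the auth check fails open.
  }
  // No ownership check: any caller can read any invoice by id.
  const invoice = invoices.get(invoiceId);
  return invoice ? { status: 200, body: invoice } : { status: 404 };
}

// AFTER: deny by default, ownership enforced on the server.
function getInvoiceSafe(token, invoiceId) {
  let user;
  try {
    user = verifySession(token);
  } catch (err) {
    return { status: 401 }; // fail closed, no internal detail in the response
  }
  const invoice = invoices.get(invoiceId);
  const allowed =
    invoice && (invoice.ownerId === user.userId || user.role === "admin");
  // Same 404 for "missing" and "not yours", so ids cannot be probed.
  if (!allowed) return { status: 404 };
  return { status: 200, body: { id: invoice.id, total: invoice.total } };
}
```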

Complement Manual Review with Scanning

Manual code review catches logic issues, but automated scanning finds patterns humans miss. Use both for comprehensive security coverage.

Frequently Asked Questions

How long should I spend reviewing AI-generated code?

Spend proportionally more time on security-critical code. A quick glance is fine for UI styling, but authentication/authorization code needs careful line-by-line review. Budget at least 20-30% of your AI coding time for review.

Can I use AI to review AI-generated code?

Yes, AI can help with code review. Ask the AI to explain what the code does, identify potential security issues, or review against OWASP guidelines. However, don't rely solely on AI review—it may miss the same issues it introduced.

What's the most important thing to check?

Authorization. The most common and dangerous vulnerability in AI-generated code is missing or broken authorization. Always verify that users can only access their own data and that role checks happen server-side.

Should I review every line AI generates?

Review intensity should match risk. Critical paths (auth, data access, payments) need thorough review. Low-risk code (UI components, styling) can be reviewed more quickly. Always at least skim for obvious red flags.

How do I get better at security code review?

Practice with intentionally vulnerable code (like OWASP WebGoat), study common vulnerability patterns, learn from real breach postmortems, and use checklists until security thinking becomes automatic.

Last updated: January 16, 2026