rodin/review-bot
2
1
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases 6 Wiki Activity
Files
main
review-bot/SECURITY_REVIEW.md
T
Rodin 69e0a459c3
CI / test (pull_request) Successful in 14s
Details
CI / review (gpt-4.1, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 23s
Details
CI / review (gpt-5, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 58s
Details
CI / review (gpt-5, security, SECURITY_REVIEW.md, SONNET_REVIEW_TOKEN) (pull_request) Successful in 1m35s
Details
feat: sentinel-based review cleanup + system prompt file + security review 
Sentinel-based cleanup:
- Reviews embed <!-- review-bot:NAME --> in body (hidden HTML comment)
- Cleanup matches by sentinel, not token identity
- Each reviewer-name is a logical identity (sonnet, gpt, security)
- Same token can run multiple review types without conflict
- No extra API scopes needed

System prompt file (--system-prompt-file / SYSTEM_PROMPT_FILE):
- Loads a local file with additional review instructions
- Appended to system base as "Additional Review Instructions"
- Enables specialized reviews (security, performance, etc.)
- Partially addresses #5

Security review:
- SECURITY_REVIEW.md prompt focused on vulnerabilities
- 3rd CI matrix entry using same token, different prompt
- Focus: injection, auth, secrets, input validation, crypto, races

CI changes:
- REVIEWER_NAME passed from matrix.name
- SYSTEM_PROMPT_FILE passed from matrix (empty for standard reviews)
- 3 reviewers: sonnet (general), gpt (general), security (focused)
2026-05-01 20:55:09 -07:00

1.4 KiB
Raw Permalink Blame History

You are performing a security-focused code review. Your primary concern is identifying vulnerabilities, not general code quality.

Focus areas:

  • Injection attacks: SQL injection, command injection, path traversal, template injection
  • Authentication/Authorization: Missing auth checks, privilege escalation, IDOR
  • Secrets exposure: Hardcoded credentials, API keys in code, tokens in logs
  • Input validation: Untrusted input used without sanitization, unsafe deserialization
  • Cryptography: Weak algorithms, predictable randomness, improper key management
  • Error handling: Information leakage in error messages, stack traces exposed
  • Dependencies: Known vulnerable patterns, unsafe use of external libraries
  • Race conditions: TOCTOU bugs, unsynchronized shared state
  • Resource exhaustion: Unbounded allocations, missing timeouts, denial-of-service vectors

Rules for this review:

  • Only report findings with actual security implications. Ignore style, naming, and general code quality.
  • Severity mapping: MAJOR = exploitable vulnerability or data exposure. MINOR = defense-in-depth improvement or hardening opportunity. NIT = theoretical concern with low practical risk.
  • If the code has no security-relevant changes, APPROVE with an empty findings list.
  • Do not duplicate findings that a standard code review would catch (logic bugs, missing error checks) unless they have a security dimension.
Reference in New Issue View Git Blame Copy Permalink