How AI Code Review Catches Security Vulnerabilities Before Production
Security vulnerabilities are dramatically cheaper to fix at code review time than after deployment. Merlin AI Code Review's /security command runs a dedicated OWASP-focused analysis on every PR diff, surfacing injection vulnerabilities, secret leakage, authentication bypasses, and more — before a single line ships to production.
The cost of catching security issues late
Industry data consistently shows that the cost of fixing a security defect increases by 10–100x as it moves through the development lifecycle. A vulnerability caught at PR review costs an hour to fix. The same vulnerability caught in production may cost days of incident response, customer notification, regulatory reporting, and reputation damage.
Most teams rely on human reviewers to catch security issues — but security expertise is unevenly distributed. A frontend engineer reviewing a backend authentication change may miss subtle session management flaws. A new hire may not recognize insecure deserialization patterns. AI review applies consistent security scrutiny regardless of reviewer expertise.
What Merlin AI Code Review's security scan covers
The /security command performs a dedicated pass covering:
- Injection vulnerabilities — SQL injection, command injection, LDAP injection, XPath injection
- XSS — reflected, stored, and DOM-based cross-site scripting patterns
- Authentication and session — weak session tokens, missing authentication checks, privilege escalation paths
- Cryptographic issues — use of broken algorithms (MD5, SHA1), hardcoded secrets, weak random number generation
- Secret detection — API keys, credentials, tokens committed in source code
- Insecure deserialization — unsafe object deserialization patterns
- SSRF — server-side request forgery in HTTP client code
- Dependency vulnerabilities — flagging changed dependencies with known CVEs (integrates with /snyk)
Running a security scan
    # Trigger a dedicated security scan from a PR comment
    @merlin /security

    # Or run it directly in CI
    $ merlin run /security
Merlin AI Code Review posts a structured security report as a PR comment with severity ratings (Critical / High / Medium / Low), affected lines, and remediation guidance. Critical findings block the PR approval flow when /approve is configured.
Example: catching SQL injection in a PR
Consider this diff in a Node.js service:
    // PR adds this function
    async function getUserById(userId) {
      const query = `SELECT * FROM users WHERE id = ${userId}`;
      return db.query(query);
    }
Merlin AI Code Review's security scan flags this as a Critical SQL injection vulnerability and suggests:
    // Merlin AI Code Review suggestion: use parameterized query
    async function getUserById(userId) {
      return db.query("SELECT * FROM users WHERE id = $1", [userId]);
    }
The fix is posted as a GitHub suggestion block — one click to apply it.
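To make the idea of scanning a PR diff concrete, here is an added example (not Merlin AI Code Review's implementation and not code from the original article): a small heuristic that walks the added lines of a unified diff and flags SQL strings built by template-literal interpolation or concatenation, as in the getUserById diff above. The function name findSqlInterpolation, the file paths, and the sample diff are constructed for illustration.

```javascript
// Added example: a heuristic diff check, not Merlin AI Code Review's analysis.
const SQL_KEYWORD = /\b(SELECT|INSERT\s+INTO|UPDATE|DELETE\s+FROM)\b/i;
const INTERPOLATION = /`[^`]*\$\{[^}]+\}[^`]*`/; // template literal with ${...}
const CONCATENATION = /["']\s*\+|\+\s*["']/; // quoted string joined with +
// Returns [{ file, line, code }] for added lines that build SQL from variables.
function findSqlInterpolation(diffText) {
  const findings = [];
  let file = null, newLine = 0, oldLeft = 0, newLeft = 0;
  for (const line of diffText.split("\n")) {
    if (oldLeft === 0 && newLeft === 0) { // between hunks: only headers appear
      const hunk = /^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@/.exec(line);
      if (hunk) { // line counts default to 1 when omitted from the header
        oldLeft = Number(hunk[1] ?? 1); newLine = Number(hunk[2]); newLeft = Number(hunk[3] ?? 1);
      } else if (line.startsWith("+++ ")) {
        file = line.slice(4).replace(/^b\//, "");
      }
      continue;
    }
    if (line.startsWith("\\")) continue; // "\ No newline at end of file"
    if (line.startsWith("-")) { oldLeft--; continue; } // removed: old side only
    if (line.startsWith("+")) {
      const code = line.slice(1);
      const dynamic = INTERPOLATION.test(code) || CONCATENATION.test(code);
      if (SQL_KEYWORD.test(code) && dynamic) findings.push({ file, line: newLine, code: code.trim() });
    } else { oldLeft--; } // context line counts against both sides
    newLeft--; newLine++;
  }
  return findings;
}
// Constructed sample diff: the article's getUserById plus a parameterized fix.
const SAMPLE_DIFF = [
  "--- a/src/users.js",
  "+++ b/src/users.js",
  "@@ -10,2 +10,6 @@",
  ' const db = require("./db");',
  "+async function getUserById(userId) {",
  "+  const query = `SELECT * FROM users WHERE id = ${userId}`;",
  "+  return db.query(query);",
  "+}",
  " module.exports = {};",
  "--- a/src/orders.js",
  "+++ b/src/orders.js",
  "@@ -7 +7 @@",
  "-  return db.query(sql);",
  '+  return db.query("SELECT * FROM orders WHERE id = $1", [id]);',
].join("\n");
console.log(findSqlInterpolation(SAMPLE_DIFF));
```

A line-level pattern like this misses queries assembled across several lines and can flag benign strings, so it complements review rather than replacing it.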
Automatic security on every PR
Rather than running /security manually, teams typically configure it to run automatically alongside the standard review. Add it to your CI workflow:
    - run: |
        ./merlin review
        ./merlin run /security
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
Privacy: your code stays in your infrastructure
Security-conscious teams often hesitate to use cloud-based scanning tools because the tool receives sensitive source code. With Merlin AI Code Review, the binary runs inside your CI runner, so your repository is never uploaded to a scanning service. The only code sent out is the PR diff in the AI API call, not your full codebase.