> ## Documentation Index
> Fetch the complete documentation index at: https://factory-apigettingstarted.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Review

> Run security-focused PR reviews and full-codebase audits with Droid using STRIDE, OWASP, and supply-chain methodology.

Droid security review is a dedicated security workflow for finding high-confidence vulnerabilities in pull requests or across an entire repository. It can run locally from the CLI or automatically in GitHub Actions.

<CardGroup cols={2}>
  <Card title="PR security review" icon="shield-halved">
    Review only the pull request diff, trace changed data flows, and post inline security findings with severity and suggested fixes.
  </Card>

  <Card title="Full-codebase audit" icon="magnifying-glass">
    Audit every source file in the repository, group files for parallel review, and produce a structured report of validated findings.
  </Card>
</CardGroup>

## Methodology

Security review uses the built-in `security-review` skill. In PR automation, Droid Action runs a dedicated `security-reviewer` subagent that loads this methodology before reading files, then traces changed data flows across authentication, authorization, validation, database, network, filesystem, and LLM boundaries.

The methodology applies multiple security frameworks together:

* **STRIDE threat modeling**: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
* **OWASP Top 10:2021**: Broken access control, cryptographic failures, injection, insecure design, misconfiguration, vulnerable components, authentication failures, integrity failures, logging failures, and SSRF.
* **OWASP Top 10 for LLM Applications:2025**: prompt injection, sensitive information disclosure, insecure LLM output handling, excessive agency, vector/embedding weaknesses, and other AI-specific risks when the codebase uses LLMs.
* **Supply-chain analysis**: dependency manifest and lockfile review, including typosquatting signals, install scripts, overly broad version ranges, and newly published packages.
* **Repository threat-model context**: if `.factory/threat-model.md` exists, Droid uses it as the attack-surface map.

## Review pipeline

Security review uses a two-pass workflow:

1. **Candidate generation**: Droid reads the diff or codebase, identifies security-relevant areas, traces untrusted input across trust boundaries, and produces candidate vulnerabilities.
2. **Validation**: Droid re-checks each candidate for reachability, exploitability, existing controls, and false positives before reporting it.

Findings are reported only when there is a realistic exploit path, such as an injection vulnerability, missing authentication or authorization on a sensitive operation, hardcoded secret, data exposure, unsafe LLM output handling, or risky supply-chain change.

## Severity levels

| Severity | Priority | Examples                                                                                |
| -------- | -------- | --------------------------------------------------------------------------------------- |
| Critical | `P0`     | RCE, hardcoded production secret, auth bypass, unauthenticated admin endpoint           |
| High     | `P1`     | SQL injection behind auth, stored XSS, sensitive-data IDOR, very new dependency         |
| Medium   | `P2`     | CSRF on state-changing operations, information disclosure, prompt injection behind auth |
| Low      | `P3`     | Minor security hardening with a concrete but low-impact exploit path                    |

## Run locally

Run the built-in skill directly from Droid on any repo:

```text theme={null}
/security-review
```

Local security review can audit the full codebase, not just the current diff. Droid enumerates source files in the repository, skips generated and vendored directories, groups files by module or directory, and validates findings before reporting them.

## Run on pull requests

With [Droid Action](https://github.com/Factory-AI/droid-action), comment on a pull request to trigger an on-demand security review:

```text theme={null}
@droid security
```

To run security review automatically on every non-draft PR, add `automatic_security_review: true` to your review workflow:

```yaml theme={null}
- name: Run Droid Auto Review
  uses: Factory-AI/droid-action@main
  with:
    factory_api_key: ${{ secrets.FACTORY_API_KEY }}
    automatic_review: true
    automatic_security_review: true
```

When `automatic_review` and `automatic_security_review` are both enabled, Droid runs the security pass alongside the standard code review and includes the security summary in the PR feedback.

## Full repository scans in GitHub Actions

For a full repository security scan, comment on a PR:

```text theme={null}
@droid security --full
```

Full scans create a `droid/security-report-{date}` branch, write a report to `.factory/security/reports/security-report-{date}.md`, and open a PR with the findings.

## Configuration

These are the Droid Action security inputs currently wired for the workflows documented on this page:

| Input                         | Default  | Description                                                                                                                        |
| ----------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| `automatic_security_review`   | `false`  | Run security review automatically on PRs without requiring `@droid security`.                                                      |
| `security_model`              | `""`     | Override the model used for security review candidate generation and full-repository scans. Falls back to `review_model` if unset. |
| `security_severity_threshold` | `medium` | Full-repository scans only: minimum severity to include in the generated report.                                                   |
| `security_notify_team`        | `""`     | Full-repository scans only: GitHub team to cc in the generated scan PR body, such as `@org/security-team`.                         |

## See also

* [Automated Code Review](/guides/droid-exec/code-review): Standard PR code review automation.
* [Skills](/cli/configuration/skills): How to invoke and customize skills.
* [GitHub Integration Security](/enterprise/github-integration-security): Security architecture for the GitHub App integration.
