Security Review Comments
2 exercises — how to flag security vulnerabilities in code reviews with the right severity, specifics, and remediation guidance.
0 / 2 completed
Security comment essentials
- Always blocking: Security issues are never "nit" or "optional".
- Name the vulnerability: SQL injection, IDOR, XSS, hardcoded secret, missing auth check.
- Explain the attack: How could this be exploited? What is the blast radius?
- State the fix: Parameterised queries, environment variables, input validation, auth middleware.
1 / 2
You spot hardcoded credentials in a PR:
Which security review comment is best?
const API_KEY = "sk-live-abc123xyz";Which security review comment is best?
Option B is the only response that adequately handles the severity. Key elements:
1. Blocking: prefix — this is not optional.
2. Git history warning — even if removed, the key is visible in history. This is the critical insight most developers miss. Rotating the key is required regardless.
3. Correct fix — environment variable or secrets manager.
4. Merge gate — explicitly states the condition for merge.
Using "nit:" for a hardcoded credential would be a serious mistake — it signals the issue is optional. Security findings must use "Blocking:" or equivalent. For credentials exposed to git history, rotation is non-negotiable even if the PR is never merged.
1. Blocking: prefix — this is not optional.
2. Git history warning — even if removed, the key is visible in history. This is the critical insight most developers miss. Rotating the key is required regardless.
3. Correct fix — environment variable or secrets manager.
4. Merge gate — explicitly states the condition for merge.
Using "nit:" for a hardcoded credential would be a serious mistake — it signals the issue is optional. Security findings must use "Blocking:" or equivalent. For credentials exposed to git history, rotation is non-negotiable even if the PR is never merged.
Continue learning: Security Vocabulary →