
Droid security review is a dedicated security workflow for finding high-confidence vulnerabilities in pull requests or across an entire repository. It can run locally from the CLI or automatically in GitHub Actions.

PR security review

Review only the pull request diff, trace changed data flows, and post inline security findings with severity and suggested fixes.

Full-codebase audit

Audit every source file in the repository, group files for parallel review, and produce a structured report of validated findings.

Methodology

Security review uses the built-in security-review skill. In PR automation, Droid Action runs a dedicated security-reviewer subagent that loads this methodology before reading files, then traces changed data flows across authentication, authorization, validation, database, network, filesystem, and LLM boundaries. The methodology applies multiple security frameworks together:
  • STRIDE threat modeling: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
  • OWASP Top 10:2021: Broken access control, cryptographic failures, injection, insecure design, misconfiguration, vulnerable components, authentication failures, integrity failures, logging failures, and SSRF.
  • OWASP Top 10 for LLM Applications:2025: prompt injection, sensitive information disclosure, insecure LLM output handling, excessive agency, vector/embedding weaknesses, and other AI-specific risks when the codebase uses LLMs.
  • Supply-chain analysis: dependency manifest and lockfile review, including typosquatting signals, install scripts, overly broad version ranges, and newly published packages.
  • Repository threat-model context: if .factory/threat-model.md exists, Droid uses it as the attack-surface map.

Review pipeline

Security review uses a two-pass workflow:
  1. Candidate generation: Droid reads the diff or codebase, identifies security-relevant areas, traces untrusted input across trust boundaries, and produces candidate vulnerabilities.
  2. Validation: Droid re-checks each candidate for reachability, exploitability, existing controls, and false positives before reporting it.
Findings are reported only when there is a realistic exploit path, such as an injection vulnerability, missing authentication or authorization on a sensitive operation, hardcoded secret, data exposure, unsafe LLM output handling, or risky supply-chain change.

Severity levels

Severity   Priority   Examples
Critical   P0         RCE, hardcoded production secret, auth bypass, unauthenticated admin endpoint
High       P1         SQL injection behind auth, stored XSS, sensitive-data IDOR, very new dependency
Medium     P2         CSRF on state-changing operations, information disclosure, prompt injection behind auth
Low        P3         Minor security hardening with a concrete but low-impact exploit path

Run locally

Run the built-in skill directly from Droid on any repo:
/security-review
Local security review can audit the full codebase, not just the current diff. Droid enumerates source files in the repository, skips generated and vendored directories, groups files by module or directory, and validates findings before reporting them.

Run on pull requests

With Droid Action, comment on a pull request to trigger an on-demand security review:
@droid security
To run security review automatically on every non-draft PR, add automatic_security_review: true to your review workflow:
- name: Run Droid Auto Review
  uses: Factory-AI/droid-action@main
  with:
    factory_api_key: ${{ secrets.FACTORY_API_KEY }}
    automatic_review: true
    automatic_security_review: true
When automatic_review and automatic_security_review are both enabled, Droid runs the security pass alongside the standard code review and includes the security summary in the PR feedback.

Full repository scans in GitHub Actions

For a full repository security scan, comment on a PR:
@droid security --full
Full scans create a droid/security-report-{date} branch, write a report to .factory/security/reports/security-report-{date}.md, and open a PR with the findings.

Configuration

These are the Droid Action security inputs currently wired for the workflows documented on this page:
Input                        Default   Description
automatic_security_review    false     Run security review automatically on PRs without requiring @droid security.
security_model               ""        Override the model used for security review candidate generation and full-repository scans. Falls back to review_model if unset.
security_severity_threshold  medium    Full-repository scans only: minimum severity to include in the generated report.
security_notify_team         ""        Full-repository scans only: GitHub team to cc in the generated scan PR body, such as @org/security-team.
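The following is an added example, not a workflow from the Factory docs or the droid-action project, showing how the snippet from "Run on pull requests" and the inputs in the table above fit together in one complete workflow file. Everything beyond those inputs is an assumption: the event triggers (pull_request for the automatic pass, issue_comment so that @droid security comments are received), the permissions block (full scans push a branch and open a PR, so write access is assumed to be required), the actions/checkout step, and the placeholder team name.

```yaml
# Added example (not from the Factory docs): one workflow that wires both the
# automatic per-PR security pass and the on-demand "@droid security" comment
# trigger, using only the inputs listed in the configuration table.
# Assumed, not taken from the docs: the triggers, the permissions block,
# the checkout step, and the team name placeholder.
name: Droid Review

on:
  pull_request:
    # "Every non-draft PR": ready_for_review fires when a draft is promoted
    types: [opened, synchronize, ready_for_review]
  issue_comment:
    # Assumed necessary so "@droid security" / "@droid security --full"
    # comments on a PR reach the action
    types: [created]

permissions:
  # Assumed: full scans create a droid/security-report-{date} branch and
  # open a PR with the report, which needs write access to both
  contents: write
  pull-requests: write

jobs:
  review:
    # Comments on plain issues are ignored; only PR comments are relevant
    if: github.event_name == 'pull_request' || github.event.issue.pull_request
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Droid Auto Review
        uses: Factory-AI/droid-action@main
        with:
          # Store the API key as a repository secret, never in the workflow
          factory_api_key: ${{ secrets.FACTORY_API_KEY }}
          automatic_review: true
          automatic_security_review: true
          # Left empty so security review falls back to review_model;
          # set it only if candidate generation should use a different model
          security_model: ""
          # Full scans only: Low (P3) findings are left out of the report
          security_severity_threshold: medium
          # Full scans only: team cc'd in the scan PR body (placeholder name)
          security_notify_team: "@org/security-team"
```

With both automatic inputs enabled, every non-draft PR gets the standard review plus the security pass in its feedback, and a maintainer can still comment @droid security --full to get a full-repository report PR that includes only Medium and above. Raising security_severity_threshold to high is the usual choice for a large legacy codebase where the first full scan would otherwise produce a long list of P2 items.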
