Security Scanning

CodePeel runs four layers of security analysis on every pull request.

The Four Layers

1. Secret Scanning (Instant)

Runs immediately on every diff, before AI analysis starts. Findings are posted within seconds.

Detects: AWS keys, GitHub tokens, Google API keys, Stripe/Twilio/SendGrid keys, database connection strings, JWT secrets, private keys, and generic patterns (password=, secret=, token=).

2. AI Security Analysis (~10–30s)

Deep analysis for exploitable vulnerabilities: injection attacks, XSS, path traversal, auth flaws, data exposure, cryptographic misuse.

3. SAST — Static Analysis (~10–20s)

Pattern-based detection: unsafe deserialization, prototype pollution, ReDoS, XXE, SSRF, insecure direct object references.

4. Architecture Security Review (~15–25s)

For larger PRs: auth flow correctness, data flow security, trust boundaries, error handling leaks.


Severity Levels

Severity | Emoji | Criteria                                           | Where it appears
---------|-------|----------------------------------------------------|------------------
Critical | 🔴    | Exploitable remotely, credential leak, auth bypass | PR inline comment
Major    | 🟠    | Significant vulnerability with clear exploit vector | PR inline comment
Minor    | 🟡    | Requires specific conditions to exploit            | PR inline comment
Trivial  | 🔵    | Minor recommendation                               | Dashboard only

What to Do When You See a Critical Finding

  1. Don't merge the PR. Critical findings indicate exploitable vulnerabilities.
  2. Read the explanation — the comment describes the attack vector and impact.
  3. Apply the suggested fix — click "Commit suggestion" or implement the recommendation.
  4. Push the fix — CodePeel re-reviews and confirms the issue is resolved.
  5. If you disagree — reply @codepeel dismiss on the comment.

Never merge with an unresolved 🔴 Critical finding.


How to Add Custom Secret Patterns

Step 1: Identify your pattern

Determine the regex for your custom secrets. Example: if your keys look like MYAPP_KEY_abc123def456:

MYAPP_KEY_[A-Za-z0-9]{12}

Step 2: Add to .codepeel.yml

security:
  custom_patterns:
    - "MYAPP_KEY_[A-Za-z0-9]{12}"
    - "Bearer [A-Za-z0-9-._~+/]+=*"

Step 3: Test it

Push a PR containing a string matching your pattern. CodePeel flags it within seconds.

Custom patterns are checked during instant secret scanning — they don't wait for AI analysis.
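To make the custom-pattern step concrete, here is an added example (not CodePeel's own scanner, whose implementation is not described on this page) of a scanner that applies the two patterns from the .codepeel.yml above plus a generic password=/secret=/token= pattern to the added lines of a unified diff. The diff, the generic regex and the redaction format are constructed for the example; note that removed lines are ignored, because a secret that a PR deletes never reaches the new file.

```python
import re

# Constructed example: the two custom_patterns from the .codepeel.yml above,
# plus a generic "password= / secret= / token=" pattern like the built-in ones.
CUSTOM_PATTERNS = [r"MYAPP_KEY_[A-Za-z0-9]{12}", r"Bearer [A-Za-z0-9\-._~+/]+=*"]
GENERIC_PATTERNS = [r"(?i)(?:password|secret|token)\s*=\s*['\"]?([^'\"\s]{8,})"]
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def compile_patterns(custom, generic=GENERIC_PATTERNS):
    return [re.compile(p) for p in list(custom) + list(generic)]

def redact(value):
    # Show only a short prefix so the finding itself does not re-publish the secret.
    return value[:4] + "***"

def scan_diff(diff_text, patterns):
    """Scan only lines a PR adds ('+'); removed lines never reach the new file."""
    findings, path, lineno = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):                  # new-file header: "+++ b/path"
            path = raw[4:].split("\t")[0].removeprefix("b/")
        elif raw.startswith("--- ") or raw.startswith("\\ No newline"):
            pass
        elif (m := HUNK_RE.match(raw)):             # hunk header: new-file start line
            lineno = int(m.group(1))
        elif raw.startswith("-"):
            pass                                     # deleted line: no new line number
        else:
            if raw.startswith("+"):
                for pat in patterns:
                    for hit in pat.finditer(raw[1:]):
                        secret = hit.group(1) if hit.groups() else hit.group(0)
                        findings.append({"file": path, "line": lineno,
                                         "pattern": pat.pattern, "preview": redact(secret)})
            lineno += 1                              # added and context lines both advance
    return findings

# Constructed unified diff (not a real repository): rotates a key, adds a
# password and a bearer token. The removed MYAPP_KEY_... line must not be reported.
SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
-API_KEY = "MYAPP_KEY_OLDKEY00000001"
+API_KEY = "MYAPP_KEY_abc123def456"
+DB_PASSWORD = "hunter2hunter2"
 TIMEOUT = 30
+AUTH_HEADER = "Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig"
"""
```

Running scan_diff(SAMPLE_DIFF, compile_patterns(CUSTOM_PATTERNS)) reports three findings at new-file lines 2, 3 and 5 of config/settings.py, each with the matched value truncated.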


Security-Only Mode

Focus reviews exclusively on security:

securityOnly: true

This skips style, performance, and best practice findings. Combine with strictMode: true for maximum security coverage.


Health Score

Severity | Deduction | Max penalty
---------|-----------|------------
Critical | -20       | -50
Major    | -10       | -30
Minor    | -4        | -15
Trivial  | -1        | -5

Score  | Risk level
-------|--------------
80–100 | Low risk
60–79  | Moderate risk
40–59  | High risk
0–39   | Critical risk

Best Practices

  • Act on critical findings immediately — don't merge with known vulnerabilities
  • Add custom patterns for your organization's secret formats
  • Enable strictMode for security-sensitive repositories
  • Use expert_rules to enforce security policies:
    expert_rules:
      - "All database queries must use parameterized statements"
      - "Never log request bodies that may contain PII"