
Droid security review is a dedicated security workflow for finding high-confidence vulnerabilities in pull requests or across an entire repository. It can run locally from the CLI or automatically in GitHub Actions.

PR security review

Review only the pull request diff, trace changed data flows, and post inline security findings with severity and suggested fixes.

Full-codebase audit

Audit every source file in the repository, group files for parallel review, and produce a structured report of validated findings.

Run a full-codebase audit

For the most thorough security results, run the audit inside a Mission. Missions plan the audit upfront, fan out work across orchestrated agents, and validate findings at each milestone, which produces dramatically deeper coverage than a single-session run. From any Droid session, enter a mission and kick off the security review:
/missions
/security-review deep audit

Periodic scan in CI

Run the same mission-based audit on a schedule by invoking droid exec --mission from a workflow:
on:
  schedule:
    - cron: '0 6 * * 1'

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          curl -fsSL https://app.factory.ai/cli | sh
          droid exec --mission --auto high -m claude-opus-4-7 \
            "/security-review across the entire repository"
        env:
          FACTORY_API_KEY: ${{ secrets.FACTORY_API_KEY }}

Run locally on a diff

To review the current diff in your working tree or branch from the CLI, run the built-in skill in any Droid session:

/security-review local diff

When invoked on a diff, Droid traces changed data flows across authentication, authorization, validation, database, network, filesystem, and LLM boundaries, and reports validated findings inline with severity and suggested fixes.

Run in GitHub CI on pull requests

With Droid Action, comment on a pull request to trigger an on-demand security review:

@droid security

To run security review automatically on every non-draft PR, add automatic_security_review: true to your review workflow:

- name: Run Droid Auto Review
  uses: Factory-AI/droid-action@main
  with:
    factory_api_key: ${{ secrets.FACTORY_API_KEY }}
    automatic_review: true
    automatic_security_review: true

When automatic_review and automatic_security_review are both enabled, Droid runs the security pass alongside the standard code review and includes the security summary in the PR feedback.

Configuration

These are the Droid Action security inputs currently wired for the workflows documented on this page:
Input | Default | Description
automatic_security_review | false | Run security review automatically on PRs without requiring @droid security.
security_model | "" | Override the model used for security review candidate generation and full-repository scans. Falls back to review_model if unset.
security_severity_threshold | medium | Full-repository scans only: minimum severity to include in the generated report.
security_notify_team | "" | Full-repository scans only: GitHub team to cc in the generated scan PR body, such as @org/security-team.
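The inputs above assembled into one complete PR workflow, as an added example that is not from the Droid documentation itself. The action reference, secret name, input names and the model id claude-opus-4-7 come from this page; the pull_request event types and the permissions block are assumptions about what a GitHub Actions workflow that posts inline PR comments typically needs.

```yaml
# Added example: automatic security review on every non-draft PR.
# Assumption: pull-requests: write is required for Droid Action to post
# inline findings; adjust to your organisation's policy.
name: Droid security review

on:
  pull_request:
    types: [opened, synchronize, ready_for_review]

permissions:
  contents: read
  pull-requests: write

jobs:
  review:
    # Skip draft PRs explicitly; automatic review targets non-draft PRs only.
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Droid Auto Review
        uses: Factory-AI/droid-action@main
        with:
          factory_api_key: ${{ secrets.FACTORY_API_KEY }}
          automatic_review: true
          automatic_security_review: true
          # Model for candidate generation; omit to fall back to review_model.
          security_model: claude-opus-4-7
          # The two inputs below affect full-repository scans only and have
          # no effect on the PR diff review; shown here so one workflow file
          # documents every security input the action accepts.
          security_severity_threshold: medium
          security_notify_team: "@org/security-team"
```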

Methodology

Security review uses the built-in security-review skill. In PR automation, Droid Action runs a dedicated security-reviewer subagent that loads this methodology before reading files, then traces changed data flows across authentication, authorization, validation, database, network, filesystem, and LLM boundaries. The methodology applies multiple security frameworks together:
  • STRIDE threat modeling: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
  • OWASP Top 10:2021: Broken access control, cryptographic failures, injection, insecure design, misconfiguration, vulnerable components, authentication failures, integrity failures, logging failures, and SSRF.
  • OWASP Top 10 for LLM Applications:2025: prompt injection, sensitive information disclosure, insecure LLM output handling, excessive agency, vector/embedding weaknesses, and other AI-specific risks when the codebase uses LLMs.
  • Supply-chain analysis: dependency manifest and lockfile review, including typosquatting signals, install scripts, overly broad version ranges, and newly published packages.
  • Repository threat-model context: if .factory/threat-model.md exists, Droid uses it as the attack-surface map.

Review pipeline

Security review uses a two-pass workflow:
  1. Candidate generation: Droid reads the diff or codebase, identifies security-relevant areas, traces untrusted input across trust boundaries, and produces candidate vulnerabilities.
  2. Validation: Droid re-checks each candidate for reachability, exploitability, existing controls, and false positives before reporting it.
Findings are reported only when there is a realistic exploit path, such as an injection vulnerability, missing authentication or authorization on a sensitive operation, hardcoded secret, data exposure, unsafe LLM output handling, or risky supply-chain change.

Severity levels

Severity | Priority | Examples
Critical | P0 | RCE, hardcoded production secret, auth bypass, unauthenticated admin endpoint
High | P1 | SQL injection behind auth, stored XSS, sensitive-data IDOR, very new dependency
Medium | P2 | CSRF on state-changing operations, information disclosure, prompt injection behind auth
Low | P3 | Minor security hardening with a concrete but low-impact exploit path
