Security Tooling / AI Security
AI-Assisted Code Review & Vulnerability Auditing
Built AI-assisted workflows that helped scale code review, vulnerability auditing, and detection logic authoring beyond what a small security team could do manually.
Problem
A small security team couldn't review every pull request or audit every dependency update for security implications. Vulnerability scanning tools caught known CVEs but missed logic flaws, misconfigurations, and subtle auth issues.
Constraints
The work could not slow down engineering velocity. Findings needed to be high-signal to earn trust from developers, AI output required human validation before action, and the tooling had to integrate into existing CI/CD workflows.
Approach
Built a pipeline that flagged security-relevant PRs (auth changes, crypto, IAM policy modifications, dependency updates) and ran them through an AI-assisted review that looked for common vulnerability patterns, misconfigured permissions, and logic flaws. Results were posted as structured PR comments with severity and remediation guidance. All findings went through human review before any action was taken. Extended the same approach to automate detection rule drafting and validation against historical alert data.
Outcome
Caught vulnerabilities that static analysis missed, including auth bypass logic and overly permissive IAM policies in Terraform. Security team scaled review coverage 3x without adding headcount. Engineering teams started proactively requesting security review because the feedback was useful, not just noise.
Terminal
    # PR flagged: modifies IAM policy in terraform
    $ python3 sec_review.py --pr 1847 --repo internal/infra
    [+] PR #1847: 3 files changed, 2 security-relevant
    [+] Scanning: modules/iam/policy.tf
    [!] FINDING: s3:* action granted to role with no resource constraint
        Severity: HIGH
        Suggestion: scope to specific bucket ARN, not wildcard
    [+] Scanning: modules/iam/trust-policy.tf
    [!] FINDING: AssumeRole trust allows any principal in account
        Severity: CRITICAL
        Suggestion: restrict to specific role ARNs
    [+] Posted review comment to PR #1847 (pending human approval)
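The two findings in the terminal output above can also be written as deterministic checks over the rendered IAM policy JSON. This is an added example, not the sec_review.py tool described on this page; the function names, sample policies and placeholder account ID are constructed for illustration, and it assumes the Terraform policies have already been rendered to JSON.

```python
import json
import re

# Constructed sample policies (placeholder account ID and bucket name), in the
# JSON form Terraform renders from jsonencode() or aws_iam_policy_document.
PERMISSIONS_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
  {"Effect": "Allow", "Action": ["s3:GetObject"],
   "Resource": "arn:aws:s3:::example-bucket/*"}]}""")
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]}""")

# "*", a bare account ID, or the account root ARN all delegate trust broadly.
ACCOUNT_WIDE = re.compile(r"^(\*|\d{12}|arn:aws:iam::\d{12}:root)$")

def as_list(value):
    """IAM accepts a string or a list for Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def review_policy(policy):
    """Return (severity, message) findings for one parsed policy document."""
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        # Check 1: service-wide or global action wildcard on Resource "*".
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild and "*" in as_list(stmt.get("Resource")):
            findings.append(
                ("HIGH", ", ".join(wild) + " granted with no resource constraint"))
        # Check 2: role trust open to a whole account. Statements that carry a
        # Condition are skipped here (a simplification) and left to a reviewer.
        principal = stmt.get("Principal")
        aws = (as_list(principal.get("AWS")) if isinstance(principal, dict)
               else as_list(principal))
        broad = [p for p in aws if ACCOUNT_WIDE.match(p)]
        assumes = any(a in ("sts:assumerole", "sts:*", "*") for a in actions)
        if broad and assumes and not stmt.get("Condition"):
            findings.append(("CRITICAL", "AssumeRole trust allows " + ", ".join(broad)))
    return findings
```
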
Key Highlights
- LLM-assisted code review for security-relevant PRs
- Automated vulnerability pattern detection in CI pipelines
- AI-assisted detection rule authoring and validation
- Human-in-the-loop review for all AI-generated findings
- Scaled security coverage without scaling headcount