Apply CodeRabbit security best practices for secrets and access control.
Use when securing API keys, implementing least privilege access,
or auditing CodeRabbit security configuration.
Trigger with phrases like "coderabbit security", "coderabbit secrets",
"secure coderabbit", "coderabbit API key security".
Configure CodeRabbit to catch security vulnerabilities, hardcoded secrets, and insecure patterns in pull requests. CodeRabbit's AI review can detect security issues that static analysis tools miss because it understands code context and intent. This skill covers security-focused configuration, secret detection instructions, and compliance-oriented review policies.
Prerequisites
CodeRabbit installed on repository
.coderabbit.yaml in repository root
Understanding of security requirements for your codebase
Security Coverage
Category
CodeRabbit Detection
Complementary Tool
Hardcoded secrets
Path instructions + AI detection
GitHub Secret Scanning, GitLeaks
SQL injection
Path instructions for DB code
SonarCloud, Semgrep
XSS vulnerabilities
Path instructions for frontend
ESLint security plugins
Auth bypass
Path instructions for auth code
Manual review
Insecure dependencies
Limited (reviews import patterns)
Dependabot, Renovate
OWASP Top 10
Path instructions covering each risk
Dedicated SAST tools
Instructions
Step 1: Configure Security-Focused Review
# .coderabbit.yaml - Security-hardened configuration
language: "en-US"
reviews:
profile: "assertive"
request_changes_workflow: true # Block merge on security findings
auto_review:
enabled: true
drafts: false
base_branches: [main, develop]
# Exclude secrets files from AI processing
path_filters:
- "!**/.env*"
- "!**/credentials*"
- "!**/secrets*"
- "!**/*.pem"
- "!**/*.key"
- "!**/*.p12"
- "!**/*.pfx"
- "!**/serviceAccountKey*"
- "!**/terraform.tfstate*"
- "!**/*.tfvars"
- "!**/*.lock"
- "!dist/**"
- "!vendor/**"
path_instructions:
# Global security rules
- path: "**"
instructions: |
SECURITY REVIEW: Flag any of these as HIGH severity:
- Hardcoded API keys, tokens, passwords, or connection strings
- AWS access keys (AKIA...), GCP service account keys
- Private keys or certificates in source code
- JWT secrets or signing keys
- Database credentials in code (not env vars)
- Webhook URLs with tokens in query parameters
- Disabled SSL/TLS verification
- eval() or equivalent dynamic code execution
# API security
- path: "src/api/**"
instructions: |
API security checks:
- Input validation: all request parameters validated before use
- Authentication: auth middleware on all non-public endpoints
- Authorization: proper role/permission checks
- Rate limiting: endpoints have rate limits configured
- Error responses: no stack traces or internal details exposed
- CORS: properly configured, not wildcard (*)
- SQL injection: parameterized queries only, no string concat
# Authentication code
- path: "src/auth/**"
instructions: |
CRITICAL SECURITY PATH. Review for:
- Password hashing: bcrypt or argon2 ONLY (flag MD5, SHA-1, SHA-256)
- Token expiry: access tokens < 1 hour, refresh tokens < 30 days
- Session fixation: new session ID after authentication
- CSRF protection: anti-CSRF tokens on state-changing operations
- Brute force protection: account lockout or rate limiting on login
- No timing attacks in comparison (use constant-time comparison)
# Database code
- path: "src/db/**"
instructions: |
Database security checks:
- Parameterized queries ONLY (flag any string concatenation in SQL)
- No sensitive data in error messages (e.g., full query text)
- Connection strings from env vars (not hardcoded)
- Principle of least privilege for DB user accounts
- Transactions for multi-step operations
# CI/CD pipelines
- path: ".github/workflows/**"
instructions: |
CI/CD security checks:
- Pin ALL action versions to SHA commit hash (not tags)
- No secrets in step names, echo statements, or log output
- Include timeout-minutes on all jobs
- Use OIDC for cloud provider auth (not long-lived keys)
- No curl | sh patterns (supply chain risk)
- Restrict workflow permissions to minimum required
# Infrastructure as code
- path: "**/*.tf"
instructions: |
Terraform security:
- No hardcoded credentials or access keys
- S3 buckets: encryption enabled, public access blocked
- Security groups: no 0.0.0.0/0 ingress except port 443
- RDS/databases: encryption at rest enabled, no public access
- IAM roles: least privilege, no wildcard (*) actions
# Docker
- path: "**/Dockerfile"
instructions: |
Container security:
- No secrets in ENV or ARG instructions
- Use specific image tags (not :latest)
- Run as non-root user (USER instruction)
- Multi-stage builds to reduce attack surface
- No sensitive files copied into image
chat:
auto_reply: true
Step 2: Secret Detection with GitHub Integration
# .github/workflows/security-review.yml
name: Security Review
on:
pull_request:
types: [opened, synchronize]
jobs:
secret-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Scan for secrets in PR diff
run: |
# Check PR diff for common secret patterns
DIFF=$(git diff origin/${{ github.base_ref }}...HEAD)
PATTERNS=(
"AKIA[0-9A-Z]{16}" # AWS access key
"(?i)(api[_-]?key|apikey)\s*[:=]\s*['\"][^'\"]{16,}" # API keys
"(?i)(password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{8,}" # Passwords
"ghp_[a-zA-Z0-9]{36}" # GitHub PAT
"sk-[a-zA-Z0-9]{48}" # OpenAI key
"-----BEGIN.*PRIVATE KEY" # Private keys
)
FOUND=0
for PATTERN in "${PATTERNS[@]}"; do
if echo "$DIFF" | grep -qP "$PATTERN"; then
echo "::error::Potential secret found matching pattern: $PATTERN"
FOUND=1
fi
done
if [ "$FOUND" -eq 1 ]; then
echo "::error::Secret-like patterns detected in PR. Review before merging."
exit 1
fi
Step 3: Security Review Learnings
# Train CodeRabbit to catch your team's specific security patterns:
# In a PR comment, reply to a CodeRabbit review:
"Good catch! We always want to flag missing CSRF tokens in POST handlers."
"We use Helmet.js for security headers. If you see an Express route
without `app.use(helmet())`, flag it as a security issue."
"In this project, all database queries must go through the QueryBuilder class.
Direct SQL strings are a security violation."
# These learnings persist across PRs and repos in the organization.
Step 4: Security Audit Script
set -euo pipefail
echo "=== CodeRabbit Security Configuration Audit ==="
# Check .coderabbit.yaml for security settings
if [ -f .coderabbit.yaml ]; then
python3 -c "
import yaml
config = yaml.safe_load(open('.coderabbit.yaml'))
reviews = config.get('reviews', {})
path_filters = reviews.get('path_filters', [])
path_instructions = reviews.get('path_instructions', [])
# Check if sensitive files are excluded
sensitive_patterns = ['.env', '.pem', '.key', 'credentials', 'secrets', 'tfstate', 'tfvars']
excluded = [p for p in path_filters if any(s in p for s in sensitive_patterns)]
print(f'Sensitive file exclusions: {len(excluded)}/{len(sensitive_patterns)} patterns')
# Check if security instructions exist
security_keywords = ['security', 'injection', 'credential', 'secret', 'auth', 'password']
has_security = any(
any(kw in str(pi.get('instructions', '')).lower() for kw in security_keywords)
for pi in path_instructions
)
print(f'Security path_instructions: {\"YES\" if has_security else \"MISSING\"} ')
# Check if request_changes_workflow blocks on issues
blocks = reviews.get('request_changes_workflow', False)
print(f'Blocks merge on issues: {\"YES\" if blocks else \"NO (consider enabling)\"}')
# Check auto_review settings
auto = reviews.get('auto_review', {})
print(f'Drafts reviewed: {\"YES (risky)\" if auto.get(\"drafts\", True) else \"NO (good)\"}')
" 2>&1
else
echo "WARNING: .coderabbit.yaml not found"
fi
Output
Security-focused .coderabbit.yaml with path instructions for critical code areas
Secret detection patterns in CI pipeline
CodeRabbit learnings trained for team-specific security rules