Security Review Pull Request Template

A PR template for security-sensitive changes with threat model, attack surface analysis, dependency audit, and security testing checklist.

Detailed Explanation

Security Review PR Template

Changes that affect authentication, authorization, data handling, or dependencies require heightened scrutiny. This template ensures that security-relevant context is captured up front, so reviewers can perform a thorough security review.

Template Structure

## Description
<!-- Describe the security-related changes. -->

## Security Impact
- [ ] Authentication changes
- [ ] Authorization / access control changes
- [ ] Data handling / PII changes
- [ ] Cryptography changes
- [ ] Dependency updates
- [ ] API endpoint changes
- [ ] Input validation changes

## Threat Model
<!-- What threats does this change address or introduce? -->
<!-- Reference OWASP Top 10 categories if applicable. -->

## Attack Surface
<!-- Has the attack surface increased, decreased, or remained the same? -->

## Checklist
- [ ] No secrets or credentials in the code
- [ ] Input validation is in place
- [ ] SQL injection prevention verified
- [ ] XSS prevention verified
- [ ] CSRF protection maintained
- [ ] Rate limiting considered
- [ ] Error messages don't leak sensitive information
- [ ] Logging does not include PII
- [ ] Dependency vulnerabilities checked (npm audit / Snyk)

## Testing
<!-- What security testing was performed? -->
<!-- Include penetration testing, fuzzing, or static analysis results. -->

## Related Issues
<!-- Closes #(issue number) -->

Threat Model Section

Asking contributors to describe the threat model forces them to think about security implications before the review. This section should reference relevant OWASP Top 10 categories (Injection, Broken Auth, XSS, etc.).

Attack Surface Analysis

The attack surface question helps reviewers understand the security posture change. Adding a new API endpoint increases attack surface; removing an unnecessary endpoint decreases it.

Security Checklist

Each item in the security checklist addresses a common vulnerability class. The checklist is not exhaustive — it covers the most frequently encountered issues in web application development.

Dependency Auditing

The checklist includes dependency vulnerability checks because supply chain attacks are increasingly common. Tools like npm audit, Snyk, or Dependabot can automate this check.
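As an added example (not code from the original page or from any project's tooling), here is a small Python linter that a CI job could run over a PR body created from the template above: it strips the HTML placeholder comments, checks that the required sections were actually filled in, that at least one Security Impact category is ticked, and that every Checklist item (including the dependency vulnerability check) is confirmed. The section names and checkbox labels follow the template; the sample PR body is constructed.

```python
import re

# Template sections that must hold more than the template's own <!-- --> placeholder comments.
REQUIRED_SECTIONS = ("Description", "Security Impact", "Threat Model", "Attack Surface", "Checklist", "Testing")
HEADING_RE = re.compile(r"^##[ \t]+(.+?)[ \t]*$", re.MULTILINE)
CHECKBOX_RE = re.compile(r"^[ \t]*-[ \t]*\[([ xX])\][ \t]*(.+?)[ \t]*$", re.MULTILINE)

def parse_sections(body):
    """Map each '## ' heading to its body text, with HTML comments stripped first."""
    body = re.sub(r"<!--.*?-->", "", body, flags=re.DOTALL)
    parts = HEADING_RE.split(body)  # [preamble, heading1, body1, heading2, body2, ...]
    return dict(zip(parts[1::2], parts[2::2]))

def checkboxes(text):
    """Return (checked, label) for every '- [ ]' / '- [x]' line in a section."""
    return [(mark.lower() == "x", label) for mark, label in CHECKBOX_RE.findall(text)]

def lint_pr_body(body):
    """Return findings; an empty list means the body satisfies the template's requirements."""
    sections = parse_sections(body)
    findings = []
    for name in REQUIRED_SECTIONS:
        if not sections.get(name, "").strip():
            findings.append(f"section '{name}' is missing or only contains the template placeholder")
    if not any(checked for checked, _ in checkboxes(sections.get("Security Impact", ""))):
        findings.append("no Security Impact category selected")
    for checked, label in checkboxes(sections.get("Checklist", "")):
        if not checked:
            findings.append(f"checklist item not confirmed: {label}")
    return findings

# Constructed sample: Threat Model left as the placeholder, Attack Surface omitted, one box unticked.
SAMPLE_BODY = """## Description
Adds a lookup endpoint for account records.
## Security Impact
- [x] API endpoint changes
- [ ] Dependency updates
## Threat Model
<!-- What threats does this change address or introduce? -->
## Checklist
- [x] No secrets or credentials in the code
- [ ] SQL injection prevention verified
## Testing
Static analysis run on the new handler.
"""

if __name__ == "__main__":
    for finding in lint_pr_body(SAMPLE_BODY):
        print("FAIL:", finding)
```

Running it on the sample reports the placeholder Threat Model, the missing Attack Surface section and the unconfirmed SQL injection item; a CI job can fail the build whenever the returned list is non-empty.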

Use Case

Applications handling sensitive data (financial, healthcare, personal information) where security review is part of the PR process. Also useful for teams with compliance requirements (SOC 2, HIPAA, PCI DSS).
