Review PRs For Security Issues

Claude · GitHub · Google Mail

Automatically reviews GitHub pull requests for security vulnerabilities, logic errors, performance issues, and test coverage gaps, then emails the structured report to the PR author.

Code Review · GitHub · Security Audit · Pull Requests

What It Does

Triggers automatically every time a pull request is opened or updated in your GitHub repository. It fetches the complete code diff, runs a comprehensive AI review covering security vulnerabilities (OWASP Top 10), logic errors, code quality issues, performance concerns, and test coverage gaps — then sends a structured review to the PR author's email before any human reviewer has even opened the PR.

How It Works

Each step is one node in the workflow:

  1. Webhook Trigger: GitHub calls this webhook whenever a PR is opened or updated (pull_request event, actions: opened, synchronize).
  2. GitHub: Fetches the list of changed files and their diffs using the GitHub API.
  3. AI Agent: Performs a structured code review across 5 dimensions: security (OWASP Top 10), logic errors, code quality, performance, and test coverage. Each issue is classified by severity with file location and fix recommendation.
  4. Gmail: Sends the formatted HTML review report to the PR author's email with the subject "AI Code Review: [PR Title]".

What You Get

For every PR opened, the review covers:

  • Critical security issues — SQL injection, XSS, CSRF, exposed secrets, SSRF, broken authentication
  • Logic errors — null handling, race conditions, off-by-one errors, async misuse
  • Code quality warnings — naming, complexity, duplication, SOLID violations
  • Performance flags — N+1 queries, blocking calls, inefficient loop patterns
  • Test coverage gaps — edge cases the new code is missing
  • Final recommendation — APPROVE, REQUEST CHANGES, or BLOCK MERGE

Why It Matters

A security vulnerability that makes it to production costs 100x more to fix than one caught in code review. But engineers are busy — PRs sit unreviewed for days, or get rubber-stamped to unblock the sprint. This workflow makes a professional security audit the default for every PR, not the exception. Teams that use it merge fewer bugs, catch vulnerabilities before they reach production, and spend human review time on architecture decisions rather than typos.

Who It's For

  • Engineering teams where PRs wait days for review
  • Startups that can't afford a dedicated security review process
  • Tech leads who want automated review hygiene without expensive per-seat tooling
  • Any team that has shipped a bug or security issue that could have been caught in code review

Setup

  1. Connect your GitHub account in Needle (needs repo read access).
  2. Connect your Gmail account (to send review emails).
  3. Publish the workflow and copy the Webhook Trigger URL from the Needle canvas.
  4. Go to your GitHub repo → Settings → Webhooks → Add webhook:
    • Payload URL: paste the Needle webhook URL
    • Content type: application/json
    • Events: select "Pull requests" only
    • Active: checked, then Save
  5. Open a test PR — the review email should arrive within about 2 minutes.

Customization Ideas

  • Add your team's coding standards to the AI agent prompt (e.g., "We use React hooks — flag useState misuse").
  • Restrict reviews to specific file types by adding a filter node after the GitHub node.
  • Send results to Slack instead of (or in addition to) Gmail by adding a Slack node.
  • Add a minimum PR size filter to skip PRs with fewer than 10 lines changed.
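The webhook gate described in "How It Works" and the filter ideas above, written out as an added Python example (not the Needle workflow's own code): it verifies GitHub's X-Hub-Signature-256 HMAC, accepts only pull_request opened/synchronize deliveries, and applies the file-type and minimum-size filters before any review runs. It assumes the webhook is configured with a shared secret, which the Setup steps do not mention, and uses a constructed payload and changed-file list.

```python
import hmac
import hashlib
import json

# Constructed sample data: a placeholder shared secret and a minimal
# pull_request payload of the kind GitHub posts for opened/synchronize.
WEBHOOK_SECRET = b"example-shared-secret"  # placeholder, not a real secret
SAMPLE_PAYLOAD = json.dumps({
    "action": "synchronize",
    "pull_request": {"number": 42, "title": "Add login rate limiting"},
}).encode()
# Constructed changed-file list in the shape of GitHub's
# "list pull request files" API response.
SAMPLE_FILES = [
    {"filename": "src/auth/login.py", "additions": 18, "deletions": 3},
    {"filename": "README.md", "additions": 2, "deletions": 0},
]


def sign(body: bytes, secret: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256 for this raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, header, secret: bytes) -> bool:
    """Constant-time check that the delivery really came from GitHub."""
    return hmac.compare_digest(sign(body, secret), header or "")


def should_review(event: str, body: bytes, files, min_lines=10,
                  exts=(".py", ".js", ".ts")) -> bool:
    """Only pull_request opened/synchronize with enough changed code lines."""
    if event != "pull_request":
        return False
    if json.loads(body).get("action") not in ("opened", "synchronize"):
        return False
    code_files = [f for f in files if f["filename"].endswith(exts)]
    changed = sum(f["additions"] + f["deletions"] for f in code_files)
    return changed >= min_lines


def handle_webhook(headers, body: bytes, files, secret=WEBHOOK_SECRET) -> str:
    """Decision for one delivery: 'rejected', 'skipped' or 'review'."""
    if not verify_signature(body, headers.get("X-Hub-Signature-256"), secret):
        return "rejected"  # unsigned or tampered payload never reaches the agent
    if not should_review(headers.get("X-GitHub-Event", ""), body, files):
        return "skipped"
    return "review"
```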
