// tool reference · Vulnerability & Assessment
AI Security Code Reviewer Free
Defensive SAST: find vulnerabilities in pasted code and how to fix them.
Open AI Security Code Reviewer →
What it does
Paste a snippet and get vulnerabilities identified with CWE IDs and a corrected rewrite. Built for the review moment, not for a full codebase.
When to use it
- Reviewing a PR; checking a pattern you are unsure about; learning why something is unsafe.
Inputs
Field names are the actual form parameters, verified against source.
| Field | Type | Required | Notes |
|---|---|---|---|
| code | textarea | required | The snippet. |
| lang | select | optional | Language hint. |
What you get back
Findings with CWE ID, severity, an explanation, and the fixed code.
Worked example
Input
$q = "SELECT * FROM users WHERE id = " . $_GET['id']; $r = $db->query($q);
Output (abridged)
CRITICAL CWE-89 SQL Injection
$_GET['id'] is concatenated into SQL. ?id=1 OR 1=1 returns every
row; ?id=1; DROP TABLE users-- may execute if multi-statement is on.
FIX
$st = $db->prepare('SELECT * FROM users WHERE id = ?');
$st->execute([(int)$_GET['id']]);
$r = $st->fetchAll();
Also set PDO::ATTR_EMULATE_PREPARES => false so these are true
server-side prepares rather than client-side interpolation.
How it works
AI review against a security-focused prompt. Advisory — no code is executed.
Limits
Read live from the platform configuration.
| Rate limit | 6 requests / 10 minutes |
Privacy
Your snippet is sent to the AI provider. Do not paste secrets.
Standards
CWEOWASP Top 10
Related tools
AI Patch Generator
Minimal, behavior-preserving secure refactors with before/after diffs.
Secret Scanner
Find hardcoded credentials, API keys and tokens in a blob of text or code.
AI Config & IaC Auditor
Paste a Dockerfile, nginx, .env, compose/K8s, Actions or Terraform for ranked misconfigs and fixes.