AI-generated code is not automatically insecure.
The problem is that it can create convincing pull requests faster than teams can inspect them. The diff may be formatted well, the helper names may look reasonable, and the tests may be green. None of that proves the change preserved the security rules your app depends on.
When I review AI-generated PRs, I use a short checklist. It is close to the way we wrote Critique's [critique-review](https://www.critique.sh/skills/critique-review) skill: establish scope, map blast radius, trace risky paths, check authorization, and only report findings that are grounded in the actual code.
No vague "this might be risky" comments. If there is a security concern, it should point to a real path and a real failure mode.
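The first three checklist steps (scope, blast radius, risky paths) can be made mechanical before a human reads a single line. The script below is an added example written for this post; it is not part of Critique's critique-review skill and does not reproduce it. It parses a small unified diff (constructed for the example, not from any real PR) in which an AI-generated "cleanup" of an export endpoint drops a permission check, ranks the touched files by how much security attention they need, and turns any removed authorization line into a finding that names a real path, real line numbers, and a concrete failure mode. The sensitive-path pattern and the authorization-token list are assumptions you would tune to your own codebase.

```python
import re
from dataclasses import dataclass, field

# Constructed sample diff for this example (not from a real project): the PR
# "simplifies" an export view and, in passing, removes its permission check.
SAMPLE_DIFF = """\
diff --git a/app/api/export.py b/app/api/export.py
--- a/app/api/export.py
+++ b/app/api/export.py
@@ -10,5 +10,3 @@ def export_report(request, report_id):
     report = Report.objects.get(id=report_id)
-    if not request.user.has_perm("reports.view", report):
-        raise PermissionDenied()
     data = build_csv(report)
-    return csv_response(data)
+    return csv_response(data, filename=f"report-{report_id}.csv")
diff --git a/app/utils/format.py b/app/utils/format.py
--- a/app/utils/format.py
+++ b/app/utils/format.py
@@ -1,2 +1,3 @@
 def csv_response(data, filename="export.csv"):
+    # new optional filename parameter
     ...
"""

# Assumed review heuristics (not from the post): directories that are always in
# scope for an authorization review, and tokens that usually mark an authz decision.
SENSITIVE_PATH = re.compile(r"(^|/)(auth|api|middleware|permissions?|security)(/|\.)")
AUTHZ_TOKEN = re.compile(
    r"has_perm|PermissionDenied|is_authenticated|require_role|check_permission"
)
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class FileChange:
    path: str
    added: list = field(default_factory=list)    # (new_line_no, text)
    removed: list = field(default_factory=list)  # (old_line_no, text)


def parse_diff(diff_text):
    """Parse a unified diff into per-file added/removed lines with line numbers."""
    changes = {}
    current = None
    old_no = new_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
            current = changes.setdefault(path, FileChange(path))
            continue
        if raw.startswith("--- ") or raw.startswith("diff --git"):
            continue
        m = HUNK_RE.match(raw)
        if m:
            old_no, new_no = int(m.group(1)), int(m.group(2))
            continue
        if current is None:
            continue
        if raw.startswith("+"):
            current.added.append((new_no, raw[1:]))
            new_no += 1
        elif raw.startswith("-"):
            current.removed.append((old_no, raw[1:]))
            old_no += 1
        else:  # context line advances both sides
            old_no += 1
            new_no += 1
    return changes


def blast_radius(changes):
    """Summarise what the PR touches and tag files that need a security read first."""
    summary = []
    for fc in changes.values():
        tags = []
        if SENSITIVE_PATH.search(fc.path):
            tags.append("sensitive-path")
        if any(AUTHZ_TOKEN.search(text) for _, text in fc.added + fc.removed):
            tags.append("touches-authz")
        summary.append({"path": fc.path, "added": len(fc.added),
                        "removed": len(fc.removed), "tags": tags})
    # Most-tagged files first so the reviewer starts where the risk is.
    return sorted(summary, key=lambda s: (-len(s["tags"]), s["path"]))


def find_dropped_auth_checks(changes):
    """Turn removed authorization lines into findings with a path, lines and failure mode."""
    findings = []
    for fc in changes.values():
        lines = [no for no, text in fc.removed if AUTHZ_TOKEN.search(text)]
        if lines:
            findings.append({
                "path": fc.path,
                "old_lines": lines,
                "failure_mode": "authorization check removed; the endpoint is now "
                                "reachable without the permission it previously required",
            })
    return findings


if __name__ == "__main__":
    parsed = parse_diff(SAMPLE_DIFF)
    for entry in blast_radius(parsed):
        print(f"{entry['path']}: +{entry['added']}/-{entry['removed']} {entry['tags']}")
    for f in find_dropped_auth_checks(parsed):
        print(f"FINDING {f['path']} lines {f['old_lines']}: {f['failure_mode']}")
```

The output deliberately says nothing about `app/utils/format.py` beyond its line counts: nothing in that file crosses an authorization boundary, so there is no grounded finding to report. The one finding it does emit is the kind the post asks for: a file, the removed lines, and what breaks.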
1. Start with blast radius