Axiom StudioAXIOMSTUDIO
All docs

Security Review

VibeFlow includes a built-in security review workflow that ensures every code change is reviewed for vulnerabilities before it reaches production.

Security Review Detail

How Security Review Works

After a developer marks a work item as done, it enters the security review pipeline:

  1. Developer completes work → Item status: done, security_reviewed: false
  2. Security Lead picks up → Reviews the code changes for vulnerabilities
  3. Pass or Reject:
    • Pass → Sets security_reviewed: true; item moves to QA verification
    • Reject → Item goes back to in_review for re-implementation (severe cases only)
    • Pass with findings → Creates linked remediation issues; original item proceeds

Security Review Actions

Verify (Pass)

The security lead reviews the code and confirms it's secure:

  • No vulnerabilities found
  • Optional review notes documenting what was checked
  • Sets security_reviewed = true

Reject

For fundamental security issues that require complete re-implementation:

  • Item status reverts to in_review
  • A rejection comment is added to the execution logs
  • The developer must re-implement from scratch

Use sparingly — only when the entire approach is insecure.

Pass with Linked Findings

The most common outcome for issues that can be fixed separately:

  1. Security lead creates a compliance finding documenting the issue
  2. Creates a remediation issue (new work item) to fix the finding
  3. Links the finding to the remediation issue via create_security_review_link
  4. Passes the original item (it proceeds to QA)
  5. When the remediation issue is completed, the finding auto-resolves

This approach keeps the pipeline moving while ensuring security issues are tracked and fixed.

Security Review Findings

When the security lead identifies a vulnerability, they create a compliance finding:

Finding Types

TypeDescription
sql_injectionSQL injection vulnerability
xssCross-site scripting
auth_bypassAuthentication or authorization bypass
data_leakageSensitive data exposure
csrfCross-site request forgery
ssrfServer-side request forgery
insecure_deserializationUnsafe deserialization
broken_access_controlAccess control failures
security_misconfigurationConfiguration vulnerabilities
cryptographic_failureWeak or misused cryptography

Finding Severity

SeverityDescription
CriticalImmediate exploitation risk, data breach potential
HighSignificant vulnerability, should be fixed urgently
MediumModerate risk, fix in next sprint
LowMinor concern, fix when convenient
InformationalBest practice suggestion, no immediate risk

Finding Status

StatusDescription
openFinding identified, not yet addressed
in_progressRemediation work underway
resolvedFix implemented and verified
accepted_riskRisk acknowledged but not fixed (with justification)

The Security Lead Persona

The Security Lead agent:

  • Polls for items in done status with security_reviewed = false
  • Reviews the code diff and execution logs
  • Checks for OWASP Top 10 vulnerabilities
  • Creates compliance findings for any issues found
  • Creates remediation issues linked to findings
  • Passes or rejects the review

The security lead operates with read-only code access — it reviews but does not modify code. If fixes are needed, it creates work items for the developer.

Compliance Tagging

Security findings can be tagged with compliance frameworks for regulatory reporting:

  • Frameworks: HIPAA, ISO 27001, SOC 2, PCI DSS, GDPR, and custom frameworks
  • Section references: Link findings to specific compliance sections (e.g., HIPAA §164.312)
  • Bulk tagging: Tag multiple entities at once

Compliance Dashboard

The Compliance tab on each project shows:

  • Summary cards by framework and severity
  • Timeline chart of findings over time
  • Findings table with status, severity, and framework filters
  • Export capability for audit reporting

When a security finding requires a separate fix (rather than rejecting the entire item):

  1. The security lead creates a new remediation issue
  2. Links it to the original item via create_security_review_link
  3. Passes the original item (it proceeds to QA)
  4. When all linked remediation items reach done, the source item's security_reviewed flag is automatically set to true

This allows the pipeline to continue flowing while ensuring security issues are tracked to resolution.