# Secure Code Review Checklist

Practical checklist for human-led application security review.
This repository is maintained by Code Assure Lab as a lightweight reference for reviewing security-sensitive source code changes, pull requests, and application components. It is designed for defensive review work on owned or authorized systems.
## Review Scope

Use this checklist when reviewing:

- Authentication and session handling
- Authorization and access control decisions
- Input validation and output encoding
- Sensitive data handling
- Secrets and configuration exposure
- Dependency updates and security patches
- Logging, error handling, and audit events
- Security-sensitive pull requests

## Authentication

- Confirm password, token, and session flows match the intended trust boundary.
- Check whether session expiration and refresh behavior are explicit.
- Review account recovery, email verification, and MFA-related logic.
- Confirm authentication errors do not reveal unnecessary account state.

## Authorization

- Identify protected resources and the user or service roles allowed to access them.
- Verify that authorization checks happen server-side.
- Confirm object-level access checks for records, projects, files, and API resources.
- Review default-deny behavior for missing or invalid role information.

## Input Handling

- Identify externally controlled input from HTTP requests, queues, files, webhooks, and CLI arguments.
- Confirm validation happens before the input reaches security-sensitive operations.
- Review encoding and escaping at output boundaries.
- Check file upload type, size, storage path, and metadata handling.

## Sensitive Data

- Confirm secrets are not committed, logged, or returned in API responses.
- Review how credentials, tokens, and private keys are stored and rotated.
- Confirm personal or sensitive data is minimized in logs and diagnostics.
- Check whether test fixtures include real production-like secrets.

## Dependency Updates

- Identify the vulnerable package, affected version range, and reachable code path.
- Confirm the proposed update is compatible with runtime constraints.
- Review changelog notes for breaking behavior.
- Add regression checks where the dependency behavior affects security logic.

## Patch Review

- Confirm the patch addresses the root cause, not only the visible symptom.
- Check adjacent code paths that use the same helper, parser, or policy decision.
- Review failure modes and error handling introduced by the patch.
- Confirm tests cover the security-relevant behavior.

## Responsible Use

This checklist is for defensive software review. It should be used only on code, applications, and systems that are owned by the reviewer or explicitly authorized for assessment. It is not intended for autonomous exploitation, credential theft, persistence, malware development, or unsupervised testing against third-party systems.
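The Authorization section asks the reviewer to look for server-side, object-level checks and default-deny handling of missing or unknown roles. The following Python snippet is an added example written for this README, not code from the checklist repository or from Code Assure Lab; it shows what those three properties look like in one small handler so a reviewer knows the shape to expect. All names in it (`User`, `Record`, `authorize`, `get_record`, `STORE`, the role table) are hypothetical.

```python
"""Added example (not part of the checklist repository): a minimal
server-side, default-deny, object-level authorization check.
All names below are hypothetical and chosen for illustration only."""
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple


@dataclass(frozen=True)
class User:
    id: str
    role: Optional[str]  # None models a missing or invalid role claim


@dataclass(frozen=True)
class Record:
    id: str
    owner_id: str


# Explicit allow-list: what each role may do on records it does NOT own.
# Anything absent from this table is denied, so a new role or action is
# refused until someone deliberately adds a rule for it.
ROLE_PERMISSIONS: Dict[str, frozenset] = {
    "viewer": frozenset({"read"}),
    "editor": frozenset({"read", "update"}),
    "admin": frozenset({"read", "update", "delete"}),
}
OWNER_ACTIONS = frozenset({"read", "update", "delete"})


def authorize(user: User, action: str, record: Record) -> bool:
    """Return True only when an explicit rule grants `action` on `record`.

    Missing role, unknown role and unknown action all fall through to False.
    """
    if user.role is None:
        return False
    if record.owner_id == user.id:
        return action in OWNER_ACTIONS
    return action in ROLE_PERMISSIONS.get(user.role, frozenset())


# Constructed in-memory store standing in for a database table.
STORE: Dict[str, Record] = {
    "r1": Record(id="r1", owner_id="alice"),
    "r2": Record(id="r2", owner_id="carol"),
}


def get_record(user: User, record_id: str,
               store: Dict[str, Record] = STORE) -> Tuple[int, Dict[str, Any]]:
    """Handler-style function returning (status, body).

    The check runs here, on the server, against the object actually loaded,
    never against an "is_owner" flag or role the client sent along.
    """
    record = store.get(record_id)
    if record is None:
        return 404, {"error": "not found"}
    if not authorize(user, "read", record):
        # Same generic body as the not-found case, so the response does not
        # confirm that the record exists to a caller who may not read it.
        return 404, {"error": "not found"}
    return 200, {"id": record.id, "owner_id": record.owner_id}
```

When reviewing a real pull request, the things to locate are the counterparts of `ROLE_PERMISSIONS.get(user.role, frozenset())` (what happens for a role the table does not know), the `user.role is None` branch (what happens when the claim is absent), and the fact that `authorize` is called after the record is loaded by id rather than before, since the object-level decision depends on the loaded object's owner.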
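The Sensitive Data section asks the reviewer to confirm that secrets are not logged or returned in API responses and that test fixtures do not carry real secrets. The snippet below is an added example for this README, not code from the checklist repository: a small redaction helper a reviewer might expect to find in front of a logger or response serializer, plus a helper that lists where secret-like keys occur in a fixture. The key patterns, the `[REDACTED]` marker and the sample event are all constructed for illustration.

```python
"""Added example (not part of the checklist repository): redacting
secret-like fields before they reach logs or API responses, and listing
secret-like keys in a fixture for review. Patterns and sample data are
constructed for illustration."""
import json
import re
from typing import Any, List

# Key names that should never appear with their real value in output.
SENSITIVE_KEY = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|private[_-]?key|authorization)",
    re.IGNORECASE,
)
# Bearer credentials embedded in free-text strings such as log messages.
BEARER_IN_TEXT = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9\-._~+/]+=*")
MARKER = "[REDACTED]"


def redact(obj: Any) -> Any:
    """Return a copy of `obj` with secret-like keys and inline bearer
    tokens replaced by MARKER. Dicts and lists are walked recursively."""
    if isinstance(obj, dict):
        return {
            k: (MARKER if SENSITIVE_KEY.search(str(k)) else redact(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        return BEARER_IN_TEXT.sub(r"\1" + MARKER, obj)
    return obj


def safe_log_line(event: dict) -> str:
    """Serialize an event for logging, redacting first so the raw event
    never reaches the log sink."""
    return json.dumps(redact(event), sort_keys=True)


def sensitive_key_paths(obj: Any, prefix: str = "") -> List[str]:
    """List dotted paths of secret-like keys in a fixture or config so a
    reviewer can check each value is a placeholder, not a real credential."""
    found: List[str] = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            path = f"{prefix}.{k}" if prefix else str(k)
            if SENSITIVE_KEY.search(str(k)):
                found.append(path)
            else:
                found.extend(sensitive_key_paths(v, path))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found.extend(sensitive_key_paths(v, f"{prefix}[{i}]"))
    return found


# Constructed sample event, the kind of dict a request logger might receive.
SAMPLE_EVENT = {
    "user": "alice",
    "password": "hunter2",
    "headers": {"Authorization": "Bearer abc.def", "X-Req": "1"},
    "msg": "retry with Bearer xyz123",
}
```

Two review points follow from the helper's shape: redaction keyed on field names catches structured secrets but not a credential someone interpolated into a message string, which is why the string branch exists, and any field name not matched by `SENSITIVE_KEY` passes through untouched, so the pattern list is itself a security-sensitive line to review whenever a new credential type is introduced.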