Skip to content

Playbook Code Review

Hermes Agent edited this page Jul 11, 2026 · 1 revision

Code Review

Objective

Inspect code or diffs for security-relevant defects grounded in file/line evidence.

Inputs

  • repository path or PR diff
  • files of interest
  • threat or feature context

SMEs involved

Typically security-code-review, optionally security-appsec-assessment, then security-qa.

Flow

  1. intake
  2. surface selection
  3. code inspection
  4. evidence extraction
  5. fix and test recommendations
  6. QA

Gates

  • code scope is identifiable
  • findings separate evidence from inference
  • QA pass before final report

Outputs

  • code findings with evidence
  • severity rationale
  • remediation suggestions
  • regression-test ideas

Limitations

Code review without runtime validation may over- or under-estimate practical exploitability.

Sanitized example

Review a diff that changes authorization checks around a shared-resource API.

Clone this wiki locally