5 Common Security Issues in Pull Requests
Security vulnerabilities in production code are every developer's nightmare. What's worse is that many of these issues could have been caught during the pull request review phase. In this post, we'll examine the five most common security issues that slip through pull requests and how automated code review can help prevent them.
1. Hardcoded Credentials
The most common security vulnerability by far is hardcoded credentials. This happens when developers accidentally commit API keys, passwords, tokens, or other secrets directly into the codebase.
```javascript
// ⚠️ DON'T DO THIS
const apiKey = "AIzaSyBk7Xq1Y2Z3W4V5U6T7S8R9Q0P1O2N3M4";
const dbPassword = "super_secret_password_123";
```
Even if the secret is removed in a later commit, it remains in the git history and is accessible to anyone with read access to the repository; it should be treated as compromised and rotated.
How to fix: Use environment variables, secret management services, or encrypted configuration files. Automated review tools can detect patterns like `api_key = "..."` or `password = "..."` and flag them before they're merged.
2. SQL Injection Vulnerabilities
SQL injection remains one of the most dangerous web vulnerabilities, yet it continues to appear in pull requests. The issue occurs when user input is concatenated directly into database queries.
```javascript
// ⚠️ VULNERABLE: userId is concatenated straight into the SQL string
const query = "SELECT * FROM users WHERE id = " + userId;
db.execute(query);
```

```javascript
// ✅ SECURE (using parameterized queries): the driver binds userId as a value
const query = "SELECT * FROM users WHERE id = ?";
db.execute(query, [userId]);
```
SQL injection can allow attackers to read, modify, or delete database data.
How to fix: Always use parameterized queries or ORM methods that handle escaping automatically. Automated tools can detect when variables are concatenated into SQL strings.
3. Cross-Site Scripting (XSS)
XSS vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users. A common cause is using innerHTML with untrusted data.
```javascript
// ⚠️ VULNERABLE
element.innerHTML = userInput; // Any markup or script in userInput is rendered

// ✅ SECURE
element.textContent = userInput; // Inserted as text only, no script execution
```
XSS can lead to session hijacking, data theft, and malicious actions performed on behalf of users.
How to fix: Use textContent or proper sanitization libraries. Automated review can detect direct assignments to innerHTML from variable sources.
4. Dangerous Function Usage
Certain JavaScript functions are inherently dangerous when used incorrectly:
- eval(): Executes arbitrary code from strings. Never use it.
- document.write(): Can overwrite the entire document if called after page load. Vulnerable to XSS.
- setTimeout/setInterval with string arguments: Similar to eval, can execute arbitrary code.
- Function() constructor: Another form of eval-like behavior.
```javascript
// ⚠️ DANGEROUS
eval("alert('" + userInput + "')"); // userInput is evaluated as code
setTimeout("updateStatus()", 1000); // string argument is evaluated like eval

// ✅ SECURE
alert(userInput); // userInput is passed as data, not code
setTimeout(updateStatus, 1000); // pass a function reference instead of a string
```
How to fix: Avoid these functions entirely. Use alternatives like arrow functions and proper DOM manipulation APIs. Automated review can flag any use of these dangerous functions.
5. Insecure API Calls
Insecure API communications can expose sensitive data to interception or tampering:
- Making API calls over HTTP instead of HTTPS
- Sending sensitive data in URL parameters (which get written to logs)
- Not validating certificates properly
- Caching sensitive responses
```javascript
// ⚠️ INSECURE: plain HTTP, and the token travels in the URL
fetch("http://api.example.com/user?token=" + token);

// ✅ SECURE: HTTPS, with the token in the request body
fetch("https://api.example.com/user", {
  method: "POST",
  body: JSON.stringify({ token }),
  headers: { "Content-Type": "application/json" }
});
```
How to fix: Always use HTTPS, send sensitive data in request bodies (not URLs), and implement proper certificate validation. Automated review can detect HTTP URLs in fetch calls and tokens in URL parameters.
Preventing These Issues
Security issues are notoriously difficult to catch during manual code review. They often:
- Blend into legitimate code patterns
- Are introduced accidentally while focusing on functionality
- Are missed due to review fatigue or time pressure
Automated code review tools like CodeAudit can systematically check for these patterns across every pull request. By catching issues before they merge, you save hours of incident response and protect your users from potential attacks.
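To make the detection side concrete, here is an added example (written for this post, not CodeAudit's own code) of a minimal line-based scanner for the five patterns above. It uses one regular expression per pattern over a constructed six-line sample; a production tool would work on an AST with data-flow tracking, so the rules are illustrative of the checks, not a complete detector.

```javascript
// Added example, not CodeAudit's code: one regex rule per pattern from this post.
const RULES = [
  { id: "hardcoded-credential",
    re: /\b(api[_-]?key|password|secret|token)\s*[:=]\s*["'][^"']{8,}["']/i },
  { id: "sql-concatenation",
    re: /["'`]\s*(SELECT|INSERT|UPDATE|DELETE)\b[^"'`]*["'`]\s*\+\s*\w+/i },
  { id: "innerhtml-assignment",
    re: /\.innerHTML\s*=\s*(?!["'`])\w+/ },
  { id: "dangerous-function",
    re: /\b(eval|Function)\s*\(|\b(setTimeout|setInterval)\s*\(\s*["'`]/ },
  { id: "insecure-api-call",
    re: /fetch\s*\(\s*["'`]http:\/\/|[?&](token|api[_-]?key|password)=/i },
];

// Scan source text line by line; returns one finding per (line, rule) hit,
// in line order, so a reviewer can jump straight to the offending line.
function scanSource(source) {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    for (const rule of RULES) {
      if (rule.re.test(line)) {
        findings.push({ line: i + 1, rule: rule.id, text: line.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample input: six lines of JavaScript. Five are flagged;
// line 3 (a parameterized query) is the control case and must not be.
const SAMPLE = [
  'const apiKey = "AIzaSyBk7Xq1Y2Z3W4V5U6T7S8R9Q0P1O2N3M4";',
  'const query = "SELECT * FROM users WHERE id = " + userId;',
  'const safe = "SELECT * FROM users WHERE id = ?";',
  'element.innerHTML = userInput;',
  'setTimeout("updateStatus()", 1000);',
  'fetch("http://api.example.com/user?token=" + token);',
].join("\n");

console.log(scanSource(SAMPLE));
```

Each finding carries the line number, rule id and source text, which is the shape a PR comment needs; extending coverage is a matter of adding rules, while reducing false positives is where AST-based analysis earns its keep.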
Get Started Today
Stop security vulnerabilities before they reach production. Install CodeAudit and catch common security issues automatically:
```shell
npm install -g codeaudit
codeaudit review https://github.com/user/repo/pull/42
```
Protect your codebase, your users, and your reputation with automated security review.