
Security bugs are sneaky. They rarely look alarming in a diff -- a missing authorization check here, a user-controlled string crossing a trust boundary there. By the time a human reviewer notices, the code is already merged. Factory's Droid is now trying to close that gap with Automated Security Review: a dedicated security pass that runs on every non-draft pull request, automatically, alongside the standard code review.
The feature is live today and available on all plans. No configuration required to get started -- it activates the moment a PR is opened.
Not just another linter
The core of this system is a structured threat-modeling framework called STRIDE -- short for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Rather than pattern-matching for known bad strings the way a traditional static analyzer would, Droid runs a security-focused review using STRIDE methodology along with OWASP Top 10 and OWASP LLM Top 10 checks -- the latter covering AI-specific attack surfaces like prompt injection and insecure model output handling.
What makes this more than a fancy grep is the two-pass validation pipeline, which traces untrusted input across trust boundaries, validates exploitability, and reports only findings with a realistic path to impact. Candidate vulnerabilities are re-checked for reachability and existing controls before anything gets posted, which is how the system avoids drowning engineers in false positives.
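To make the two-pass idea concrete, here is an added illustration, not Factory's code or a description of Droid's internals: a toy Python triage in which pass 1 flags every `os.system` call built from a non-constant string, and pass 2 keeps only the candidates that an entry point feeds with request data and that lack a `shlex.quote` control. The sample source, the convention that functions taking `request` are entry points, and all function names are assumptions made for the example.

```python
import ast
# Constructed code under review; functions taking `request` are entry points (assumption).
SAMPLE = '''
def ping(host):
    os.system("ping -c1 " + host)
def ping_safe(host):
    os.system("ping -c1 " + shlex.quote(host))
def unused(host):
    os.system("ping -c1 " + host)
def handler(request):
    ping(request.args["host"])
    ping_safe(request.args["host"])
'''
SINK, SANITIZER, ENTRY = ("os", "system"), ("shlex", "quote"), "request"

def is_call_to(node, qual):
    f = getattr(node, "func", None)
    return (isinstance(node, ast.Call) and isinstance(f, ast.Attribute)
            and isinstance(f.value, ast.Name) and (f.value.id, f.attr) == qual)

def pass1_candidates(tree):  # pass 1: every sink call whose command is not a constant
    return [(fn, c) for fn in tree.body if isinstance(fn, ast.FunctionDef)
            for c in ast.walk(fn)
            if is_call_to(c, SINK) and c.args and not isinstance(c.args[0], ast.Constant)]

def raw_names(expr):  # variable names that reach the sink outside the sanitizer
    if is_call_to(expr, SANITIZER):
        return set()
    if isinstance(expr, ast.Name):
        return {expr.id}
    return set().union(*(raw_names(ch) for ch in ast.iter_child_nodes(expr)))

def tainted_params(tree):  # (callee, arg index) pairs an entry point fills from request
    return {(c.func.id, i)
            for fn in tree.body if isinstance(fn, ast.FunctionDef)
            and any(a.arg == ENTRY for a in fn.args.args)
            for c in ast.walk(fn) if isinstance(c, ast.Call) and isinstance(c.func, ast.Name)
            for i, arg in enumerate(c.args)
            if any(isinstance(n, ast.Name) and n.id == ENTRY for n in ast.walk(arg))}

def pass2_validate(tree, candidates):  # pass 2: reachable and without an existing control
    tainted = tainted_params(tree)
    return [fn.name for fn, call in candidates
            if any((fn.name, i) in tainted for i, a in enumerate(fn.args.args)
                   if a.arg in raw_names(call.args[0]))]

def review(source):
    tree = ast.parse(source)
    candidates = pass1_candidates(tree)
    return [fn.name for fn, _ in candidates], pass2_validate(tree, candidates)
```

On the sample, pass 1 raises three candidates and pass 2 posts one: `ping_safe` is dropped because the input is quoted, and `unused` because no entry point reaches it.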
When something is caught, each finding includes a severity level, CWE reference (where applicable), an explanation, and a suggested fix posted as inline review comments. Severity is tagged P0 through P3:
