[Image: Devin Review security analysis finding and fix interface. Credit: Cognition / devin.ai]
by Michael Joiner

Devin Review Now Runs a Security Analysis on Every Pull Request

Cognition added automated security review to Devin Review on June 18. It goes beyond static analysis by reasoning across the full codebase to find authorization flaws, business logic bugs, and vulnerability chains, then writes the fix and opens a PR.


Cognition announced a new feature for Devin Review on June 18: every pull request analyzed by Devin Review now also gets a security pass. The security analysis runs alongside the existing code review rather than as a separate step, and when it finds a vulnerability, it writes a fix and opens it as a merge-ready pull request.

What It Finds

Devin Review’s security analysis targets three categories of vulnerabilities that static analysis tools typically miss:

Authorization flaws: The kind that look fine in isolation but turn out to be broken once you read the surrounding code. The example Cognition gives is a password-change endpoint that creates a guest session when a token is missing, rather than rejecting the request. Pattern-matching scanners don’t catch this because the vulnerability depends on understanding the auth flow, not on recognizing a specific code pattern.

Business logic bugs: Pricing and discount logic where the flaw is in the business rules rather than the code mechanics: refunds that can exceed the original payment amount, discount codes that can be applied more than once. Finding these requires understanding what the code is supposed to do, not just what it does.
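To make the two flaw classes above concrete, here is an added illustration (not Cognition’s code and not the example from their post) with the vulnerable handler beside its fix for both the missing-token-becomes-guest-session flaw and the uncapped refund; the session table and amounts are constructed sample values.

```python
from typing import Callable, Optional


class AuthError(Exception):
    """Raised when a request carries no valid session."""


# Constructed sample session store (hypothetical): token -> user id.
SESSIONS = {"tok-alice": "alice"}


def resolve_session_vulnerable(token: Optional[str]) -> str:
    # Flaw: a missing or unknown token silently becomes a guest session
    # instead of a rejection, so the handler below keeps running.
    if token is None:
        return "guest"
    return SESSIONS.get(token, "guest")


def resolve_session(token: Optional[str]) -> str:
    # Fix: a missing or unknown token is an authentication failure.
    if token is None or token not in SESSIONS:
        raise AuthError("authentication required")
    return SESSIONS[token]


def change_password(token: Optional[str], new_password: str,
                    resolve: Callable[[Optional[str]], str] = resolve_session) -> str:
    # The handler only checks that *some* session exists; with the vulnerable
    # resolver an unauthenticated caller reaches the password write as "guest".
    session = resolve(token)
    if not session:
        return "rejected"
    return f"password updated for {session}"


def refund_vulnerable(paid: float, refunded: float, amount: float) -> float:
    # Flaw: no cap, so cumulative refunds can exceed the original payment.
    return refunded + amount


def refund(paid: float, refunded: float, amount: float) -> float:
    # Fix: enforce the business rule that refunds never exceed what was paid.
    remaining = paid - refunded
    if amount <= 0 or amount > remaining:
        raise ValueError(f"refund {amount} exceeds remaining {remaining}")
    return refunded + amount


def rejects(fn: Callable, *args) -> bool:
    # Helper for checking that the hardened versions refuse bad input.
    try:
        fn(*args)
    except (AuthError, ValueError):
        return True
    return False
```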

Chained findings: Multiple low-severity issues that combine into a critical path. A scanner looking at each finding individually might mark them as low priority; a reviewer that understands how they interact might flag the chain as a high-severity attack path.

How It’s Different From Static Analysis

Cognition’s claim is that the tool “reads your codebase and reasons across the full repository, understanding your auth model, business logic, and service interactions to catch what pattern-matching misses by design.” The distinction from tools like Semgrep or CodeQL is that those tools match known vulnerability patterns; Devin reads the code to understand it.

The security analysis uses CWE (Common Weakness Enumeration) IDs to classify findings, which is standard in security tooling and makes it easier to cross-reference with existing vulnerability databases and compliance requirements.

The Fix PR

The detail that makes this different from a security linting report is that Devin doesn’t just flag the issue; it writes the fix. When a security finding comes up, Devin opens a merge-ready pull request with the remediation. Accepting that PR is optional, but having a proposed fix in front of you rather than a report to act on lowers the friction of actually addressing findings.

The integration lives in GitHub as inline PR comments on the diff, following the same interface as Devin Review’s regular code review comments.

Availability

Security in Devin Review is live now at app.devin.ai/review. Cognition hasn’t announced a separate pricing tier for the security feature; it appears to be included with Devin Review access.

For teams already using Devin Review for code review, the security pass runs on every PR without additional configuration.

Source: Cognition blog – Introducing Security in Devin Review
