Risk flag reference

Senix uses a fixed taxonomy of 8 risk flags. This page documents each one with examples.

The model is instructed to use only these flag names and to omit a flag when nothing fits, rather than invent a new one. The same taxonomy applies to both GitHub PR reviews and MCP analyses.

sql-injection

What it catches

Raw user input concatenated or interpolated into a SQL query string instead of being passed as a bound parameter.

Example

// Triggers sql-injection
const email = req.query.email;
db.query("SELECT * FROM users WHERE email = '" + email + "'");
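As an added illustration (not Senix's own code), the flagged pattern next to the bound-parameter form it should be replaced with; the `$1` placeholder and the `{ text, values }` query shape are assumed from a node-postgres style client, and the sample address is constructed.

```javascript
// Flagged: the value is spliced into the SQL text, so any quote character
// in it changes the statement itself rather than the data being compared.
function buildUnsafeQuery(email) {
  return {
    text: "SELECT * FROM users WHERE email = '" + email + "'",
    values: [],
  };
}

// Not flagged: the SQL text is constant and the value travels separately
// as a bound parameter, so the database never parses it as SQL.
function buildSafeQuery(email) {
  return {
    text: "SELECT * FROM users WHERE email = $1",
    values: [email],
  };
}

// Counts single quotes in a statement; an odd count means the string
// literal was broken open by the input and the statement will not parse.
function singleQuoteCount(sql) {
  return (sql.match(/'/g) || []).length;
}

// Constructed sample: a perfectly legitimate address containing an
// apostrophe is enough to break the concatenated form.
const sampleEmail = "o'brien@example.com";

function compare(email) {
  const unsafe = buildUnsafeQuery(email);
  const safe = buildSafeQuery(email);
  return {
    unsafeQuotes: singleQuoteCount(unsafe.text), // 3: unbalanced
    safeQuotes: singleQuoteCount(safe.text),     // 0: text untouched
    inputReachesSqlText: unsafe.text.includes(email),
    inputStaysInValues: !safe.text.includes(email) && safe.values[0] === email,
  };
}
```

Run `compare(sampleEmail)` to see the unsafe text end up with an unbalanced quote while the safe text is identical for every input.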

Severity

High by default

auth-change

What it catches

Addition, removal, or modification of an authentication or authorization check — sessions, tokens, role checks, or middleware guards.

Example

// Triggers auth-change — the admin check was removed
export function deleteUser(req, res) {
-  if (req.user.role !== 'admin') return res.status(403).end();
   db.users.delete(req.params.id);
}

Severity

High by default

removed-validation

What it catches

Input or schema validation that previously existed has been removed or weakened. Adding new validation does not count.

Example

// Triggers removed-validation
export function createOrder(payload) {
-  const data = OrderSchema.parse(payload);
-  return db.orders.insert(data);
+  return db.orders.insert(payload);
}

Severity

High by default

hardcoded-secret

What it catches

An API key, token, password, or private key written literally in source code instead of read from an environment variable or secret store.

Example

// Triggers hardcoded-secret
const stripe = new Stripe("live_REPLACE_WITH_YOUR_KEY");

Severity

High by default

new-external-api

What it catches

A new outbound HTTP call to a third-party service — a fetch, axios call, or SDK call to an external host.

Example

// Triggers new-external-api
await fetch("https://api.analytics.io/v1/track", {
  method: "POST",
  body: JSON.stringify({ event: "signup", userId }),
});

Severity

Medium by default

dependency-added

What it catches

A new third-party package import that did not previously appear anywhere in the touched files.

Example

// Triggers dependency-added
import { format } from "date-fns";

export const stamp = () => format(new Date(), "yyyy-MM-dd");

Severity

Medium by default

payment-logic-change

What it catches

A change to code that calculates money, prices, discounts, fees, refunds, taxes, or order totals.

Example

// Triggers payment-logic-change
function applyDiscount(total, code) {
-  return code === "SAVE10" ? total * 0.9 : total;
+  return code === "SAVE10" ? total * 0.5 : total;
}

Severity

High by default

data-leak

What it catches

A code path now exposes data to parties that should not see it — PII in a public endpoint, internal IDs in logs, or credentials echoed in errors.

Example

// Triggers data-leak — the password hash is returned to the client
app.get("/api/users/:id", async (req, res) => {
  const user = await db.users.find(req.params.id);
  res.json(user); // user includes password_hash
});

Severity

High by default