What Noah Checks
Noah’s code security analysis covers multiple areas of your application:
Application Code
Noah scans your frontend and backend code for common vulnerability patterns:
- Cross-Site Scripting (XSS) — Unsafe rendering of user input
- Injection attacks — SQL injection, command injection, and other injection vectors
- Authentication flaws — Insecure login flows, missing session validation
- Insecure API calls — Exposed endpoints, missing rate limiting
- Hardcoded secrets — API keys or credentials embedded in source code
- Unsafe data handling — Missing input validation, improper sanitization
Dependencies
Third-party libraries can introduce security risks. Noah can review your project’s npm dependencies for known vulnerabilities:
- Known CVEs — Publicly disclosed vulnerabilities in packages you use
- Outdated packages — Dependencies with available security patches
- Severity levels — Critical, high, medium, and low risk classification
Database Security (Supabase)
If your project uses Supabase, Noah can review your database security:
- Row-Level Security (RLS) — Whether RLS is enabled and properly configured on your tables
- Overly permissive policies — Policies that expose more data than intended
- Missing access controls — Tables without any RLS policies
How to Run a Security Review
Ask Noah to review your code at any time by prompting in chat:
Full application review:
“Review my app’s security”
“Check my code for security vulnerabilities”
Focused reviews:
“Review the authentication flow in my app”
“Check if my API routes are secure”
“Are my RLS policies configured correctly?”
“Check my npm dependencies for vulnerabilities”
Noah will analyze the relevant code and respond with findings, explanations, and specific fixes.
Understanding Findings
Noah categorizes security findings by severity:
| Severity | Description | Action |
|---|---|---|
| Critical | Exploitable vulnerabilities that could lead to data loss, fund theft, or unauthorized access | Fix immediately |
| High | Serious issues that should be addressed before deployment | Fix before going live |
| Medium | Issues that could become risks under certain conditions | Review and fix when possible |
| Low | Minor issues or best-practice improvements | Consider implementing |
Fixing Security Issues
When Noah identifies security issues, you can:
- Let Noah fix it — Ask Noah to apply the recommended fix directly
- Review and fix manually — Use the findings as guidance to make changes yourself
- Ask for clarification — Ask Noah to explain why something is a risk and what the impact could be
“Fix the XSS vulnerability you found in the profile page”
“Add RLS policies to the orders table so users can only see their own orders”
“Update the vulnerable packages in my project”
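What the Database Security checks and the “Add RLS policies to the orders table” prompt above amount to in practice, as an added example that is not from the original page or Noah’s own output: an unprotected Supabase `orders` table, the hardened version with owner-scoped policies, and a catalog query that lists which tables in `public` have RLS enabled and how many policies each carries. The table and column names are assumptions.

```sql
-- Added example (not from the original page): a Supabase/Postgres
-- "orders" table as the RLS check would flag it, then the hardened form.
-- Table and column names are assumptions.

-- BEFORE: RLS is not enabled. Any client holding the project's anon key
-- can read and modify every row through the auto-generated API.
create table public.orders (
  id bigint generated always as identity primary key,
  user_id uuid not null references auth.users (id),
  total numeric(12, 2) not null,
  created_at timestamptz not null default now()
);

-- AFTER: turn RLS on. With RLS enabled and no policies, the API returns
-- no rows at all, so each allowed operation needs an explicit policy.
alter table public.orders enable row level security;

-- Users can read only rows whose user_id matches their own auth.uid().
create policy "orders: owner can select"
  on public.orders for select
  to authenticated
  using ((select auth.uid()) = user_id);

-- Users can insert orders only for themselves.
create policy "orders: owner can insert"
  on public.orders for insert
  to authenticated
  with check ((select auth.uid()) = user_id);

-- Overly permissive policy the review would flag: using (true) lets every
-- authenticated user read every order. Kept commented out for contrast.
-- create policy "orders: anyone" on public.orders for select using (true);

-- Check: RLS status and policy count for every ordinary table in public.
-- A row with rls_enabled = false or policy_count = 0 deserves a look.
select c.relname       as table_name,
       c.relrowsecurity as rls_enabled,
       count(p.polname) as policy_count
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public'
  and c.relkind = 'r'
group by c.relname, c.relrowsecurity
order by c.relname;
```

Run the final query in the Supabase SQL editor after applying fixes to confirm that `orders` shows `rls_enabled = true` with two policies.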
Prompt Cookbook
| Scenario | Prompt |
|---|---|
| Pre-deployment check | Review my app's security before I publish it |
| After adding auth | Check if my authentication implementation is secure |
| Database review | Review my Supabase tables for missing RLS policies |
| Dependency check | Are any of my npm packages vulnerable? |
| Specific component | Check the payment form component for security issues |
| Smart contract + app | Review both my smart contract and frontend for security vulnerabilities |
Best Practices
Review regularly, not just once
Security is an ongoing process. Run reviews after major changes, new feature additions, or dependency updates.
Focus on critical issues first
Address critical and high-severity findings before lower-priority ones. These represent the most exploitable vulnerabilities.
Combine automated and manual reviews
Use Noah’s analysis as a starting point, but manually review sensitive areas like authentication, payment flows, and admin functionality.
Test fixes thoroughly
After applying security fixes, test your app to make sure the fix works and doesn’t break existing functionality.
Keep dependencies minimal
Only include packages you actually use. Fewer dependencies mean fewer potential vulnerabilities.
FAQ
Does a code security review consume credits?
Yes, conversational security reviews in chat consume credits like regular messages.
Can Noah fix all security issues automatically?
Noah can fix many common security issues automatically. Complex or architectural security problems may require manual intervention with Noah’s guidance.
How is this different from the smart contract audit?
The smart contract audit generates a downloadable PDF report specifically for on-chain programs. Code security reviews analyze your full application — frontend, backend, dependencies, and database configuration.