CodeSlick PR Testing Guide¶

Last Updated: November 14, 2025 Version: 20251114.10:30

This guide explains how to test CodeSlick's automated GitHub PR analysis on your team's pull requests.

Table of Contents¶

Prerequisites
How It Works
Testing Your First PR
Understanding Analysis Results
Where to View Analysis History
Interpreting Security Findings
Common Scenarios
Troubleshooting
Testing Checklist

Prerequisites¶

Before testing CodeSlick on your PRs, ensure:

✅ GitHub App Installed: CodeSlick GitHub App installed on your repository
✅ Team Created: Your team exists in CodeSlick with linked GitHub organization
✅ Repository Connected: Repository is accessible by CodeSlick (check installation settings)
✅ Webhook Active: GitHub webhook is configured (automatic during installation)
✅ Plan Active: Team has active plan (Free/Team/Enterprise) with available quota

To Verify Installation: 1. Go to GitHub Settings → Integrations → Applications 2. Find "CodeSlick" in installed GitHub Apps 3. Verify your repository is listed under "Repository access"

How It Works¶

What is a Pull Request (PR)?¶

A Pull Request is a proposal to merge code changes from one branch into another (usually from a feature branch into main). PRs are created on GitHub.com in your repository.

How to Open a Pull Request on GitHub¶

Step 1: Make code changes locally

# Create a new branch
git checkout -b feature/my-changes

# Make your code changes in your editor
# (edit files, add new code, etc.)

# Commit your changes
git add .
git commit -m "Add new feature"

# Push branch to GitHub
git push origin feature/my-changes

Step 2: Open PR on GitHub.com

Go to your repository on GitHub.com (e.g., https://github.com/your-org/your-repo)
You'll see a yellow banner saying "feature/my-changes had recent pushes"
Click the green "Compare & pull request" button

Alternative method (if no banner): - Click the "Pull requests" tab at the top - Click the green "New pull request" button - Select your branch from the dropdown

Fill in PR details:
Title: Brief description (e.g., "Add user authentication")
Description: Explain what you changed and why
Reviewers: (optional) Select team members to review
Click the green "Create pull request" button

That's it! Once you click "Create pull request", CodeSlick starts analyzing automatically.

Automatic Analysis Workflow¶

1. Developer opens Pull Request on GitHub.com
   (using steps above)
         ↓
2. GitHub sends webhook → CodeSlick receives event
         ↓
3. CodeSlick fetches PR files (.js, .ts, .py, .java)
         ↓
4. Runs 79+ security checks (static + dependency + API)
         ↓
5. Posts analysis comment on PR
         ↓
6. Updates check status (✓ passed / ⚠ issues found)
         ↓
7. Records analysis in team dashboard

Total Time: 10-15 seconds from PR creation to analysis comment

Supported Files¶

CodeSlick analyzes these file types: - JavaScript: .js, .jsx, .mjs - TypeScript: .ts, .tsx - Python: .py - Java: .java

Note: Other files (.md, .json, .css, etc.) are ignored.

Testing Your First PR¶

Step 1: Create a Test PR¶

Option A: Use Existing PR

# If you have an open PR, CodeSlick will analyze it automatically
# Check PR comments for analysis results

Option B: Create Demo PR with Vulnerable Code

# Create a new branch
git checkout -b test/codeslick-analysis

# Add a file with intentional vulnerabilities (for testing)
cat > test-security.js << 'EOF'
// Test file with security issues for CodeSlick analysis

const mysql = require('mysql');
const express = require('express');
const app = express();

// SQL Injection vulnerability
app.get('/user', (req, res) => {
  const query = "SELECT * FROM users WHERE id = " + req.query.id;
  connection.query(query, (err, results) => {
    res.json(results);
  });
});

// XSS vulnerability
app.get('/search', (req, res) => {
  const html = "<h1>Results for: " + req.query.term + "</h1>";
  res.send(html);
});

// Hardcoded credentials
const apiKey = "sk-1234567890abcdef";
const dbPassword = "MySecretPassword123";

// Command injection
const exec = require('child_process').exec;
app.get('/ping', (req, res) => {
  exec('ping ' + req.query.host, (err, stdout) => {
    res.send(stdout);
  });
});
EOF

# Commit and push
git add test-security.js
git commit -m "test: Add security test file for CodeSlick"
git push origin test/codeslick-analysis

# Open PR on GitHub
gh pr create --title "Test: CodeSlick Security Analysis" \
  --body "Testing CodeSlick automated analysis" \
  --base main --head test/codeslick-analysis

Step 2: Wait for Analysis¶

Timeline: - Webhook received: < 1 second - Analysis start: 2-5 seconds (background job) - Static analysis: 3-8 seconds (depends on file count) - Dependency scan: 2-4 seconds (if package.json/requirements.txt/pom.xml present) - PR comment posted: ~10-15 seconds total

What You'll See: 1. GitHub Check Status: "CodeSlick Analysis" check appears (⏳ pending → ✓ completed) 2. PR Comment: Detailed analysis comment with findings 3. Dashboard Update: Analysis recorded in team dashboard (visible at /teams/[id])

Step 3: Review Results¶

Check your PR for: - ✅ Comment from CodeSlick: Detailed analysis with severity breakdown - ✅ Check Status: Green ✓ (passed) or yellow ⚠ (issues found) - ✅ Dashboard Entry: New analysis appears in team dashboard "Recent Analyses" section

Understanding Analysis Results¶

PR Comment Format¶

CodeSlick posts a markdown-formatted comment with these sections:

## 🔒 CodeSlick Security Analysis

**Analysis Summary**
- **Files Analyzed**: 5
- **Total Issues**: 8
- **Critical**: 2
- **High**: 3
- **Medium**: 2
- **Low**: 1

---

### 🔴 Critical Issues (2)

#### SQL Injection in `src/routes/users.js:45`
**Severity**: CRITICAL (CVSS 9.8)
**Category**: OWASP A03:2021 - Injection
**CWE**: CWE-89 (SQL Injection)

**Vulnerable Code**:
```javascript
const query = "SELECT * FROM users WHERE id = " + req.query.id;

Why This is Dangerous: Attacker can inject malicious SQL code (e.g., 1 OR 1=1) to: - Extract all database records - Modify or delete data - Bypass authentication

Recommended Fix: Use parameterized queries with prepared statements:

const query = "SELECT * FROM users WHERE id = ?";
connection.query(query, [req.query.id], (err, results) => { ... });

🟠 High Issues (3)¶

[... additional findings ...]

Compliance Mapping¶

OWASP Top 10 2021: A03 (Injection), A07 (Identification Failures)
PCI-DSS: Requirement 6.5.1 (Injection Flaws)
CWE: CWE-89, CWE-79, CWE-78

Analyzed by CodeSlick | View Dashboard

### Severity Levels

| Level | CVSS Score | Icon | Description | Examples |
|-------|------------|------|-------------|----------|
| **CRITICAL** | 9.0-10.0 | 🔴 | Immediate exploit risk, data breach potential | SQL injection, Command injection, Deserialization |
| **HIGH** | 7.0-8.9 | 🟠 | Serious security risk, should fix ASAP | XSS, Path traversal, Weak crypto |
| **MEDIUM** | 4.0-6.9 | 🟡 | Moderate risk, plan to fix | Missing rate limiting, CORS misconfig |
| **LOW** | 0.1-3.9 | 🔵 | Low risk, informational | Code quality, deprecated functions |

---

## Where to View Analysis History

### Team Dashboard

Navigate to your team dashboard to see all PR analyses:

**URL**: `https://codeslick.com/teams/[your-team-id]`

**What You'll Find**:

1. **Recent Analyses Card**:
   - Last 10 PR analyses
   - Date, repository, PR number, files analyzed
   - Issue counts by severity
   - Click to view full analysis

2. **Security Trends Chart**:
   - Issues over time (day/week/month)
   - Breakdown by category (Injection, XSS, Auth, etc.)
   - Team's security improvement trajectory

3. **Top Repositories**:
   - Which repos have most issues
   - Average issues per PR
   - Last analyzed date

4. **Team Activity**:
   - PRs analyzed this month
   - Quota usage (if on Team/Enterprise plan)
   - Next quota reset date

### GitHub PR Timeline

All analyses are also visible in the PR timeline:
- Check runs (✓ or ⚠)
- Comments (detailed findings)
- Status badges

---

## Interpreting Security Findings

### How to Read a Finding

Each security issue includes:

1. **Title**: Vulnerability type + file location
   - Example: `SQL Injection in src/routes/users.js:45`

2. **Severity**: CVSS score + level
   - Example: `CRITICAL (CVSS 9.8)`

3. **Category**: OWASP Top 10 classification
   - Example: `OWASP A03:2021 - Injection`

4. **CWE Reference**: Common Weakness Enumeration ID
   - Example: `CWE-89 (SQL Injection)`

5. **Vulnerable Code**: Exact code snippet with line number
   ```javascript
   45: const query = "SELECT * FROM users WHERE id = " + req.query.id;
   ```

6. **Impact Explanation**: What attacker can do
   - "Attacker can extract all database records..."

7. **Fix Recommendation**: Specific code fix with example
   ```javascript
   // Use parameterized queries
   const query = "SELECT * FROM users WHERE id = ?";
   connection.query(query, [req.query.id], ...);
   ```

### Prioritizing Fixes

**Fix Order**:
1. 🔴 **CRITICAL** - Fix immediately (within 24 hours)
2. 🟠 **HIGH** - Fix in next sprint (within 1 week)
3. 🟡 **MEDIUM** - Plan for upcoming release (within 1 month)
4. 🔵 **LOW** - Backlog (address when convenient)

**Factors to Consider**:
- **Exploitability**: Can attacker easily trigger this?
- **Data Sensitivity**: Does this expose user data, credentials, PII?
- **Production Exposure**: Is this code already deployed?
- **Attack Surface**: Is this endpoint public or authenticated?

---

## Common Scenarios

### Scenario 1: Clean PR (No Issues)

**What Happens**:
- ✅ Check status: Green ✓ "All checks passed"
- ✅ Comment: "No security issues found. Great job!"
- ✅ Dashboard: Marked as "0 issues"

**PR Comment Example**:
```markdown
## ✅ CodeSlick Security Analysis - All Clear

**Analysis Summary**
- **Files Analyzed**: 3
- **Total Issues**: 0

No security vulnerabilities detected. Your code looks good!

**Files Checked**:
- `src/utils/helpers.js`
- `src/components/Button.tsx`
- `tests/unit/helpers.test.js`

---
**Analyzed by CodeSlick** | [View Dashboard](https://codeslick.com/teams/[id])

Scenario 2: PR with Minor Issues¶

What Happens: - ⚠ Check status: Yellow ⚠ "Issues found - review required" - 📝 Comment: Summary with 2-3 low/medium severity findings - 📊 Dashboard: Issues categorized and counted

Suggested Action: - Review findings - Fix before merging (optional for LOW severity) - Document accepted risks if won't fix

Scenario 3: PR with Critical Vulnerabilities¶

What Happens: - 🔴 Check status: Red ✗ "Critical issues found - do not merge" - 🚨 Comment: Prominent critical findings at top - 🔔 Dashboard: Flagged as high-priority

Required Actions: 1. Block merge - Do not approve PR until fixed 2. Fix immediately - Address critical issues ASAP 3. Re-analyze - Push fix, CodeSlick re-analyzes automatically 4. Verify fix - Confirm issue no longer appears

Scenario 4: False Positive¶

What Happens: - CodeSlick flags code as vulnerable, but you know it's safe (e.g., internal admin endpoint with additional security layers)

How to Handle: 1. Comment on PR: Explain why it's not a real issue

This SQL query is safe because:
- Only accessible to admin users (middleware check on line 12)
- Input is validated by Joi schema (line 34)
- Logs all queries for audit trail

Add Code Comment: Document security measures in code

// SQL injection safe: Input validated by adminSchema (line 34)
// and only accessible to authenticated admins
const query = "SELECT * FROM users WHERE id = " + validatedId;

Provide Feedback: Report false positives to CodeSlick support

Note: Err on the side of caution. Most "false positives" are actually real issues with incomplete security controls.

Scenario 5: Dependency Vulnerabilities¶

What Happens: - CodeSlick detects vulnerable npm/pip/Maven packages in package.json, requirements.txt, or pom.xml

PR Comment Example:

### 📦 Vulnerable Dependencies (3)

#### `lodash@4.17.20` (HIGH)
**Vulnerability**: Prototype Pollution
**CVE**: CVE-2021-23337
**Severity**: HIGH (CVSS 7.4)
**Fix**: Update to `lodash@4.17.21` or higher

How to Fix:

# npm (JavaScript/TypeScript)
npm update lodash

# pip (Python)
pip install --upgrade package-name

# Maven (Java)
# Update version in pom.xml to recommended version

Troubleshooting¶

Issue 1: No Analysis Comment Appears¶

Possible Causes: - ✗ GitHub App not installed on repository - ✗ Webhook not configured correctly - ✗ Repository not accessible to CodeSlick - ✗ No supported files in PR (.js, .ts, .py, .java) - ✗ Team quota exceeded (Free/Team plans)

Debug Steps: 1. Check GitHub App Installation: - Go to GitHub Settings → Applications → Installed GitHub Apps - Verify CodeSlick has access to your repository - If missing, reinstall GitHub App

Check Webhook Logs:
Go to GitHub Settings → Webhooks
Find CodeSlick webhook (https://codeslick.com/api/github/webhook)
Check "Recent Deliveries" for errors (red ✗)
Look for 200 status (success) or error codes (4xx/5xx)
Check Team Dashboard:
Navigate to /teams/[id]
Look for recent analyses
Check quota status (if usage is 100%, analysis is blocked)
Check PR Files:
CodeSlick only analyzes .js, .ts, .py, .java files
PRs with only .md, .json, .css files are skipped
Verify PR contains at least one supported file
Check Plan Status:
Free plan: 20 analyses/month (no team features)
Team plan: Unlimited analyses, 5 members
Verify plan is active (not expired/cancelled)

Issue 2: Analysis Takes Too Long¶

Expected Timeline: 10-15 seconds total Causes of Delay: - Large PRs (50+ files): 20-30 seconds - Complex dependency scans: +5-10 seconds - High server load: +5-10 seconds

Workarounds: - Split large PRs into smaller chunks - Remove unnecessary files (node_modules, build artifacts) - If analysis doesn't complete in 60 seconds, webhook times out (re-run check)

Issue 3: Check Status Stuck on "Pending"¶

Cause: Analysis job failed or timed out

Fix: 1. Go to PR checks section 2. Click "Re-run" on CodeSlick check 3. If issue persists, check team dashboard for error logs

Issue 4: Wrong Repository Analyzed¶

Cause: Multiple teams with same repository name (rare)

Fix: - Verify team settings point to correct GitHub organization - Check repository ID in webhook payload (GitHub Settings → Webhooks → Recent Deliveries)

Issue 5: Quota Exceeded Error¶

Error Message: "Team has exceeded monthly analysis quota"

Fix: - Free Plan: Wait until quota resets (monthly) - Team Plan: Quota resets automatically (unlimited analyses) - Upgrade: Consider upgrading to Team plan (€99/month)

Check Quota Status:

# Team dashboard shows:
# "15 / 20 analyses used this month"
# "Resets in 12 days"

Testing Checklist¶

Use this checklist to validate CodeSlick PR analysis:

Pre-Testing¶

GitHub App installed on target repository
Team created and linked to GitHub organization
Webhook active (GitHub Settings → Webhooks shows green ✓)
Plan active with available quota

Create Test PR¶

Branch created with test code
At least one .js, .ts, .py, or .java file included
Intentional vulnerabilities added (SQL injection, XSS, etc.)
PR opened on GitHub

Verify Analysis¶

Webhook received (GitHub Webhooks → Recent Deliveries shows 200)
Check status appears (✓ or ⚠)
PR comment posted within 15 seconds
Comment includes severity breakdown
Comment shows vulnerable code snippets
Comment provides fix recommendations

Verify Results¶

Findings match expected vulnerabilities
Severity levels are accurate (CRITICAL, HIGH, etc.)
OWASP categories are mapped correctly
CWE references are included
Fix suggestions are actionable

Verify Dashboard¶

Analysis appears in team dashboard "Recent Analyses"
File count matches PR
Issue counts match comment
Click through to PR works (link to GitHub)

Test Fix Flow¶

Push fix to PR branch
CodeSlick re-analyzes automatically (new webhook)
New comment or updated check status
Issue count decreases (if fix resolves issues)
Dashboard shows updated analysis

Edge Cases¶

Test PR with no supported files (.md only) - should skip analysis
Test PR with 50+ files - should complete within 30 seconds
Test PR with no issues - should show "All clear" comment
Test PR with mixed severities - should prioritize correctly

Cleanup¶

Close test PR
Delete test branch
Document any issues found during testing

Support and Feedback¶

Questions? - Email: support@codeslick.com - Documentation: https://codeslick.com/docs - GitHub Issues: https://github.com/codeslick/codeslick/issues

Found a Bug? - Report via GitHub Issues or support email - Include PR URL, team ID, and error message

Feature Requests? - We'd love to hear your ideas! - Email feature requests to product@codeslick.com

Next Steps¶

After successfully testing your first PR:

Roll Out to Team: Enable CodeSlick on all repositories
Set Up Notifications: Configure GitHub notifications for CodeSlick comments
Establish Workflow: Define team process for handling findings (e.g., "Fix CRITICAL before merge")
Track Metrics: Monitor team dashboard for security trends
Upgrade Plan: Consider Team/Enterprise plan for unlimited analyses and more features

Happy Secure Coding! 🔒