Security Reviewer comments inline on PRs for vulnerabilities, auth regressions, privacy issues, prompt injection, and risky tool auto-approvals. Vulnerability Scanner runs scheduled scans for known CVEs, outdated dependencies, and config problems, with Slack delivery available. Admins can customize triggers, instructions, tooling, and outputs.
This pushes security left without forcing every reviewer to become a security specialist. It should reduce blind spots in fast-moving teams and make recurring checks much easier to keep up with. The main cost is that it draws from Cursor’s usage pool, so teams will want to scope it intentionally.
Admins can enable Security Review from the Cursor dashboard. From there, set the triggers, tune the instructions, and connect Slack if you want findings routed automatically. If your stack already has SAST/SCA/secrets tooling, you can plug it in through MCP servers.