ChromaDB + RAG
Security References
CodeCritic uses a ChromaDB RAG pipeline to ground AI suggestions in real security standards. Our in-depth reviews retrieve relevant CWE and OWASP entries from a vector store, so every vulnerability finding is backed by authoritative references.
How RAG Works
- Classify risks — The LLM reads your code diff and identifies security risk types (e.g., SQL injection, weak auth).
- Query ChromaDB — That risk summary is used to retrieve the top 10 semantically relevant CWE/OWASP entries from the vector store.
- Generate grounded suggestions — The LLM produces fixes using only the retrieved references, citing real CWE IDs and OWASP categories.
- Validate citations — Every cited CWE ID is checked against ChromaDB. Invalid citations trigger a retry to prevent hallucination.
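The citation-validation step described above, written out as an added example that is not CodeCritic's own code: an in-memory stub (labelled as constructed) stands in for the ChromaDB collection lookup, the `fake_llm` function stands in for the model, and the retry cap is an assumption.

```python
import re
from typing import Callable, Dict, List, Sequence

CWE_ID_RE = re.compile(r"\bCWE-(\d{1,5})\b")

# Constructed stand-in for a ChromaDB collection: the set of CWE IDs the store
# actually holds. In a real pipeline this lookup would be collection.get(ids=[...]);
# the stub below only mimics the shape of that result (assumption for the example).
KNOWN_CWE_IDS = {"CWE-79", "CWE-89", "CWE-287", "CWE-798"}

def chroma_get_stub(ids: Sequence[str]) -> Dict[str, List[str]]:
    """Return only the requested IDs that exist in the (stubbed) store."""
    return {"ids": [i for i in ids if i in KNOWN_CWE_IDS]}

def extract_cwe_ids(text: str) -> List[str]:
    """Pull every CWE-NNN citation out of a model response, normalised and de-duplicated."""
    seen: List[str] = []
    for num in CWE_ID_RE.findall(text):
        cid = f"CWE-{int(num)}"  # CWE-0089 and CWE-89 are the same entry
        if cid not in seen:
            seen.append(cid)
    return seen

def invalid_citations(text: str, get_fn: Callable[[Sequence[str]], Dict[str, List[str]]]) -> List[str]:
    """Cited CWE IDs the store does not contain, i.e. hallucinated or mistyped references."""
    cited = extract_cwe_ids(text)
    if not cited:
        return []
    found = set(get_fn(cited)["ids"])
    return [c for c in cited if c not in found]

def generate_with_validation(generate_fn, get_fn, max_attempts: int = 3):
    """Call generate_fn(feedback) until every citation resolves or attempts run out.
    feedback carries the rejected IDs so the retry prompt can name them.
    Returns (response, invalid_ids); a non-empty list means validation gave up."""
    feedback: List[str] = []
    response = ""
    for _ in range(max_attempts):
        response = generate_fn(feedback)
        feedback = invalid_citations(response, get_fn)
        if not feedback:
            return response, []
    return response, feedback

# Constructed model stand-in: the first answer cites an ID absent from the store,
# the retry (which receives the rejected IDs) cites only IDs the store holds.
def fake_llm(feedback: List[str]) -> str:
    if not feedback:
        return "Use parameterised queries (CWE-89). See CWE-9999 for logging."
    return "Use parameterised queries (CWE-89). Avoid hard-coded credentials (CWE-798)."
```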
CWE — Common Weakness Enumeration
A MITRE-maintained catalog of software weakness types.
OWASP Top 10
The most critical web application security risks. Each category groups related CWEs.