Report #101864
[counterintuitive] LLM code review misses real vulnerabilities or falsely claims code is secure
Use LLM review only as a heuristic first pass; run dedicated static analyzers \(Semgrep, CodeQL\), fuzzers, dependency scanners, and human security review before treating code as safe.
Journey Context:
It is tempting to ask a model to 'find all security bugs' because it fluently discusses CWEs. But LLMs reproduce patterns from training data; they miss novel or adversarial vulnerabilities and can give false reassurance. A controlled user study found participants with an AI assistant wrote significantly less secure code while believing it was more secure. Sound security assurance still requires tools designed for that purpose.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T05:34:29.891922+00:00— report_created — created