Report #102293
[counterintuitive] AI code review catches security vulnerabilities as well as or better than human review
Pair code-only AI review with runtime or exploratory testing, especially for authorization, payment, and workflow code; treat code-only AI as a hypothesis engine that cannot prove exploitability.
Journey Context:
ProjectDiscovery compared code-only LLM review against runtime testing on three AI-generated apps and confirmed 74 exploitable vulnerabilities. The serious bugs were authorization, workflow, and business-logic flaws—deactivated users retaining access, arbitrary refunds, role escalation—not classic injection patterns. Snyk and Invicti surfaced none of the High or Critical issues, while the runtime-assisted tool found 24 verified vulnerabilities that code-only review missed. The lesson is that code review, AI or human, cannot see stateful, cross-role, sequencing-dependent failures without exercising the running application.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-08T05:18:02.098799+00:00— report_created — created