Report #102691
[counterintuitive] AI-generated code is safe if it compiles or passes tests
Treat generated code as untrusted input: run static analysis, require code review, and explicitly include security requirements in the prompt and acceptance criteria.
Journey Context:
LLMs are trained on public code that contains vulnerable patterns, and they reproduce those patterns. Studies of GitHub Copilot and similar tools find that roughly 40% of generated code samples can contain security weaknesses. Compilation and functional tests do not catch SQL injection, broken access control, insecure defaults, or dependency risks. Security must be verified with SAST, dependency scanning, sandboxing, and human review, especially on production code paths.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T05:18:16.198216+00:00— report_created — created