AI Coding Assistants and Security Vulnerabilities: What GitHub Copilot, Claude, and Gemini Introduce

Stanford research found Copilot-generated code was vulnerable roughly 40% of the time for security-sensitive tasks

40%
Approximate vulnerability rate in security-sensitive Copilot code (Stanford research)
10,000+
Glasswing findings in production code, including AI-assisted codebases
2,100+
Patches generated by Claude Security public beta

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

AI coding assistants have become standard tooling in software development. GitHub Copilot alone reported over 1.8 million paid subscribers by late 2024, and the category has expanded to include Claude (via API and Claude Code), Google Gemini Code Assist, Amazon CodeWhisperer, Tabnine, and others. These tools generate suggestions that span from single-line completions to entire function implementations, and many organizations have integrated them into their standard development workflows. The productivity claims are real: GitHub's own research suggested Copilot users completed tasks 55% faster. What is less widely discussed is the security implication of that acceleration. AI coding tools generate code at machine speed from training data that includes millions of lines of vulnerable open source code. The result, documented in the Stanford Pearce et al. study and confirmed by subsequent research, is a measurable rate of vulnerability introduction in security-sensitive code. This is not an argument against using AI coding tools. It is an argument for using them with the same discipline that any powerful tool requires: knowing their failure modes, building review processes that catch those failures, and reserving human judgment for the categories of code where AI consistently underperforms. Project Glasswing provides an additional data point: Claude Mythos found 10,000+ findings in production codebases that include AI-assisted code, and the Claude Security public beta has generated 2,100+ patches for vulnerabilities in real applications. AI is both introducing and finding the same class of bugs.

AI Coding Tool Adoption at Scale

The scale of AI coding tool adoption means that the security implications are no longer theoretical. GitHub Copilot, the market leader, reported over 1.8 million paid subscribers in its 2024 annual report, with enterprise adoption accelerating. JetBrains' Developer Ecosystem Survey found that approximately 70% of professional developers used some form of AI coding assistance by mid-2025. When developers collectively complete tasks 55% faster using AI tools, the volume of code being produced increases proportionally. More code means more potential vulnerability surface. The challenge for application security teams is that this increased code volume is not matched by a proportional increase in security review capacity. Most organizations have not scaled their security review headcount or tooling to match the code output enabled by AI coding tools. The gap between code production rate and security review capacity is where vulnerabilities accumulate. The categories of code most at risk are precisely those that require the most security expertise to review correctly: input validation logic, database query construction, file system interactions, authentication and session management, and cryptographic operations. These are also the categories where AI tools most frequently produce subtly incorrect output.

The Research on Vulnerability Rates: Stanford and Pearce et al.

The foundational academic research on AI coding assistant security vulnerabilities is the study 'Asleep at the Keyboard? Assessing the Security of GitHub Copilot's Code Contributions' by Pearce et al., published as an arXiv preprint in 2021 and subsequently refined. The study evaluated Copilot's code completions across 89 different security-relevant programming scenarios spanning 18 different CWE vulnerability classes. The finding: approximately 40% of Copilot's completions for security-relevant tasks contained vulnerabilities. The study controlled for task type, finding that general-purpose code had lower vulnerability rates while code that handled authentication, input validation, and file system operations had significantly higher rates. Subsequent research has broadly replicated the finding that AI coding tools introduce vulnerabilities at higher rates in security-sensitive contexts than in general-purpose contexts. A 2023 study by Sandoval et al. examined whether developers using AI coding tools were more likely to write vulnerable code and found that AI-assisted developers were not meaningfully more secure than those writing code manually, suggesting the tools do not provide net security benefit even as they provide productivity benefit. The practical implication for security teams is not that AI coding tools should be banned but that they require a compensating security review process calibrated to the vulnerability classes these tools introduce most frequently.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Which Vulnerability Classes AI Tools Introduce Most Often

The Pearce et al. study and subsequent research consistently identify the same vulnerability categories in AI-generated code. Understanding which classes appear most frequently allows security teams to focus their review effort where it matters most. SQL Injection: AI tools frequently construct database queries by string concatenation rather than parameterized queries or prepared statements. This is because the training data contains enormous quantities of legacy code that uses string construction. The resulting code looks functionally correct but is trivially injectable. Cross-Site Scripting (XSS): AI-generated UI code frequently renders user-controlled data into HTML without proper escaping, particularly when generating template code or React JSX. Path Traversal: File system operations generated by AI tools frequently fail to sanitize user-provided file paths, enabling attackers to read or write arbitrary files. Hardcoded Credentials and Secrets: AI tools sometimes suggest example code that includes placeholder credentials that developers inadvertently deploy, or generate code that embeds API keys from training data. Improper Input Validation: AI-generated validation logic frequently misses edge cases, off-by-one conditions, or character encoding variations that allow bypass. Insecure Deserialization: Code that deserializes user-controlled data is frequently generated without the object type restrictions that prevent deserialization exploits. Missing Access Control Checks: AI tools that generate CRUD operations frequently omit authorization checks, implementing the data operation correctly but failing to verify that the requesting user has permission to perform it.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Why AI Tools Struggle with Security Context

Understanding why AI coding tools introduce security vulnerabilities helps in designing effective mitigations. Three structural limitations drive most of the observed failure modes. Training data reflects historical vulnerability rates: AI coding tools are trained on publicly available code from GitHub, Stack Overflow, and other sources. That code includes decades of vulnerable patterns: the pre-parameterized-query era of database code, the pre-Content-Security-Policy era of web code, and countless examples of code written before modern security practices were standard. The model learns to produce code that looks like the training data, including its security characteristics. Context window limitations create security blindness: AI coding tools operate on a local context window of the code immediately surrounding the completion point. They do not have access to the full application's security architecture, the threat model for the feature being built, or the security requirements for the specific function. A completion that is correct in isolation may be incorrect in context: a SQL query builder that is safe when called with trusted data is dangerous when the calling code passes attacker-controlled input. Lack of security-specific reasoning: Current AI coding tools do not model attacker behavior, threat models, or the distinction between trusted and untrusted data. When generating code that handles input, the model does not ask 'who controls this data and what could they do with it?' It asks 'what code pattern fits this context?' Those are fundamentally different questions with different answers.

The model learns to produce code that looks like the training data, including its security characteristics. Decades of vulnerable patterns are in the corpus.

Structural limitation of AI coding tools trained on historical codebases

Secure Prompting Practices for Developers

The quality of AI-generated code can be improved by prompting with explicit security context. This is not a complete solution, but it reduces the frequency of the most common vulnerability classes. Several prompting practices make a measurable difference. Specify security constraints explicitly in the prompt: instead of 'write a function to query the user table by email,' prompt with 'write a parameterized query function to look up a user by email, using prepared statements to prevent SQL injection, with appropriate input validation for email format.' The additional context shifts the model toward secure patterns. Request explicit threat modeling as part of the completion: 'write a file download endpoint that handles user-provided filenames. Consider path traversal risks and validate that the resolved path is within the allowed directory before reading the file.' Ask the model to enumerate its security assumptions: 'what security assumptions does this code make about the input it receives?' This often reveals cases where the model has assumed trusted input for a function that will receive attacker-controlled data. Use role priming for security-sensitive tasks: 'you are a security engineer reviewing this function for OWASP Top Ten vulnerabilities. Generate the implementation and immediately critique it for the security issues you would flag in a code review.' These techniques reduce vulnerability rates but do not eliminate them. Secure prompting is a supplement to, not a replacement for, SAST tooling and security code review.

Mandatory Review Gates for Security-Sensitive Code

Secure prompting reduces risk; process gates manage residual risk. A mandatory review gate is a defined checkpoint that AI-generated code must pass before it can be merged into a main branch. Effective review gates are implemented as enforced policies, not suggestions. Three gates are most effective. Gate 1, Automated SAST Scan: Every pull request containing AI-generated code (identified by commit metadata or developer tagging) runs a SAST scan before CI passes. Failed SAST checks block the merge. This is fully automatable and catches the deterministic vulnerability classes: SQL injection, path traversal, XSS, hardcoded secrets. Gate 2, Security-Aware Peer Review: Security-sensitive functions (those that handle authentication, authorization, file system operations, database queries, or external input) require review sign-off from a developer who has completed application security training, not just any peer reviewer. This is an organizational policy enforced through GitHub branch protection rules or equivalent. Gate 3, Security Engineer Review for High-Risk Areas: Code in authentication, cryptographic, and payment processing modules requires security engineer review regardless of whether it was AI-generated. AI-generated code in these areas receives no special exception from the standard high-risk review requirement; it simply triggers the same review process that applies to all code in those modules.

SAST Integration in AI-Assisted Development Workflows

Static Application Security Testing (SAST) tools are the most effective automated mitigation for the vulnerability classes AI coding tools introduce most frequently. The three tools with the strongest coverage of AI-introduced vulnerability classes are Semgrep, CodeQL, and Snyk Code. Semgrep is a fast, rules-based SAST tool with a large library of community-maintained rules covering OWASP Top Ten vulnerability classes in most major languages. It can be run locally as a pre-commit hook and in CI as a PR check. Semgrep's speed makes it practical as a blocking check without significantly slowing development. CodeQL is GitHub's semantic analysis engine that understands data flows through a program, not just pattern matching. It is particularly effective at finding taint-flow vulnerabilities: SQL injection and XSS where user-controlled data flows from an input point to a vulnerable function through multiple intermediate steps. CodeQL analysis is slower than Semgrep but catches vulnerability chains that pattern matching misses. Snyk Code combines pattern analysis with data-flow analysis and integrates directly into the IDE, providing inline feedback as the developer writes code rather than only at PR time. IDE integration changes the feedback loop: a developer sees the security issue immediately after the AI suggestion rather than discovering it during code review. Effective SAST integration in an AI-assisted workflow runs Semgrep as a pre-commit hook (fast, catches clear-cut patterns), CodeQL in CI (thorough, catches data flow issues), and Snyk Code in the IDE (immediate feedback during writing).

Areas to Avoid AI Code Generation: Crypto, Auth, and Access Control

The risk of AI-generated code is not uniform. For some categories of code, the risk is high enough and the cost of failure severe enough that AI code generation should be avoided in favor of established, audited libraries. Cryptographic operations are the clearest case. Correct cryptography requires precise implementation of algorithms with well-understood properties, correct key derivation, secure random number generation, and timing-safe comparison. AI tools frequently generate cryptographic code that uses deprecated algorithms, incorrect key lengths, predictable random seeds, or constant-time comparison implementations that are not actually constant-time. Use established libraries: libsodium, Bouncy Castle, the Web Crypto API. Do not generate cryptographic primitives with AI. Authentication logic is similarly high-risk. AI tools generate authentication code that omits rate limiting, uses incorrect session invalidation logic, or mishandles timing-safe comparison for credentials. Use Passport.js, Spring Security, Devise, or your framework's native authentication system. Authorization and access control logic is a third area where AI underperforms. AI tools generate the operation (query the database, update the record) but frequently omit or incorrectly implement the authorization check that should precede it. In RBAC systems, AI tools generate permission checks that are syntactically correct but logically flawed, verifying that the user has a role rather than that the role has the specific permission required for the specific operation. Manual review by a security engineer is required for all authorization logic.

Use AI to move faster on the 80% of code where mistakes are recoverable. Reserve human judgment for the 20% where mistakes create security incidents.

Principle for AI-assisted secure development

The Irony: AI Finding What AI Introduced

There is a notable symmetry in the current state of AI and application security. The same generation of AI systems that introduces vulnerabilities through coding assistants is also finding those vulnerabilities through security scanning tools. Claude Mythos, the AI system powering Project Glasswing, has generated 10,000+ findings in production codebases. The Claude Security public beta generated over 2,100 patches for real application vulnerabilities. Some of those findings are in code that was itself generated by AI coding assistants. This creates a feedback loop with practical implications for application security teams: AI-generated code, deployed to production, may be found and exploited by AI-powered attackers before the organization's own AI security scanning has identified it. The time from vulnerability introduction to exploit development is compressing. A vulnerability introduced by Copilot in January and deployed to production in February may be identified and exploited by an AI-powered attacker in March, before the organization's quarterly SAST scan has run. The implication is not to stop using AI coding tools. It is to implement continuous security scanning, not periodic, with gates that catch AI-introduced vulnerabilities before they reach production rather than after.

AI Coding Security Review Checklist and SAST Configuration Guide

The complete AI coding security review checklist, SAST tool configuration guides for Semgrep, CodeQL, and Snyk Code, and branch protection policy templates for enforcing review gates are available in the Mythos Brief. The Brief also includes a function-level security classification guide that helps developers identify which functions require security engineer review versus peer review, and a secure prompting reference card for the most common security-sensitive task types.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

AI coding assistants provide real productivity benefits, and they introduce real security vulnerabilities at measurable rates. The Stanford research finding of approximately 40% vulnerability rate in security-sensitive Copilot code is not a reason to stop using AI coding tools. It is a reason to implement the review processes that human-written code also requires, calibrated to the specific vulnerability classes AI tools introduce most consistently. SAST gates catch the deterministic patterns. Security-aware peer review catches the contextual failures. Human expert review for authentication, cryptographic, and access control code catches the subtle logic errors that automated tools miss. The AI coding security review checklist, SAST configuration guides, and branch protection templates are in the Mythos Brief, available free at decryptiondigest.com/mythos-brief.

Frequently asked questions

Does GitHub Copilot introduce security vulnerabilities?

Yes, research confirms that GitHub Copilot introduces security vulnerabilities at a measurable rate, particularly for security-sensitive coding tasks. The Stanford study by Pearce et al. found that approximately 40% of Copilot completions for security-relevant functions contained vulnerabilities. The most commonly introduced vulnerability classes include SQL injection, path traversal, XSS, and hardcoded secrets. This does not mean Copilot is net-negative for security: it can also suggest correct security patterns and reduce developer fatigue. The risk is that developers treat Copilot suggestions as vetted code rather than as a starting point requiring security review.

Which AI coding tool is most secure?

No independent systematic comparison of vulnerability introduction rates across all major AI coding tools (Copilot, Claude, Gemini Code Assist, CodeWhisperer) has been published as of mid-2026. The Stanford Pearce et al. research focused on Copilot specifically. All current AI coding tools are trained on large corpora of code from public repositories, which contain vulnerable code patterns, and all share the same fundamental limitation: they do not have deep semantic understanding of the security context in which a function will be deployed. The practical answer is that the safety of any AI coding tool is determined more by the review processes around it than by the tool itself.

What percentage of AI-generated code is vulnerable?

The answer depends heavily on the task type. For general-purpose code generation (sorting algorithms, data transformations, UI components), AI tools perform comparably to human developers. For security-sensitive tasks, the vulnerability rate is significantly higher. The Pearce et al. study found approximately 40% vulnerability rate for Copilot on security-relevant tasks. Subsequent research has found similar rates for other models in security-sensitive contexts. The key variable is whether the generated code handles attacker-controlled input, manages authentication or authorization state, performs cryptographic operations, or processes file system paths.

Should I use AI to write authentication code?

No. Authentication and authorization code is among the highest-risk areas for AI code generation. AI tools tend to implement authentication logic that looks correct but contains subtle flaws: off-by-one errors in token expiry checks, missing rate limiting on login endpoints, incorrect comparison semantics for timing-safe credential comparison, and improper session invalidation on logout. These are exactly the classes of errors that require deep security expertise to catch and that automated testing rarely surfaces. Use established, audited authentication libraries (Passport.js, Spring Security, Devise) rather than AI-generated authentication code.

How do I review AI-generated code for security issues?

A practical AI-generated code review process has four components. First, run SAST (Static Application Security Testing) tools like Semgrep, CodeQL, or Snyk Code against all AI-generated code before merge. Second, manually review any function that handles untrusted input, performs file system operations, constructs database queries, or manages authentication state. Third, use a structured checklist aligned to the OWASP Top Ten and CWE Top 25 when reviewing security-sensitive functions. Fourth, require security engineer sign-off (not just developer peer review) for any AI-generated code in authentication, authorization, cryptographic, or data validation layers.

What SAST rules most reliably catch the vulnerability classes AI coding tools introduce?

The most effective Semgrep rule sets for AI-introduced vulnerabilities are the OWASP Top Ten ruleset for Python and JavaScript, the r2c audit rules for SQL injection taint flows, and the secrets ruleset that catches hardcoded credential patterns AI tools inherit from training data. For CodeQL, the javascript/sql-injection and python/sql-injection query packs catch parameterized query failures, and the javascript/reflected-xss pack covers unescaped rendering in JSX templates. Snyk Code's interfile data flow analysis is especially effective at catching access control omissions in AI-generated CRUD endpoints where the data operation is present but the permission check is missing. A layered configuration running Semgrep as a fast pre-commit gate and CodeQL as a thorough CI scan catches the majority of the deterministic patterns without requiring manual review of every AI suggestion.

Sources & references

  1. Pearce et al. — Asleep at the Keyboard? Copilot Vulnerability Study
  2. Anthropic Project Glasswing 90-Day Report
  3. GitHub Copilot Security Documentation
  4. OWASP Top Ten 2021
  5. NIST Secure Software Development Framework (SSDF)
  6. SANS CWE Top 25 Most Dangerous Software Weaknesses

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.