All posts

AI code security

What security vulnerabilities does AI-generated code have?

AI coding tools don't produce random bugs — they produce the same handful of vulnerability classes, repeatedly, across completely unrelated codebases.

Last updated

General-purpose security scanners are built to catch a broad spectrum of bugs. AI-generated code has a narrower, more predictable failure surface — because the models making the mistakes are the same models, making the same tradeoffs, every time they’re asked to move fast.

Hardcoded credentials

AI tools frequently embed real-looking credentials directly in generated files — especially database migrations, seed scripts, and config files — instead of reading them from environment variables. password='password123' in a migration file is a common real-world finding, not a hypothetical.

Wondering if your code has any of this? Scan a public repo free, no account needed.

Scan a repo →

Injection from string concatenation

Parameterized queries take more tokens to write than string concatenation, and models optimizing for a fast, working response will reach for "WHERE user='" + username + "'" even in a codebase that uses parameterized queries everywhere else.

Missing access control on generated routes

AI tools are excellent at scaffolding working CRUD endpoints and frequently forget the authentication check entirely — or check that a user is logged in without checking that they own the resource they’re requesting (BOLA).

Fallback secrets

process.env.JWT_SECRET || 'dev-secret' works perfectly in local development and becomes a public, predictable production secret the moment someone deploys without setting the environment variable.

Timing-unsafe comparisons

AI tools often generate signature === computed instead of a constant-time comparison for webhook verification — a subtle authentication bypass vector that’s easy to miss in code review because it looks correct.

Why this matters more than it sounds like it should

Each of these issues individually looks minor in a diff. The risk is volume: a codebase with dozens of AI-generated files accumulates dozens of these small, repeatable mistakes, and most teams aren’t reviewing AI output any more carefully than human output — often less.

Prbl scans the AI-generated parts of your codebase for exactly the kinds of issues above.

Find what AI missed — free
What Security Vulnerabilities Does AI-Generated Code Have? — Prbl