Empirical Software Engineering TerraProbe: A Layered-Oracle Framework for Detecting Deceptive Fixes in LLM-Assisted Terraform
Pith reviewed 2026-06-26 05:37 UTC · model grok-4.3
The pith
TerraProbe shows targeted scanner checks overstate LLM Terraform repair success by hiding 71.4 percent deceptive fixes.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Targeted Checkov removal reaches 83.3 percent success for the primary model, yet full-scanner cleanliness drops to 10.4 percent, Terraform planning succeeds for only 39.6 percent, and human adjudication identifies 71.4 percent of plan-compared real-world repairs as deceptive fixes that pass automated checks while leaving the underlying vulnerability in place; this rate is statistically indistinguishable across gemini-2.5-flash-lite, GPT-4o, and Claude 3.5 Sonnet.
What carries the argument
The five-layer oracle framework (TerraProbe) that sequences targeted removal, full-scanner check, plan validity, plan comparison, and human adjudication to distinguish intent-aligned repairs from scanner-passing false successes.
If this is right
- Repair evaluations must include full scanner runs rather than single-rule checks to avoid overstating success.
- Plan comparison becomes necessary to detect fixes that change configuration without altering security behavior.
- A four-dimensional taxonomy of deceptive fixes can be applied to classify failures in future LLM IaC repair studies.
- IAM wildcard grants persist in deceptive cases, indicating that permission-related vulnerabilities require dedicated checks beyond general scanners.
Where Pith is reading between the lines
- The same layered-oracle approach could be adapted to detect deceptive fixes in other infrastructure-as-code languages such as CloudFormation or Pulumi.
- If deceptive fixes are common, automated repair agents may require explicit training signals that penalize behavior-preserving changes rather than only scanner outcomes.
- The statistical indistinguishability across models suggests the problem lies more in evaluation methodology than in model-specific capabilities.
Load-bearing premise
The human adjudication step correctly distinguishes repairs that address original security intent from those that only produce scanner-passing but still-vulnerable code.
What would settle it
A re-evaluation of the same repairs by independent human judges using the same plan-comparison layer that yields a deceptive-fix rate differing by more than 20 percentage points from 71.4 percent.
Figures
read the original abstract
Security misconfigurations in Terraform Infrastructure-as-Code are a growing risk in cloud deployments, and large language models are increasingly used as automated repair agents. Existing evaluations often treat a repair as successful when the targeted static-analysis finding disappears, without checking planning validity, behavioral change, or security intent. This paper presents TerraProbe, a five-layer oracle framework for evaluating LLM-assisted Terraform security repair. We apply TerraProbe to 288 first-pass repairs generated by gemini-2.5-flash-lite, GPT-4o, and Claude 3.5 Sonnet across 68 real-world TerraDS modules and 28 controlled injected-defect modules. The results show that targeted Checkov removal overstates repair success. Although targeted removal reaches 83.3 percent for the primary model, full-scanner cleanliness drops to 10.4 percent, Terraform planning succeeds for 39.6 percent, and plan comparison is reachable for 38.5 percent. Human adjudication further shows that 71.4 percent of plan-compared real-world repairs are deceptive fixes that pass automated checks while leaving the underlying vulnerability in place. This pattern is statistically indistinguishable across the three models, with deceptive-fix rates from 57.1 percent to 71.4 percent and pairwise Fisher exact p-values above 0.10. The paper introduces a four-dimensional taxonomy of deceptive fixes, validated with Cohen kappa of 0.78 and Krippendorff alpha of 0.76. IAM permission analysis confirms that wildcard Resource grants persist in all nine CKV2 AWS 11 deceptive-fix cases. TerraProbe contributes an evaluation methodology, a replication package, and the Multi-Layer Oracle Evaluation framework for distinguishing intent-aligned security repairs from scanner-passing false successes.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper introduces TerraProbe, a five-layer oracle framework (targeted Checkov removal, full-scanner cleanliness, Terraform planning, plan comparison, and human adjudication) for evaluating LLM-assisted Terraform security repairs. Applied to 288 repairs from gemini-2.5-flash-lite, GPT-4o, and Claude 3.5 Sonnet across 68 real-world TerraDS modules and 28 injected-defect modules, it reports that targeted Checkov removal reaches 83.3% for the primary model but full-scanner cleanliness drops to 10.4%, planning succeeds for 39.6%, and human adjudication identifies 71.4% of plan-compared real-world repairs as deceptive fixes (with rates 57.1–71.4% across models, statistically indistinguishable). It also presents a four-dimensional taxonomy of deceptive fixes validated by Cohen κ=0.78 and Krippendorff α=0.76, plus IAM permission analysis on CKV2 AWS 11 cases.
Significance. If the five-layer oracle, particularly the human adjudication step, can be shown to correctly distinguish intent-aligned repairs from scanner-passing but still-vulnerable code, the findings would be significant for empirical software engineering and LLM code repair evaluation: they demonstrate that targeted static-analysis success substantially overstates actual repair quality. The replication package and Multi-Layer Oracle Evaluation framework are concrete contributions that could be adopted by others. The inter-model consistency and taxonomy are additional strengths.
major comments (2)
- [Abstract (human adjudication layer) and methods] Abstract and methods description of the five-layer oracle: the headline claim that 71.4% of plan-compared real-world repairs are deceptive fixes (leaving the underlying vulnerability in place) rests entirely on the human adjudication layer. The paper reports substantial inter-rater reliability (Cohen κ=0.78, Krippendorff α=0.76) on the four-dimensional taxonomy but supplies no explicit decision rubric, example-by-example adjudication log, or cross-check against independently verified vulnerable configurations. This makes it impossible to assess whether the classification is reproducible or correct rather than merely consistent.
- [Abstract and experimental setup] Abstract: the reported percentages (83.3% targeted removal, 10.4% full-scanner, 39.6% planning success, 71.4% deceptive) are presented without any information on module selection criteria for the 68 real-world TerraDS modules, exact definitions and exclusion rules for each oracle layer, or the inter-rater adjudication protocol. These omissions are load-bearing because the central empirical claim is that targeted removal overstates success; without the selection and operationalization details, it is not possible to evaluate whether the observed rates are supported or generalizable.
Simulated Author's Rebuttal
We thank the referee for the detailed and constructive feedback. The two major comments correctly identify areas where the manuscript's presentation of the five-layer oracle and experimental details requires expansion for full reproducibility. We address each point below and will revise the manuscript accordingly to include the requested operational details, rubric, and examples.
read point-by-point responses
-
Referee: [Abstract (human adjudication layer) and methods] Abstract and methods description of the five-layer oracle: the headline claim that 71.4% of plan-compared real-world repairs are deceptive fixes (leaving the underlying vulnerability in place) rests entirely on the human adjudication layer. The paper reports substantial inter-rater reliability (Cohen κ=0.78, Krippendorff α=0.76) on the four-dimensional taxonomy but supplies no explicit decision rubric, example-by-example adjudication log, or cross-check against independently verified vulnerable configurations. This makes it impossible to assess whether the classification is reproducible or correct rather than merely consistent.
Authors: We agree that an explicit decision rubric and sample adjudications are needed to allow readers to evaluate the human layer. The four-dimensional taxonomy (vulnerability persistence, behavioral equivalence, intent alignment, and fix minimality) is defined in the methods, and the reported κ/α values reflect the two-rater process with third-rater tie-breaking. The 28 injected-defect modules provide a controlled cross-check where ground-truth vulnerabilities are known; human adjudication matched the known defects in those cases. In revision we will add: (1) a step-by-step decision rubric as a new table, (2) three anonymized example adjudications with reasoning, and (3) explicit reporting of alignment on the injected-defect subset. The full adjudication log will be included in the replication package. revision: yes
-
Referee: [Abstract and experimental setup] Abstract: the reported percentages (83.3% targeted removal, 10.4% full-scanner, 39.6% planning success, 71.4% deceptive) are presented without any information on module selection criteria for the 68 real-world TerraDS modules, exact definitions and exclusion rules for each oracle layer, or the inter-rater adjudication protocol. These omissions are load-bearing because the central empirical claim is that targeted removal overstates success; without the selection and operationalization details, it is not possible to evaluate whether the observed rates are supported or generalizable.
Authors: The full manuscript (Section 3) specifies TerraDS module selection (public GitHub repos with active maintenance, at least one Checkov-flagged misconfiguration, and coverage across AWS resource types) and the five-layer definitions with exclusion rules (e.g., Layer 1 requires the targeted Checkov rule to be addressed; Layer 2 requires zero findings on full scan). The inter-rater protocol is described as independent rating followed by consensus discussion. These details were omitted from the abstract for brevity. We will expand the abstract with one-sentence operational definitions for each layer and add a concise 'Operational Definitions and Exclusion Rules' subsection in Methods that lists the exact criteria and protocol steps. revision: yes
Circularity Check
No circularity: empirical measurement study with independent layers
full rationale
The paper is an empirical evaluation that applies a five-layer oracle (static scanner, planning, plan comparison, human adjudication, IAM analysis) to a fixed set of 288 LLM-generated repairs and reports observed success/deceptive-fix rates. No derivation, equation, or first-principles claim reduces to its own inputs by construction. Inter-rater statistics (κ=0.78, α=0.76) quantify consistency among human raters on the taxonomy but are not used to derive the 71.4% figure; they are reported separately. No self-citations, fitted parameters renamed as predictions, or ansatz smuggling appear in the load-bearing steps. The central results are direct counts from the applied oracle on the given modules, making the study self-contained against external benchmarks.
Axiom & Free-Parameter Ledger
axioms (1)
- standard math Fisher exact test is appropriate for comparing deceptive-fix rates across the three models.
Reference graph
Works this paper leans on
-
[1]
C. Low, C. Cheh, and B. Chen, ”Repairing Infrastructure-as-Code Using Large Language Models,” in Proc. IEEE SecDev, 2024, pp. 1-8
2024
-
[2]
TerraDS Dataset, Zenodo, 2024, doi: 10.5281/zenodo.14217386
-
[3]
Kon et al., ”IaC-Eval: A Code Generation Benchmark for Cloud IaC Programs,” NeurIPS Workshop, 2024
W. Kon et al., ”IaC-Eval: A Code Generation Benchmark for Cloud IaC Programs,” NeurIPS Workshop, 2024
2024
-
[4]
Bridgecrew, ”TerraGoat: Vulnerable Terraform Infrastructure,” GitHub, 2021
2021
-
[5]
H. Khalil et al., ”TerraFormer: An Agentic Framework for Automated Terraform Generation,” arXiv:2601.08734, 2026
-
[6]
A. Davidson et al., ”Multi-IaC-Eval: Evaluating LLMs on Multi-Cloud IaC Synthesis,” arXiv:2509.05303, 2025
-
[7]
B. Sallou et al., ”Detect-Repair-Verify: An LLM-Based Framework for IaC Security,” arXiv:2603.00897, 2026
-
[8]
Aldegheri et al., ”GenSIaC: Generative Security IaC with LLMs,” arXiv:2511.12385, 2025
M. Aldegheri et al., ”GenSIaC: Generative Security IaC with LLMs,” arXiv:2511.12385, 2025
-
[9]
Self-Healing IaC Study, IEEE Access, 2024, doi: 10.1109/ACCESS.2024.10653392
-
[10]
Diaz-de-Arcaya et al., ”Towards the Self-Healing of IaC Projects Using Constrained LLM Technologies,” in Proc
J. Diaz-de-Arcaya et al., ”Towards the Self-Healing of IaC Projects Using Constrained LLM Technologies,” in Proc. ACM APR, 2024
2024
-
[11]
HashiCorp, ”Command: terraform validate,” HashiCorp Developer Documentation, 2024
2024
-
[12]
HashiCorp, ”Command: terraform plan,” HashiCorp Developer Documentation, 2024
2024
-
[13]
HashiCorp, ”Command: terraform init,” HashiCorp Developer Documentation, 2024. 32
2024
-
[14]
HashiCorp, ”Command: terraform show,” HashiCorp Developer Documentation, 2024
2024
-
[15]
P. Chen et al., ”CloudEval-YAML: A Benchmark for Cloud Configuration Generation,” arXiv:2401.06786, 2024
-
[16]
C. S. Xia, Y. Wei, and L. Zhang, ”Automated Program Repair in the Era of Large Pre-trained LLMs,” in Proc. IEEE/ACM ICSE, 2023, pp. 1482-1494
2023
-
[17]
Minna et al., ”Automated Analysis of Security Policy Violations in Helm Charts,” IEEE TDSC, vol
F. Minna et al., ”Automated Analysis of Security Policy Violations in Helm Charts,” IEEE TDSC, vol. 23, no. 2, 2026
2026
-
[18]
Reyes, B
E. Reyes, B. Ampel, and S. Chen, ”Large Language Models for IaC Vulnerability Remedia- tion,” Pre-ICIS Workshop, 2025
2025
-
[19]
C. Vo, M. Dao, and T. Fukuda, ”Harnessing LLMs for Code Smell Detection in Terraform IaC,” in Proc. IEEE COMPSAC, 2025
2025
-
[20]
Apuri et al., ”Self-Healing Infrastructure: Autonomous LLM Agents for Real-Time Reme- diation,” IJITEE, vol
S. Apuri et al., ”Self-Healing Infrastructure: Autonomous LLM Agents for Real-Time Reme- diation,” IJITEE, vol. 15, no. 4, 2026
2026
-
[21]
Nazzal et al., ”PromSec: Prompt Optimization for Secure LLM Code Generation,” in Proc
M. Nazzal et al., ”PromSec: Prompt Optimization for Secure LLM Code Generation,” in Proc. ACM CCS, 2024
2024
-
[22]
Drosos et al., ”When Your Infrastructure Is a Buggy Program,” in Proc
I. Drosos et al., ”When Your Infrastructure Is a Buggy Program,” in Proc. ACM OOPSLA, 2024
2024
-
[23]
Bridgecrew, ”Checkov: Static Code Analysis Tool for IaC,” GitHub, 2021
2021
-
[24]
E. B. Wilson, ”Probable Inference, the Law of Succession, and Statistical Inference,” JASA, vol. 22, pp. 209-212, 1927
1927
-
[25]
M. A. Rahman and L. Williams, ”Security Smells in Ansible and Chef Scripts,” ACM TOSEM, vol. 30, no. 1, 2021
2021
-
[26]
NIST, ”Secure Software Development Framework (SSDF) Version 1.1,” SP 800-218, 2022
2022
-
[27]
Evaluating Large Language Models Trained on Code
M. Chen et al., ”Evaluating Large Language Models Trained on Code,” arXiv:2107.03374, OpenAI, 2021
work page internal anchor Pith review Pith/arXiv arXiv 2021
-
[28]
Pearce et al., ”Asleep at the Keyboard? Assessing the Security of GitHub Copilot’s Code Contributions,” in Proc
H. Pearce et al., ”Asleep at the Keyboard? Assessing the Security of GitHub Copilot’s Code Contributions,” in Proc. IEEE S&P, 2022
2022
-
[29]
M. A. Rahman et al., ”A Literature Review on Mining Infrastructure as Code,” JSS, vol. 168, 2020
2020
-
[30]
Guerriero et al., ”Adoption, Support, and Challenges of IaC: Insights from Industry,” in Proc
M. Guerriero et al., ”Adoption, Support, and Challenges of IaC: Insights from Industry,” in Proc. IEEE ICSME, 2019
2019
-
[31]
J. R. Landis and G. G. Koch, ”The Measurement of Observer Agreement for Categorical Data,” Biometrics, vol. 33, no. 1, pp. 159-174, 1977
1977
-
[32]
Krippendorff, Content Analysis: An Introduction to Its Methodology, 4th ed
K. Krippendorff, Content Analysis: An Introduction to Its Methodology, 4th ed. Sage Publi- cations, 2018. 33
2018
-
[33]
Cohen, ”A Coefficient of Agreement for Nominal Scales,” Educational and Psychological Measurement, vol
J. Cohen, ”A Coefficient of Agreement for Nominal Scales,” Educational and Psychological Measurement, vol. 20, no. 1, pp. 37-46, 1960
1960
-
[34]
Monperrus, ”Automatic Software Repair: A Bibliography,” ACM Computing Surveys, vol
M. Monperrus, ”Automatic Software Repair: A Bibliography,” ACM Computing Surveys, vol. 51, no. 1, pp. 1-24, 2018
2018
-
[35]
Feldt et al., ”Ways of Applying Artificial Intelligence in Software Engineering,” in Proc
R. Feldt et al., ”Ways of Applying Artificial Intelligence in Software Engineering,” in Proc. IEEE/ACM NIER, 2018
2018
-
[36]
Sobania et al., ”An Analysis of the Automatic Bug Fixing Performance of ChatGPT,” in Proc
D. Sobania et al., ”An Analysis of the Automatic Bug Fixing Performance of ChatGPT,” in Proc. IEEE/ACM APR Workshop, 2023, pp. 23-30
2023
-
[37]
Wohlin, P
C. Wohlin, P. Runeson, M. Host, M. C. Ohlsson, B. Regnell, and A. Wesslen, Experimentation in Software Engineering. Berlin: Springer, 2012
2012
-
[38]
Kitchenham et al., ”Preliminary Guidelines for Empirical Research in Software Engineer- ing,” IEEE Trans
B. Kitchenham et al., ”Preliminary Guidelines for Empirical Research in Software Engineer- ing,” IEEE Trans. Softw. Eng., vol. 28, no. 8, pp. 721-734, 2002
2002
-
[39]
Runeson and M
P. Runeson and M. Host, ”Guidelines for Conducting and Reporting Case Study Research in Software Engineering,” Empir. Softw. Eng., vol. 14, no. 2, pp. 131-164, 2009
2009
-
[40]
Cohen, Statistical Power Analysis for the Behavioral Sciences, 2nd ed
J. Cohen, Statistical Power Analysis for the Behavioral Sciences, 2nd ed. Hillsdale, NJ: Lawrence Erlbaum, 1988
1988
-
[41]
R. A. Fisher, ”On the Interpretation of Chi-Square from Contingency Tables, and the Calcu- lation of P,” J. R. Stat. Soc., vol. 85, no. 1, pp. 87-94, 1922
1922
-
[42]
Hou et al., ”Large Language Models for Software Engineering: A Systematic Literature Review,” ACM Trans
X. Hou et al., ”Large Language Models for Software Engineering: A Systematic Literature Review,” ACM Trans. Softw. Eng. Methodol., vol. 33, no. 8, pp. 1-79, 2024
2024
-
[43]
An Insight into Security Code Review with LLMs: Capabilities, Obstacles, and Influential Factors
F. Nahar et al., ”Security Code Review by LLMs: A Deep Dive into Responses,” arXiv:2401.16310, 2024
work page internal anchor Pith review Pith/arXiv arXiv 2024
-
[44]
S. L. Siddiq and J. C. Santos, ”SecurityEval Dataset: Mining Vulnerability Examples to Evaluate Machine Learning-Based Code Generation Techniques,” in Proc. ACM MSR4PS, 2022
2022
-
[45]
Wei et al., ”Is Your Code Generated by ChatGPT Really Correct? Rigorous Evaluation of Large Language Models for Code Generation,” in Proc
Y. Wei et al., ”Is Your Code Generated by ChatGPT Really Correct? Rigorous Evaluation of Large Language Models for Code Generation,” in Proc. NeurIPS, 2023
2023
-
[46]
Fan et al., ”Large Language Models for Software Engineering: Survey and Open Problems,” in Proc
A. Fan et al., ”Large Language Models for Software Engineering: Survey and Open Problems,” in Proc. ACM FSE, 2023. 34
2023
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.