The reviewed record of science sign in
Pith

arxiv: 2310.02059 · v4 · pith:XMAXB6CY · submitted 2023-10-03 · cs.SE · cs.CR

Security Weaknesses of Copilot-Generated Code in GitHub Projects: An Empirical Study

Reviewed by Pith T0 review T1 audit T2 compute T3 formal T4 kernel pith:XMAXB6CYrecord.jsonopen to challenge →

classification cs.SE cs.CR
keywords codesecuritygenerationissuescopilotgeneratedgithubsnippets
0
0 comments X
read the original abstract

Modern code generation tools utilizing AI models like Large Language Models (LLMs) have gained increased popularity due to their ability to produce functional code. However, their usage presents security challenges, often resulting in insecure code merging into the code base. Thus, evaluating the quality of generated code, especially its security, is crucial. While prior research explored various aspects of code generation, the focus on security has been limited, mostly examining code produced in controlled environments rather than open source development scenarios. To address this gap, we conducted an empirical study, analyzing code snippets generated by GitHub Copilot and two other AI code generation tools (i.e., CodeWhisperer and Codeium) from GitHub projects. Our analysis identified 733 snippets, revealing a high likelihood of security weaknesses, with 29.5% of Python and 24.2% of JavaScript snippets affected. These issues span 43 Common Weakness Enumeration (CWE) categories, including significant ones like CWE-330: Use of Insufficiently Random Values, CWE-94: Improper Control of Generation of Code, and CWE-79: Cross-site Scripting. Notably, eight of those CWEs are among the 2023 CWE Top-25, highlighting their severity. We further examined using Copilot Chat to fix security issues in Copilot-generated code by providing Copilot Chat with warning messages from the static analysis tools, and up to 55.5% of the security issues can be fixed. We finally provide the suggestions for mitigating security issues in generated code.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 4 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Enhancing Reliability in LLM-Based Secure Code Generation

    cs.CR 2026-05 conditional novelty 6.0

    MA-CoT prompting reduces security findings in LLM-generated code by 57.6% on a 200-task dataset and 94.5% on LLMSecEval across C, Java, and Python, outperforming vanilla, zero-shot, and standard CoT strategies.

  2. SecureForge: Finding and Preventing Vulnerabilities in LLM-Generated Code via Prompt Optimization

    cs.CR 2026-05 unverdicted novelty 6.0

    SecureForge audits LLM code for vulnerabilities, builds a synthetic prompt corpus via Markovian sampling, and optimizes system prompts to cut security issues by up to 48% while preserving unit test performance, with z...

  3. A Quasi-Experimental Developer Study of Security Training in LLM-Assisted Web Application Development

    cs.CR 2026-04 conditional novelty 6.0

    A within-subject study of 12 developers found that security training reduced validated weaknesses by 31.5% and critical issues by 79.2% in LLM-assisted backend coding.

  4. Short-Term Gain, Long-Term Fragility: AI Labor Substitution and the Erosion of Sustainable Capability

    cs.CY 2026-04 conditional novelty 4.0

    AI labor substitution creates short-term efficiency by masking the erosion of human capability, apprenticeship pipelines, and institutional memory, producing long-term fragility.