Safeguard
AI Security

Choosing a security tool for AI-generated code

GitHub reported in 2024 that Copilot writes up to 46% of code in enabled files — the same vulnerability classes humans write, now shipped at machine speed.

Safeguard Research Team
Research
Updated 7 min read

GitHub's own research put Copilot's share of code in enabled files at up to 46% as early as 2023, and by 2024 multiple industry surveys had most professional developers using an AI coding assistant in some form. That volume shift matters more than the novelty of the tools themselves: a 2023 Stanford study led by Neil Perry found developers using AI assistants were more likely to introduce SQL injection and other classic flaws into their code while also being more confident the code was secure — the opposite of what you'd want. AI-generated code isn't a new vulnerability class; it's the same CWE-89, CWE-79, and CWE-798 patterns static analysis has cataloged for two decades, but produced at a pace no human review queue was sized for. A single AI-assisted PR can touch a dozen files and hundreds of lines in the time it used to take to write twenty. That changes what you should actually evaluate in a security tool. Put simply, not every code scan tool built for human-paced review is ready for machine-paced output. A scanner tuned for a human's occasional single-function mistake will drown in false positives — or miss cross-file issues — when the input is a machine generating plausible-looking code at scale. This post lays out the criteria that matter: coverage of AI-common failure modes, cross-file analysis, noise control through reachability, and review that happens where the code actually lands, in the pull request.

What vulnerability classes do AI coding assistants actually introduce?

AI coding assistants tend to reproduce whatever patterns dominate their training data, which means the same well-known CWE categories recur: SQL and command injection from string-concatenated queries (CWE-89, CWE-78), hardcoded secrets and API keys pasted into example-style code (CWE-798), missing input validation, and insecure defaults like disabled TLS verification or overly permissive CORS. The Stanford study mentioned above (Perry et al., "Do Users Write More Insecure Code with AI Assistants?," 2023) tested this directly across several programming tasks and found participants with AI assistance produced less secure code in most of them, particularly around SQL injection and string-based cryptography. Because assistants are trained on public code that includes plenty of insecure examples, a tool evaluating AI output needs the same rule coverage you'd want for human code — CWE-89, CWE-502 (unsafe deserialization), CWE-79 (XSS) — just applied against a much higher volume of generated diffs, often across many files in a single suggestion or commit.

Why does cross-file, not single-function, analysis matter more now?

A single-function scanner looks at one file in isolation and misses vulnerabilities that only exist because of how two files interact — an AI assistant generating a new API handler in one file that calls a sanitization function whose actual implementation, three directories away, doesn't sanitize what the handler assumes it does. This is exactly the criterion Snyk's own January 2024 guidance on evaluating AI-code security tools emphasizes: interfile analysis that understands full application context, not just the function currently on screen. That's a reasonable bar regardless of vendor. AI assistants routinely scaffold multiple files in one suggestion — a route, a model, a validator — and a tool that only re-analyzes the file under the cursor will never see that the validator it just generated is a no-op. Cross-file, whole-repository analysis is what catches that gap.

How much does false-positive rate actually matter here?

It matters more than usual, because AI-assisted development multiplies the number of diffs a security tool has to evaluate per day, and a high false-positive rate compounds linearly with that volume. A scanner that fires on 15% of findings incorrectly is a manageable annoyance at ten PRs a week; at fifty AI-assisted PRs a week it becomes a queue nobody trusts, and teams start ignoring the tool entirely — the well-documented "alert fatigue" failure mode. Snyk's evaluation criteria explicitly call out avoiding "AI hallucinations" in findings themselves, a fair concern since some LLM-based reviewers generate confident-sounding but fabricated vulnerability explanations. The practical test: does the tool tie every finding to a concrete file, line, and, ideally, a reachable data-flow path — or does it produce prose that sounds plausible but can't be traced to actual code behavior?

Can reachability analysis cut noise on AI-generated code specifically?

Yes, and arguably it matters more here than on human-written code, because AI assistants generate speculative code paths — defensive branches, unused helper functions, alternate implementations — more liberally than a human writing to a specific requirement. Safeguard's reachability engine builds a call graph from source, lockfile, and bytecode to classify each finding as reachable, conditionally reachable, unreachable, or unknown, and applies the same model to findings inside AI-generated diffs. Because reachability filtering typically removes 60-80% of flagged findings across a codebase by proving they sit on paths nothing ever executes, applying it to a wave of new AI-authored code prevents the volume problem from ever reaching a human reviewer's queue in the first place — instead of scaling your triage headcount to match your AI assistant's output.

Why does PR-integrated review matter more than IDE-only scanning?

IDE-based scanning catches issues while a developer is typing, but a large share of AI-generated code arrives as a complete, multi-file suggestion accepted in one action — sometimes from an agentic coding tool operating with minimal human review of each individual line. That's the moment a pull request, not an editor tooltip, becomes the enforcement point. Safeguard's PR Guard runs against a pull request's actual diff, returning severity-ranked findings (critical through info) categorized by type — security, bug, reliability, and others — each tied to a specific file and line, with an optional suggested fix and a confidence score attached. Results can post directly back onto the GitHub PR as inline comments, so a reviewer evaluating a large AI-generated change sees prioritized findings exactly where they're already reading the diff, rather than needing a separate tool open in another tab.

Does it matter which AI assistant produced the code?

It shouldn't, and that's a fair criterion to hold any tool to. Snyk's own framework for evaluating these tools calls out independence from any single AI coding assistant as a requirement, and it's the right bar: a team today might use GitHub Copilot, Cursor, Claude Code, or an internal agent, often several at once across different engineers, and none of that should change how a PR gets reviewed. A security tool that analyzes the diff itself — the actual lines changed, regardless of which assistant or human wrote them — inherently satisfies this, since it never needs to know or trust an "AI-generated" label in the first place. That's also a safer default than trying to detect AI-authorship and treat it specially, since authorship detection is unreliable and beside the point: insecure code is insecure code, whoever typed it.

How Safeguard Helps

Safeguard treats AI-generated and human-written code the same way at review time: through the pull request. PR Guard scans a PR's diff regardless of which coding assistant produced it, returning severity- and category-ranked comments tied to exact files and lines, with suggested fixes and confidence scores, postable inline to GitHub so reviewers see them without leaving the PR. Underneath, Safeguard's reachability engine — static, dynamic, and configuration-based — filters findings against your real call graph before they ever reach that review, cutting the noise that would otherwise scale linearly with how much code your team ships through AI assistants. The result is review built for the volume AI coding tools actually produce, not the occasional single-function change static analysis was originally designed around — which is the actual bar for calling something a code scan tool for AI-generated code rather than a relabeled human-era scanner.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.