Developer Finds 14 Security Flaws in a Month of AI-Generated Code, Builds a Scanner to Catch Them
Existing tools like Snyk and SonarQube caught fewer than a third of the vulnerabilities in AI-written code
The developer described nearly merging a pull request generated by Claude that contained four security vulnerabilities in just 40 lines of authentication code. The issues — a hardcoded JWT secret, a timing-unsafe password comparison using == instead of a constant-time function, no rate limiting on login, and session tokens stored in localStorage — are all well-known attack vectors that are easy to miss in code that otherwise "looks clean" and passes tests.
After auditing a month's worth of AI-assisted coding output (roughly 3,000 lines), the developer tested existing security tools against the 14 vulnerabilities found. Snyk caught 2, SonarQube caught 4, and ESLint security plugins caught 3. None came close to catching all of them.
The gap exists because traditional security tools were designed for different threat models — dependency vulnerabilities, code style issues, and known CVEs — rather than the application-level patterns that AI assistants tend to introduce.
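The four issues in the pull request described above, shown in hardened form for Node.js. This is an added example, not code from the developer's pull request or scanner; the function names, the JWT_SECRET variable name, the 32-byte minimum and the limiter defaults are assumptions.

```javascript
// Added example: hardened counterparts of the four flaws listed in the article.
// All names and defaults here are hypothetical, chosen for illustration.
const crypto = require('node:crypto');

// 1. Hardcoded JWT secret -> read it from the environment and fail closed.
function loadJwtSecret(env = process.env) {
  const secret = env.JWT_SECRET;
  if (typeof secret !== 'string' || Buffer.byteLength(secret) < 32) {
    throw new Error('JWT_SECRET must be set and at least 32 bytes long');
  }
  return secret;
}

// 2. `==` on secrets -> constant-time comparison. Hashing both inputs first
// yields equal-length buffers, which crypto.timingSafeEqual requires.
// Use this on tokens or digests; stored passwords should additionally go
// through a dedicated password-hashing function before comparison.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(String(a)).digest();
  const hb = crypto.createHash('sha256').update(String(b)).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// 3. No rate limiting -> fixed-window attempt counter per key (user or IP).
// In-memory only; a multi-instance deployment needs a shared store.
function makeLoginLimiter(maxAttempts = 5, windowMs = 60_000) {
  const windows = new Map();
  return function allow(key, now = Date.now()) {
    const w = windows.get(key);
    if (!w || now - w.start >= windowMs) {
      windows.set(key, { start: now, count: 1 });
      return true;
    }
    w.count += 1;
    return w.count <= maxAttempts;
  };
}

// 4. Token in localStorage -> cookie that page scripts cannot read.
function sessionCookie(token, maxAgeSeconds = 3600) {
  return `session=${encodeURIComponent(token)}; Max-Age=${maxAgeSeconds}; ` +
    'Path=/; HttpOnly; Secure; SameSite=Strict';
}
```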
Analysis
Why This Matters
The productivity gains from AI coding assistants are real, but so is the security debt they create. When AI generates 500 lines in 30 seconds, thorough security review becomes practically impossible at the speed teams are shipping.
Background
AI coding assistants like Copilot, ChatGPT, and Claude are now used by millions of developers daily. The code they produce typically works and passes tests, which creates a false sense of security. The vulnerabilities tend to be subtle — not broken code, but insecure patterns.
Key Perspectives
This is not an argument against AI coding tools. It is an argument for adapting security tooling to the new reality. The existing scanner ecosystem was built for human-written code and human-speed development cycles.
What to Watch
Expect a wave of AI-code-specific security tools in 2026. The market gap is clear and the demand is urgent. Major vendors like Snyk are likely already working on AI-aware scanning modes.