English

SoK: Understanding (New) Security Issues Across AI4Code Use Cases

Cryptography and Security 2025-12-23 v1 Artificial Intelligence

Abstract

AI-for-Code (AI4Code) systems are reshaping software engineering, with tools like GitHub Copilot accelerating code generation, translation, and vulnerability detection. Alongside these advances, however, security risks remain pervasive: insecure outputs, biased benchmarks, and susceptibility to adversarial manipulation undermine their reliability. This SoK surveys the landscape of AI4Code security across three core applications, identifying recurring gaps: benchmark dominance by Python and toy problems, lack of standardized security datasets, data leakage in evaluation, and fragile adversarial robustness. A comparative study of six state-of-the-art models illustrates these challenges: insecure patterns persist in code generation, vulnerability detection is brittle to semantic-preserving attacks, fine-tuning often misaligns security objectives, and code translation yields uneven security benefits. From this analysis, we distill three forward paths: embedding secure-by-default practices in code generation, building robust and comprehensive detection benchmarks, and leveraging translation as a route to security-enhanced languages. We call for a shift toward security-first AI4Code, where vulnerability mitigation and robustness are embedded throughout the development life cycle.

Keywords

Cite

@article{arxiv.2512.18456,
  title  = {SoK: Understanding (New) Security Issues Across AI4Code Use Cases},
  author = {Qilong Wu and Taoran Li and Tianyang Zhou and Varun Chandrasekaran},
  journal= {arXiv preprint arXiv:2512.18456},
  year   = {2025}
}

Comments

39 pages, 19 figures

R2 v1 2026-07-01T08:35:02.726Z