AI code generators like Copilot, Cursor, and Claude are transforming how teams ship software. But speed without scrutiny creates risk — and the numbers tell a stark story.
Over the past six months, our engineering team reviewed 500+ AI-generated pull requests across 14 client projects. The results were eye-opening: 73% contained at least one security vulnerability that would have failed a standard code review.
The Most Common Failures
Hardcoded secrets (41% of PRs). API keys, database passwords, and JWT secrets embedded directly in source code. AI models learn from public repositories where this pattern is disturbingly common.
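As a minimal sketch of the fix (the variable names here are illustrative, not taken from any reviewed PR), secrets should be read from the environment at startup, and the process should fail fast when they're missing:

```python
import os

# Pattern AI models frequently emit (do not do this):
# JWT_SECRET = "super-secret-value"   # hardcoded, ends up in version control

# Safer pattern: pull secrets from the environment at startup.
JWT_SECRET = os.environ["JWT_SECRET"]  # a KeyError at boot beats a leaked key

# For values you want to check explicitly, make the failure loud, not silent.
DB_PASSWORD = os.environ.get("DB_PASSWORD")
if DB_PASSWORD is None:
    raise RuntimeError("DB_PASSWORD must be set in the environment")
```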
Missing input validation (38%). AI generates the happy path beautifully but consistently skips boundary checks, type validation, and sanitization of user inputs.
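To make the gap concrete, here is a hedged Python sketch of the validation AI-generated handlers tend to omit; the field name and length limit are hypothetical:

```python
import re

MAX_USERNAME_LEN = 32  # hypothetical boundary for this example

def validate_username(raw: object) -> str:
    """Type-check, bound, and sanitize a username before it touches anything."""
    if not isinstance(raw, str):                    # type validation
        raise TypeError("username must be a string")
    name = raw.strip()
    if not 1 <= len(name) <= MAX_USERNAME_LEN:      # boundary check
        raise ValueError("username length out of bounds")
    if not re.fullmatch(r"[A-Za-z0-9_]+", name):    # allowlist sanitization
        raise ValueError("username contains disallowed characters")
    return name
```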
SQL injection vulnerabilities (27%). String concatenation in database queries instead of parameterized statements. The AI produces code that works — and that's exploitable.
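A self-contained sketch using Python's standard-library sqlite3 driver shows the difference; the table and the injection payload are invented for illustration:

```python
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
conn.execute("INSERT INTO users (email) VALUES (?)", ("alice@example.com",))

def find_user(email: str):
    # Exploitable pattern AI often emits:
    #   conn.execute(f"SELECT id, email FROM users WHERE email = '{email}'")
    # Parameterized version: the driver binds the value; no string splicing.
    cur = conn.execute("SELECT id, email FROM users WHERE email = ?", (email,))
    return cur.fetchone()

print(find_user("alice@example.com"))   # (1, 'alice@example.com')
print(find_user("x' OR '1'='1"))        # None: the injection payload is inert
```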
Insecure authentication patterns (19%). Weak token generation, missing rate limiting on login endpoints, and session management that doesn't follow OWASP guidelines.
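As a non-authoritative sketch of two of these fixes using only Python's standard library: cryptographically strong token generation and a deliberately naive in-memory login rate limiter. A real deployment would back the limiter with a shared store such as Redis; the limit and window values are assumptions.

```python
import hmac
import secrets
import time
from collections import defaultdict

def new_session_token() -> str:
    # Weak pattern AI sometimes emits: str(random.random()) or timestamp IDs.
    # secrets.token_urlsafe draws from the OS CSPRNG.
    return secrets.token_urlsafe(32)

def tokens_match(provided: str, stored: str) -> bool:
    # Constant-time comparison avoids timing side channels.
    return hmac.compare_digest(provided, stored)

_attempts: dict[str, list[float]] = defaultdict(list)  # ip -> attempt times

def allow_login(ip: str, limit: int = 5, window: float = 60.0) -> bool:
    # Hypothetical limiter: at most `limit` attempts per `window` seconds.
    now = time.monotonic()
    _attempts[ip] = [t for t in _attempts[ip] if now - t < window]
    if len(_attempts[ip]) >= limit:
        return False
    _attempts[ip].append(now)
    return True
```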
The Human Review Checklist
We've developed a focused review checklist that catches these issues in under 15 minutes per PR:
- Are all secrets externalized to environment variables?
- Is every user input type-checked, bounded, and sanitized before use?
- Do all database queries use parameterized statements rather than string concatenation?
- Are tokens generated from a cryptographically secure source, and are login endpoints rate limited?
AI writes the first draft. Humans make it secure. That's not a limitation — it's the model that works.