{"id":755,"date":"2026-01-22T09:04:38","date_gmt":"2026-01-22T09:04:38","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/22\/is-ai-generated-code-secure-thu-jan-22nd\/"},"modified":"2026-01-22T09:04:38","modified_gmt":"2026-01-22T09:04:38","slug":"is-ai-generated-code-secure-thu-jan-22nd","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/01\/22\/is-ai-generated-code-secure-thu-jan-22nd\/","title":{"rendered":"Is AI-Generated Code Secure?, (Thu, Jan 22nd)"},"content":{"rendered":"<div>\n<p>The title of this diary is perhaps a bit catchy, but the question is important. I don\u2019t consider myself a good developer. That\u2019s not my day job, and I\u2019m writing code to improve my daily tasks. I like to say \u201cI\u2019m writing sh*ty code! It works for me, no warranty that it will work for you\u201d. Today, most of my code (the skeleton of the program) is generated by AI, probably like most of you.<\/p>\n<p>My daily morning routine is to follow RSS feeds and news, and today I spotted an interesting tool called \u201cBandit\u201d[<a href=\"https:\/\/github.com\/PyCQA\/bandit\">1<\/a>]. It\u2019s a tool designed to find common security issues in Python code. Because I\u2019m mainly writing Python code, it made me curious to test it.<\/p>\n<p>I regularly use a Python script that was 99% generated by AI. I just made some adjustments, but all the core features have been generated. 
This script was a good candidate to be analyzed by Bandit because:<\/p>\n<ul>\n<li>It has a decent size (1500 lines)<\/li>\n<li>It uses many dependencies (Python libraries)<\/li>\n<li>It is multi-threaded for performance<\/li>\n<li>It collects data from online resources (network interactions)<\/li>\n<\/ul>\n<p>Bandit is super easy to use. First, download the Docker image (good to know, the images are signed!):<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\ndocker pull ghcr.io\/pycqa\/bandit\/bandit<\/pre>\n<p>Now, scan your code:<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\ndocker run -it --rm -v $(pwd):\/data ghcr.io\/pycqa\/bandit\/bandit --severity-level all -v \/data\/myscript.py<\/pre>\n<p>Here are the scan results for my script:<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\nTotal issues (by severity):\n    Undefined: 0\n    Low: 13\n    Medium: 1\n    High: 0\nTotal issues (by confidence):\n    Undefined: 0\n    Low: 0\n    Medium: 0\n    High: 14<\/pre>\n<p>The following table shows what was spotted in the code (I grouped the findings by type):<\/p>\n<table border=\"1\" cellpadding=\"1\" cellspacing=\"1\" style=\"width:500px;\">\n<thead>\n<tr>\n<th scope=\"col\">Issue<\/th>\n<th scope=\"col\">Severity<\/th>\n<th scope=\"col\">Confidence<\/th>\n<th scope=\"col\">Reference<\/th>\n<th scope=\"col\">Occurrences<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Consider possible security implications associated with the subprocess module<\/td>\n<td>Low<\/td>\n<td>High<\/td>\n<td>https:\/\/cwe.mitre.org\/data\/definitions\/78.html<\/td>\n<td>1<\/td>\n<\/tr>\n<tr>\n<td>Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. 
Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called<\/td>\n<td>Medium<\/td>\n<td>High<\/td>\n<td>https:\/\/cwe.mitre.org\/data\/definitions\/20.html<\/td>\n<td>2<\/td>\n<\/tr>\n<tr>\n<td>subprocess call &#8211; check for execution of untrusted input<\/td>\n<td>Low<\/td>\n<td>High<\/td>\n<td>https:\/\/cwe.mitre.org\/data\/definitions\/78.html<\/td>\n<td>3<\/td>\n<\/tr>\n<tr>\n<td>Standard pseudo-random generators are not suitable for security\/cryptographic purposes<\/td>\n<td>Low<\/td>\n<td>High<\/td>\n<td>https:\/\/cwe.mitre.org\/data\/definitions\/330.html<\/td>\n<td>1<\/td>\n<\/tr>\n<tr>\n<td>Try, Except, Pass detected<\/td>\n<td>Low<\/td>\n<td>High<\/td>\n<td>https:\/\/cwe.mitre.org\/data\/definitions\/703.html<\/td>\n<td>7<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Like any vulnerability scan, the results must be interpreted in the context of the environment where the code is executed. In my case, the script runs internally with a trusted set of (XML) data, so I consider the results as &#8220;good&#8221;. Now, if your application is facing the Internet and publicly available, that&#8217;s another story!<\/p>\n<p>If you are curious about the tests performed by Bandit, the list of plugins is available in the documentation[<a href=\"https:\/\/bandit.readthedocs.io\/en\/latest\/plugins\/index.html\">2<\/a>].<\/p>\n<p>Conclusion: the AI-generated script does not look too bad. 
Tip: when writing your prompt to generate the initial code, don&#8217;t forget to mention that &#8220;security is very important&#8221;, for example:<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\nGenerate production-quality Python code with a security-first approach.\nRequirements:\n- Treat all external input as untrusted\n- Validate input types, length, and format\n- Sanitize strings (e.g., for file paths, URLs, commands, JSON, CSV)\n- Use explicit allow-lists where possible\n- Handle errors with clear exceptions (no silent failures)\n- Avoid dangerous functions (eval, exec, os.system, shell=True)\n- Prevent command injection, path traversal, and deserialization issues\n- Use safe libraries and best practices\n- Include input validation helpers if needed<\/pre>\n<p>[1] <a href=\"https:\/\/github.com\/PyCQA\/bandit\">https:\/\/github.com\/PyCQA\/bandit<\/a><br \/>\n[2] <a href=\"https:\/\/bandit.readthedocs.io\/en\/latest\/plugins\/index.html\">https:\/\/bandit.readthedocs.io\/en\/latest\/plugins\/index.html<\/a><\/p>\n<p>Xavier Mertens (@xme)<br \/>\nXameco<br \/>\nSenior ISC Handler &#8211; Freelance Cyber Security Consultant<br \/>\n<a href=\"https:\/\/keybase.io\/xme\/key.asc\">PGP Key<\/a><\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>The title of this diary is perhaps a bit catchy but the question is important. I don\u2019t consider myself as a good developer. That\u2019s not my day job and I\u2019m writing code to improve my daily tasks. I like to say \u201cI\u2019m writing sh*ty code! 
It works for me, no warranty that it will for [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[90],"tags":[91]}