AI Code Security: Using AI to Find and Fix Vulnerabilities

Security vulnerabilities are expensive. The average data breach costs $4.45 million, and most of them start with code that a developer wrote in a hurry. I’ve been using AI tools to audit code for security issues over the past year, and I want to share what works, what doesn’t, and how to build AI security scanning into your workflow without slowing you down.

What AI Can Actually Detect

Let’s be realistic about capabilities. AI is genuinely good at catching pattern-based vulnerabilities: the kind of issues that follow recognizable code patterns. Here are the categories where I’ve seen reliable results.

SQL Injection

AI is excellent at spotting string concatenation in SQL queries. Feed it a function like this and it will flag it immediately:

// Vulnerable: string concatenation
app.get('/users', (req, res) => {
  const query = `SELECT * FROM users WHERE name = '${req.query.name}'`;
  db.query(query);
});

// Fixed: parameterized query
app.get('/users', (req, res) => {
  const query = 'SELECT * FROM users WHERE name = $1';
  db.query(query, [req.query.name]);
});

Cross-Site Scripting (XSS)

AI reliably detects innerHTML assignments, dangerouslySetInnerHTML without sanitization, and unescaped output in template engines. It also catches the subtler variants like DOM-based XSS through document.location or window.name.

Authentication and Authorization Issues

This is where AI provides some of its highest value. It can trace request flows and notice when an endpoint is missing authentication middleware or when authorization checks are incomplete:

// AI flags this: no auth middleware on sensitive route
router.delete('/users/:id', async (req, res) => {
  await User.findByIdAndDelete(req.params.id);
  res.json({ message: 'User deleted' });
});

// Fixed: auth + authorization check
router.delete('/users/:id', authenticate, async (req, res) => {
  if (req.user.role !== 'admin' && req.user.id !== req.params.id) {
    return res.status(403).json({ error: 'Forbidden' });
  }
  await User.findByIdAndDelete(req.params.id);
  res.json({ message: 'User deleted' });
});

CSRF and Session Management

AI catches missing CSRF token validation on state-changing endpoints, insecure session cookie configurations, and missing SameSite attributes. It also spots when sensitive operations use GET instead of POST.

Security Audit Prompts That Work

The quality of your security audit depends entirely on how you prompt. Vague requests like “check this for security issues” produce generic advice. Here are prompts I use that get specific, actionable results:

• “Trace every path user input can take through this function and identify where it’s used without sanitization.” This catches injection vulnerabilities that span multiple function calls.
• “List every endpoint that modifies data and verify it has both authentication and authorization checks.” This systematically covers access control.
• “Check all cryptographic operations for weak algorithms, hardcoded keys, or improper IV/nonce usage.” Catches the subtle crypto mistakes.
• “Review error handling and verify no stack traces, database details, or internal paths are exposed to the client.” Information disclosure is easy to overlook.

Walking Through an OWASP Top 10 Scan

I run my codebases through a structured OWASP Top 10 scan using AI. For each category (Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable Components, Authentication Failures, Data Integrity Failures, Logging Failures, Server-Side Request Forgery), I provide the relevant source files and ask AI to evaluate against that specific category.

This takes about 45 minutes for a medium-sized application, and it consistently finds 3-5 issues that my team missed during code review. The most common finds are missing rate limiting on authentication endpoints, overly permissive CORS configurations, and sensitive data in error responses.

The Limitations You Need to Know

AI security scanning has real blind spots:

• Business logic flaws. AI can’t know that your pricing logic allows negative discounts unless you explain the business rules. Logic vulnerabilities require domain knowledge that AI doesn’t have.
• Race conditions. Timing-based vulnerabilities in concurrent code are extremely difficult for AI to spot from static analysis alone.
• Supply chain attacks. AI can flag known vulnerable dependencies if you ask, but it can’t detect compromised packages the way dedicated tools like Socket or Snyk can.
• Infrastructure misconfiguration. Cloud IAM policies, network rules, and server hardening are better handled by specialized tools like Checkov or ScoutSuite.
• False confidence. The biggest risk is assuming AI found everything. It didn’t. Use AI scanning as one layer in a defense-in-depth strategy, not as your only security measure.

Building It Into Your Workflow

My recommendation: run an AI security scan as part of every pull request review. Not as a gate that blocks merging, but as an additional reviewer that flags potential issues. Keep a running document of the types of vulnerabilities AI catches in your codebase so you can address the systemic patterns, not just individual instances.

AI won’t replace a penetration test or a dedicated security team. But for development teams without a security specialist, it raises the baseline significantly. And that baseline is where most breaches happen.