SE · Apr 21

Insights into Security-Related AI-Generated Pull Requests

arXiv:2604.19965 · h-index: 27
AI Analysis

This paper addresses security and trust in AI-assisted software development, giving developers and researchers an empirical view of how autonomous coding agents perform on security-relevant changes. The contribution is incremental in that it extends existing pull-request rejection taxonomies with AI-specific categories rather than proposing a new framework.

The paper analyzes over 33,000 AI-generated pull requests, identifies 675 security-related submissions, and finds that these introduce a small set of recurring weaknesses (regex inefficiencies, injection flaws, and path traversal). Many flawed contributions are still merged, and rejections are often driven by social or process factors such as inactivity or missing test coverage.

Recent years have seen growing contributions from AI coding agents that assist human developers in various software engineering tasks. However, this growing AI-assisted autonomy raises questions about security and trust. In this paper, we analyze more than 33,000 AI-generated pull requests (PRs) and identify 675 security-related submissions made by agentic AIs. We then examine the security-related PRs with a focus on recurring security weaknesses, review outcomes and latency, commit message quality, and rejection reasons. The results show that security-related AI PRs introduce a small set of recurring weaknesses such as regex inefficiencies, injection flaws, and path traversal. Many flawed contributions are still merged, while rejections often arise from social or process factors such as inactivity or missing test coverage. The commit message quality of AI PRs has a limited effect on acceptance or latency, in contrast to human PRs reported in previous studies. We also extend existing rejection taxonomies by adding categories that are unique to AI-generated security contributions. These findings offer new insights into the strengths and shortcomings of autonomous coding systems in secure software development.
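To make the three recurring weakness classes named in the abstract concrete, here is an added Python example (written for this page, not code from the paper or from any PR it studied) showing each in the shape it typically takes in a generated patch, beside a hardened form. The function names, the in-memory `users` table and all inputs are constructed for illustration; the slow-regex timing helper is only for running by hand and is deliberately not part of the checks.

```python
import os
import re
import sqlite3
import time

# --- 1. Regex inefficiency (catastrophic backtracking) -----------------------
# Hypothetical generated pattern for "comma-separated list of integers".
# The nested quantifier (\d+,?)+ lets the engine split a run of n digits into
# groups in 2^(n-1) ways; on a non-matching input it tries them all.
UNSAFE_LIST_RE = re.compile(r"^(\d+,?)+$")

# Same intent without nested quantifiers: one number, then zero or more
# ",number" units. Each position has exactly one way to match, so it runs in
# linear time. It also rejects a trailing comma, which the unsafe pattern
# silently accepted; that tightening is intentional.
SAFE_LIST_RE = re.compile(r"^\d+(?:,\d+)*$")


def is_number_list(s: str) -> bool:
    """Validate a comma-separated integer list with the linear-time pattern."""
    return SAFE_LIST_RE.fullmatch(s) is not None


def unsafe_regex_cost(n: int) -> float:
    """Seconds the backtracking-prone pattern spends on n digits followed by a
    non-digit. Exponential in n: keep n at or below ~22 when trying this."""
    probe = "1" * n + "x"   # constructed non-matching input
    t0 = time.perf_counter()
    UNSAFE_LIST_RE.match(probe)
    return time.perf_counter() - t0


# --- 2. Injection (SQL) -------------------------------------------------------
def _demo_db() -> sqlite3.Connection:
    """Constructed in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """String-formatted query: the caller's input becomes SQL syntax."""
    return conn.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the input is bound as data, never parsed as SQL."""
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


def demo_injection(name: str) -> tuple:
    """Return (rows from unsafe lookup, rows from safe lookup) for one input."""
    conn = _demo_db()
    return len(find_user_unsafe(conn, name)), len(find_user_safe(conn, name))


# --- 3. Path traversal --------------------------------------------------------
def resolve_unsafe(base_dir: str, requested: str) -> str:
    """Typical generated code: join and go. os.path.join discards base_dir
    entirely if `requested` is absolute, and '..' segments walk out of it."""
    return os.path.join(base_dir, requested)


def resolve_under(base_dir: str, requested: str) -> str:
    """Canonicalise both sides, then require the target to stay inside base.
    Raises ValueError on any escape (absolute path, '..', or symlink out)."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes {base}: {requested!r}")
    return target


if __name__ == "__main__":
    print("safe regex:", is_number_list("1,22,333"), is_number_list("1,22,"))
    print("unsafe regex, n=18:", round(unsafe_regex_cost(18), 3), "s")
    print("injection (unsafe rows, safe rows):", demo_injection("x' OR '1'='1"))
    print("unsafe join:", resolve_unsafe("/srv/app/uploads", "../../etc/passwd"))
    try:
        resolve_under("/srv/app/uploads", "../../etc/passwd")
    except ValueError as e:
        print("safe resolve rejected:", e)
```

The `commonpath` comparison is the check that matters for traversal: a prefix test on the raw string (`target.startswith(base)`) would still accept `/srv/app/uploads-old/...`, and skipping `realpath` would let a symlink inside the base point outside it. For the regex case, the practical reviewer check is to look for a quantified group whose body itself ends in a quantifier and ask whether the engine has more than one way to consume the same characters.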
