
How Replit Secures AI-Generated Code [white paper]

Blog post from Replit

Author: Dawei Feng
Word count: 278
Summary

AI-generated code is transforming software development, but securing it raises new challenges. This white paper examines how well AI-driven security scans work on platforms such as Replit, comparing AI-only scans with a hybrid approach that pairs large language model (LLM) reasoning with static analysis and dependency scanning. AI-only scans turn out to be limited by nondeterminism and prompt sensitivity: functionally equivalent code can receive different security assessments because of minor syntactic variations. Dependency-level vulnerabilities also go largely undetected without traditional scanning infrastructure. The paper concludes that LLMs are strong at reasoning about business logic and intent-level issues, but that they should be complemented by deterministic tools such as static analysis and dependency scanning. The hybrid of deterministic and AI-driven methods is recommended as the reliable security baseline.
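The hybrid baseline described above, as an added example that is neither Replit's code nor the white paper's: a small deterministic layer (an AST-based injection-sink check and a pinned-dependency check against an advisory table) whose findings are merged with LLM findings supplied from outside. The package name examplelib, the advisory label ADV-EXAMPLE-0001, the sink lists and every sample input are constructed for illustration and correspond to no real package or vulnerability. The example also shows the determinism point: two syntactic variants of the same command injection yield identical findings from the static pass, which the summary reports an LLM-only pass does not guarantee.

```python
"""Added example (not Replit's or the white paper's code): a deterministic
security baseline of the kind the summary recommends beside LLM review.
Package names, advisory labels and all sample inputs are constructed."""
import ast
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    tool: str    # "sast", "sca" or "llm"
    rule: str
    line: int
    detail: str


# Constructed advisory table: package -> (first fixed version, label).
# "examplelib" and "ADV-EXAMPLE-0001" are placeholders, not a real advisory.
ADVISORIES = {"examplelib": ((2, 0, 1), "ADV-EXAMPLE-0001")}

# Sinks checked by the static pass (an assumed, deliberately small list).
CODE_SINKS = {"eval", "exec"}
SHELL_SINKS = {"os.system", "subprocess.run", "subprocess.call",
               "subprocess.Popen", "subprocess.check_output"}


def _qualname(node):
    """Dotted name of a call target such as os.system; None if not a plain name."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualname(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _is_dynamic(node):
    """True unless the argument is a string literal: concatenation, f-string,
    variable or call results all count as runtime-built input."""
    return not (isinstance(node, ast.Constant) and isinstance(node.value, str))


def static_scan(source):
    """AST walk: flag eval/exec and shell commands whose payload is not a literal.
    The same AST shape yields the same finding regardless of surface syntax."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name = _qualname(node.func)
        shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True for kw in node.keywords)
        if name in CODE_SINKS and _is_dynamic(node.args[0]):
            findings.append(Finding("sast", "code-injection", node.lineno,
                                    f"{name}() evaluates a non-literal"))
        elif name in SHELL_SINKS and (name == "os.system" or shell) \
                and _is_dynamic(node.args[0]):
            findings.append(Finding("sast", "command-injection", node.lineno,
                                    f"{name}() runs a runtime-built command"))
    return findings


_REQ = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)\s*$")


def dependency_scan(requirements):
    """Pinned requirements.txt lines checked against the advisory table."""
    findings = []
    for lineno, line in enumerate(requirements.splitlines(), 1):
        m = _REQ.match(line)
        if not m:
            continue  # comments and unpinned lines are out of scope here
        name, version = m.group(1).lower(), m.group(2)
        adv = ADVISORIES.get(name)
        if adv and tuple(int(p) for p in version.split(".")) < adv[0]:
            fixed = ".".join(map(str, adv[0]))
            findings.append(Finding("sca", "vulnerable-dependency", lineno,
                                    f"{name}=={version}, fixed in {fixed} ({adv[1]})"))
    return findings


def hybrid_scan(source, requirements, llm_findings=()):
    """Deterministic findings are the baseline; LLM findings add intent-level
    issues but never displace a deterministic hit on the same rule and line."""
    merged = {}
    for f in [*static_scan(source), *dependency_scan(requirements), *llm_findings]:
        merged.setdefault((f.rule, f.line), f)
    return sorted(merged.values(), key=lambda f: (f.line, f.rule))


# Constructed inputs: two syntactic variants of the same command injection.
VARIANT_A = "import os\nuser = input()\nos.system('ls ' + user)\n"
VARIANT_B = "import os\nuser = input()\nos.system(f'ls {user}')\n"
REQUIREMENTS = "examplelib==1.4.0\nothertool==3.2.0\n# pinned for the demo\n"
# Constructed stand-in for an LLM pass: one duplicate of the SAST hit and one
# intent-level observation no pattern rule would produce.
LLM_FINDINGS = (
    Finding("llm", "command-injection", 3, "user input reaches a shell"),
    Finding("llm", "missing-input-validation", 2, "input() used without checks"),
)

if __name__ == "__main__":
    assert static_scan(VARIANT_A) == static_scan(VARIANT_B)
    for f in hybrid_scan(VARIANT_A, REQUIREMENTS, LLM_FINDINGS):
        print(f"{f.tool:4} L{f.line} {f.rule}: {f.detail}")
```

The LLM stays outside the block as an injected list of findings so the example runs offline; in a real pipeline that list would come from the model call, and the merge order is the point: the deterministic passes always contribute, and a model finding that overlaps one of them is collapsed rather than trusted on its own.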