Demo: SGCode: A Flexible Prompt-Optimizing System for Secure Generation of Code

TL;DR

SGCode is a versatile system that combines prompt optimization and security tools to generate and review secure code using large language models, balancing utility, security, and cost.

Contribution

It introduces SGCode, a unified platform integrating prompt optimization and security analysis for secure code generation with LLMs.

Findings

SGCode effectively generates vulnerability-free code.

The system provides insights into utility-security-cost trade-offs.

SGCode operates with marginal additional cost compared to standard prompting.

Abstract

This paper introduces SGCode, a flexible prompt-optimizing system to generate secure code with large language models (LLMs). SGCode integrates recent prompt-optimization approaches with LLMs in a unified system accessible through front-end and back-end APIs, enabling users to 1) generate secure code, which is free of vulnerabilities, 2) review and share security analysis, and 3) easily switch from one prompt optimization approach to another, while providing insights on model and system performance. We populated SGCode on an AWS server with PromSec, an approach that optimizes prompts by combining an LLM and security tools with a lightweight generative adversarial graph neural network to detect and fix security vulnerabilities in the generated code. Extensive experiments show that SGCode is practical as a public tool to gain insights into the trade-offs between model utility, secure code generation, and system cost. SGCode has only a marginal cost compared with prompting LLMs. SGCode is available at: https://sgcode.codes/.