SCGAgent: Recreating the Benefits of Reasoning Models for Secure Code Generation with Agentic Workflows
Rebecca Saul, Hao Wang, Koushik Sen, David Wagner

TL;DR
SCGAgent is a proactive secure coding agent that enhances code security by integrating security guidelines and unit tests, maintaining functionality while significantly improving security in code generation.
Contribution
The paper introduces SCGAgent, a novel agentic workflow that improves security in code generated by LLMs without sacrificing functionality, outperforming or matching more complex reasoning models.
Findings
SCGAgent preserves 98% of base model functionality.
Achieves 25% improvement in code security.
Matches or exceeds performance of reasoning LLMs.
Abstract
Large language models (LLMs) have seen widespread success in code generation tasks for different scenarios, both everyday and professional. However, current LLMs, despite producing functional code, do not prioritize security and may generate code with exploitable vulnerabilities. In this work, we propose techniques for generating code that is more likely to be secure and introduce SCGAgent, a proactive secure coding agent that implements our techniques. We use security coding guidelines that articulate safe programming practices, combined with LLM-generated unit tests to preserve functional correctness. In our evaluation, we find that SCGAgent is able to preserve nearly 98% of the functionality of the base Sonnet-3.7 LLM while achieving an approximately 25% improvement in security. Moreover, SCGAgent is able to match or best the performance of sophisticated reasoning LLMs using a…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Scientific Computing and Data Management
