Persistent Human Feedback, LLMs, and Static Analyzers for Secure Code Generation and Vulnerability Detection

TL;DR

This paper evaluates static analysis tools for secure code generation by LLMs, revealing significant discrepancies and proposing a framework that incorporates persistent human feedback to improve security assessments.

Contribution

It introduces a comprehensive evaluation of static analyzers against human-validated ground truth and proposes a novel framework leveraging persistent human feedback for enhanced security in code generation.

Findings

Static analyzers agree on aggregate security metrics but differ significantly on individual samples.

Only 65% of Semgrep and 61% of CodeQL reports matched the ground truth.

Static analysis tools alone are unreliable for security evaluation, highlighting the need for expert feedback.

Abstract

Existing literature heavily relies on static analysis tools to evaluate LLMs for secure code generation and vulnerability detection. We reviewed 1,080 LLM-generated code samples, built a human-validated ground-truth, and compared the outputs of two widely used static security tools, CodeQL and Semgrep, against this corpus. While 61% of the samples were genuinely secure, Semgrep and CodeQL classified 60% and 80% as secure, respectively. Despite the apparent agreement in aggregate statistics, per-sample analysis reveals substantial discrepancies: only 65% of Semgrep's and 61% of CodeQL's reports correctly matched the ground truth. These results question the reliability of static analysis tools as sole evaluators of code security and underscore the need for expert feedback. Building on this insight, we propose a conceptual framework that persistently stores human feedback in a dynamic retrieval-augmented generation pipeline, enabling LLMs to reuse past feedback for secure code generation and vulnerability detection.