SecCodePRM: A Process Reward Model for Code Security
Weichen Yu, Ravi Mangal, Yinyi Luo, Kai Hu, Jingxuan He, Corina S. Pasareanu, Matt Fredrikson

TL;DR
SecCodePRM introduces a step-level, context-aware security scoring model for code, trained with static analyzer and expert labels, enabling real-time vulnerability detection and secure code generation during interactive development.
Contribution
It presents SecCodePRM, a novel process reward model that provides fine-grained, real-time security assessment for code, improving over existing static and coarse-grained methods.
Findings
Outperforms prior approaches in vulnerability detection and secure code generation.
Provides dense, real-time feedback suitable for long-horizon code generation.
Maintains code correctness while enhancing security.
Abstract
Large Language Models are rapidly becoming core components of modern software development workflows, yet ensuring code security remains challenging. Existing vulnerability detection pipelines either rely on static analyzers or use LLM/GNN-based detectors trained with coarse program-level supervision. Both families often require complete context, provide sparse end-of-completion feedback, and can degrade as code length grows, making them ill-suited for real-time, prefix-level assessment during interactive coding and streaming generation. We propose SecCodePRM, a security-oriented process reward model that assigns a context-aware, step-level security score along a code trajectory. To train the model, we derive step-level supervision labels from static analyzers and expert annotations, allowing the model to attend more precisely to fine-grained regions associated with inter-procedural…
Taxonomy
Topics: Software Engineering Research · Information and Cyber Security · Software Testing and Debugging Techniques
