Detect Repair Verify for Securing LLM Generated Code: A Multi-Language Empirical Study
Cheng Cheng

TL;DR
This paper presents a comprehensive empirical study of a Detect-Repair-Verify workflow for securing code generated by large language models, introducing a new benchmark dataset and analyzing effectiveness, reliability, and side effects across multiple projects.
Contribution
It introduces a new project-level benchmark dataset with security tests, and evaluates the effectiveness and reliability of different DRV approaches for securing LLM-generated code.
Findings
Bounded iterative DRV improves security and correctness.
Detection reports are often unreliable for guiding repairs.
Post-repair issues include regressions and new security vulnerabilities.
Abstract
Large language models are increasingly used to produce runnable software. In practice, security is often addressed through a Detect-Repair-Verify (DRV) loop that detects issues, applies fixes, and verifies the result. This work studies such a workflow for project-level artifacts and addresses four gaps: L1, the lack of project-level benchmarks with executable function and security tests; L2, limited evidence on pipeline-level effectiveness beyond studying detection or repair alone; L3, unclear reliability of detection reports as repair guidance; and L4, uncertain repair trustworthiness and side effects under verification. A new benchmark dataset (https://github.com/Hahappyppy2024/EmpricalVDR) is introduced, consisting of runnable web-application projects paired with functional tests and targeted security tests, and supporting three prompt granularities at the project,…
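The abstract and findings describe a bounded DRV loop whose verify step runs both functional and security tests, and note that repairs can regress functionality. The following is an added illustration of that loop shape, not code from the paper or from the linked benchmark repository: the three candidate sources, the regex-based detector, the scripted stand-in for the LLM repair step (`scripted_repairer`), and the functional and security tests are all constructed here for the example.

```python
"""Bounded Detect-Repair-Verify (DRV) harness. Illustrative code, not the paper's."""
import re
import sqlite3
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed candidate implementations of one project function.
# V0 builds SQL by concatenating user input (the issue detect() should flag).
CANDIDATE_V0 = '''
def find_user(conn, name):
    cur = conn.execute("SELECT name FROM users WHERE name = '" + name + "'")
    return [row[0] for row in cur.fetchall()]
'''
# A plausible repair that removes the concatenation but changes the return
# shape (tuples instead of names): the functional tests must reject it.
CANDIDATE_V1_REGRESSION = '''
def find_user(conn, name):
    cur = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return cur.fetchall()
'''
# A repair that is both parameterized and behaviour-preserving.
CANDIDATE_V2_FIXED = '''
def find_user(conn, name):
    cur = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]
'''


def detect(source: str) -> List[str]:
    """Static detection: flag execute() calls whose SQL is assembled from
    string concatenation, f-strings or .format(). Deliberately crude, which
    is exactly why the verify step must not trust it blindly."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if "execute(" in line and (
            "+" in line or re.search(r'execute\(\s*f["\']', line) or ".format(" in line
        ):
            findings.append(f"line {lineno}: SQL built from string concatenation/formatting")
    return findings


def _load_find_user(source: str) -> Callable:
    namespace = {}
    exec(source, namespace)  # candidate code runs in-process; fine for a toy harness
    return namespace["find_user"]


def _make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def verify(source: str):
    """Run functional tests and a targeted security test against a candidate.
    Returns (functional_failures, security_failures); both empty means pass."""
    fn = _load_find_user(source)
    conn = _make_db()
    functional, security = [], []
    try:
        if fn(conn, "alice") != ["alice"]:
            functional.append("lookup of an existing user returned the wrong value/shape")
        if fn(conn, "carol") != []:
            functional.append("lookup of a missing user should return []")
    except Exception as exc:  # a crash is a functional regression too
        functional.append(f"functional test raised {type(exc).__name__}")
    try:
        # Security test: input containing SQL metacharacters must match nothing.
        if fn(conn, "' OR '1'='1") != []:
            security.append("input with SQL metacharacters matched rows it should not")
    except Exception as exc:
        security.append(f"security test raised {type(exc).__name__}")
    return functional, security


@dataclass
class DRVResult:
    accepted: Optional[str]
    iterations: int
    history: List[str] = field(default_factory=list)


def drv_loop(initial: str, repairer: Callable[[str, List[str]], str], max_iters: int = 3) -> DRVResult:
    """Bounded DRV: accept a candidate only when detection is clean AND every
    functional and security test passes; otherwise hand the combined report
    to the repairer and try again, at most max_iters times."""
    current = initial
    result = DRVResult(accepted=None, iterations=0)
    for i in range(1, max_iters + 1):
        result.iterations = i
        findings = detect(current)
        functional, security = verify(current)
        if not findings and not functional and not security:
            result.accepted = current
            result.history.append(f"iter {i}: accepted")
            return result
        result.history.append(
            f"iter {i}: detect={len(findings)} functional_fail={len(functional)} security_fail={len(security)}"
        )
        current = repairer(current, findings + functional + security)
    return result


def scripted_repairer(proposals: List[str]) -> Callable[[str, List[str]], str]:
    """Stand-in for an LLM repair step: returns the next scripted proposal."""
    queue = list(proposals)

    def repair(source: str, report: List[str]) -> str:
        return queue.pop(0) if queue else source

    return repair


if __name__ == "__main__":
    res = drv_loop(CANDIDATE_V0, scripted_repairer([CANDIDATE_V1_REGRESSION, CANDIDATE_V2_FIXED]))
    print("\n".join(res.history))
```

With the scripted proposals the loop needs three iterations: the first repair passes the security test but is rejected for a functional regression, the second is accepted. Lowering `max_iters` to 2 leaves no accepted candidate, which is the bounded-iteration trade-off the findings refer to. Because `verify` re-runs the security tests on every candidate, a repair that introduced a new security failure would be rejected the same way.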
Taxonomy
Topics: Software Engineering Research · Advanced Malware Detection Techniques · Software Testing and Debugging Techniques
