Security Concerns in Generative AI Coding Assistants: Insights from Online Discussions on GitHub Copilot
Nicolás E. Díaz Ferreyra, Monika Swetha Gurupathi, Zadia Codabux, Nalin Arachchilage, Riccardo Scandariato

TL;DR
This paper analyzes online discussions to identify security concerns raised by developers about GenAI coding assistants like GitHub Copilot, highlighting issues such as data leakage, licensing, adversarial attacks, and insecure code suggestions.
Contribution
It systematically categorizes security concerns voiced by developers in online forums, providing insights into perceived risks and areas for improvement in GenAI coding tools.
Findings
Identified four major security concern categories: data leakage, licensing, adversarial attacks, insecure code.
Developers express critical concerns about GenAI's limitations and security trade-offs.
The study offers insights to guide enhancements in GenAI security features.
Abstract
Generative Artificial Intelligence (GenAI) has become a central component of many development tools (e.g., GitHub Copilot) that support software practitioners across multiple programming tasks, including code completion, documentation, and bug detection. However, current research has identified significant limitations and open issues in GenAI, including reliability, non-determinism, bias, and copyright infringement. While prior work has primarily focused on assessing the technical performance of these technologies for code generation, less attention has been paid to emerging concerns of software developers, particularly in the security realm. OBJECTIVE: This work explores security concerns regarding the use of GenAI-based coding assistants by analyzing challenges voiced by developers and software enthusiasts in public online forums. METHOD: We retrieved posts, comments, and discussion…
