On Fixing Insecure AI-Generated Code through Model Fine-Tuning and Prompting Strategies

📅 2026-05-07
📈 Citations: 0
✨ Influential: 0

🤖 AI Summary
AI-generated code frequently contains security vulnerabilities that hinder its trustworthy deployment. This study systematically evaluates the effectiveness of strategies such as fine-tuning and prompt engineering in mitigating Common Weakness Enumeration (CWE) issues across multiple models and programming languages. It further presents the first comprehensive analysis of their unintended side effects, including the introduction of new vulnerabilities, shifts in weakness severity, and altered co-occurrence patterns. Combining static analysis with CWE categorization, the findings reveal that security improvements are highly dependent on the specific model and mitigation technique employed; some approaches alleviate certain flaws while inadvertently introducing new risks. Consequently, no universally effective “one-size-fits-all” solution currently exists. This work provides an empirical foundation and actionable insights for designing safer AI-assisted programming systems.
📝 Abstract
The security of AI-generated code remains a major obstacle to its widespread adoption. Although code generation models achieve strong performance on functional benchmarks, their outputs frequently contain bugs and security weaknesses that undermine their trustworthiness. Prior work has explored a range of approaches to mitigate security issues in AI-generated code, e.g., using static analysis-guided generation and prompt engineering. However, their effectiveness varies widely across models and settings. This paper presents a systematic investigation of strategies for hardening model-generated code against a list of Common Weakness Enumeration (CWE). We assess the extent to which these strategies improve security across models and programming languages, using fine-tuning and prompting approaches for model output refinement. Beyond the prevalence of security weaknesses, we analyse the severity of identified CWEs, their co-occurrence, and the unintended consequences of remediation (i.e., whether fixing certain weaknesses introduces new weaknesses elsewhere in the same code). Our results show that security improvements are highly strategy- and model-dependent. Although some approaches reduce specific classes of weaknesses, they often introduce new weaknesses as side effects of the fixes. Moreover, no strategy consistently eliminates weaknesses across all models and scenarios, highlighting the absence of a universally effective "bulletproof" solution for secure AI-generated code.
Problem

Research questions and friction points this paper is trying to address.

AI-generated code
security weaknesses
Common Weakness Enumeration
code trustworthiness
secure code generation
Innovation

Methods, ideas, or system contributions that make the work stand out.

fine-tuning
prompting strategies
AI-generated code security
Common Weakness Enumeration (CWE)
remediation side effects