Persistent Human Feedback, LLMs, and Static Analyzers for Secure Code Generation and Vulnerability Detection

📅 2026-02-05
📈 Citations: 1
Influential: 0
📄 PDF

career value

191K/year
🤖 AI Summary
This study addresses the significant inaccuracies of existing static analysis tools in evaluating the security of code generated by large language models (LLMs), which often fail to reliably identify genuine vulnerabilities. The work presents the first systematic investigation of this issue and introduces a human-verified benchmark dataset of secure and vulnerable code samples to assess the performance of widely used tools such as CodeQL and Semgrep, revealing sample-level accuracy rates of only 61% and 65%, respectively. To mitigate these limitations, the authors propose a dynamic retrieval-augmented generation (RAG) framework that integrates continuous human feedback, enabling persistent knowledge reuse and iterative improvement of security capabilities. Experimental results demonstrate that this approach substantially enhances the accuracy and reliability of LLMs in both secure code generation and vulnerability detection.

Technology Category

Application Category

📝 Abstract
Existing literature heavily relies on static analysis tools to evaluate LLMs for secure code generation and vulnerability detection. We reviewed 1,080 LLM-generated code samples, built a human-validated ground-truth, and compared the outputs of two widely used static security tools, CodeQL and Semgrep, against this corpus. While 61% of the samples were genuinely secure, Semgrep and CodeQL classified 60% and 80% as secure, respectively. Despite the apparent agreement in aggregate statistics, per-sample analysis reveals substantial discrepancies: only 65% of Semgrep's and 61% of CodeQL's reports correctly matched the ground truth. These results question the reliability of static analysis tools as sole evaluators of code security and underscore the need for expert feedback. Building on this insight, we propose a conceptual framework that persistently stores human feedback in a dynamic retrieval-augmented generation pipeline, enabling LLMs to reuse past feedback for secure code generation and vulnerability detection.
Problem

Research questions and friction points this paper is trying to address.

Human Feedback
LLMs
Static Analyzers
Secure Code Generation
Vulnerability Detection
Innovation

Methods, ideas, or system contributions that make the work stand out.

Persistent Human Feedback
Retrieval-Augmented Generation
Secure Code Generation
Vulnerability Detection
Static Analysis Evaluation
🔎 Similar Papers
No similar papers found.