This study addresses the insufficient attention given to security concerns surrounding generative AI programming assistants. By analyzing public discussions about GitHub Copilot on Stack Overflow, Reddit, and Hacker News, and integrating BERTopic-based text clustering with qualitative thematic analysis, the work systematically identifies four primary security issues raised by real-world developer communities: data leakage, code licensing compliance, adversarial attacks, and unsafe code suggestions. This research provides the first empirical characterization of these concerns grounded in authentic user discourse, offering actionable insights and evidence-based guidance for enhancing the built-in security mechanisms of generative AI coding tools.

Generative Artificial Intelligence (GenAI) has become a central component of many development tools (e.g., GitHub Copilot) that support software practitioners across multiple programming tasks, including code completion, documentation, and bug detection. However, current research has identified significant limitations and open issues in GenAI, including reliability, non-determinism, bias, and copyright infringement. While prior work has primarily focused on assessing the technical performance of these technologies for code generation, less attention has been paid to emerging concerns of software developers, particularly in the security realm. OBJECTIVE: This work explores security concerns regarding the use of GenAI-based coding assistants by analyzing challenges voiced by developers and software enthusiasts in public online forums. METHOD: We retrieved posts, comments, and discussion threads addressing security issues in GitHub Copilot from three popular platforms, namely Stack Overflow, Reddit, and Hacker News. These discussions were clustered using BERTopic and then synthesized using thematic analysis to identify distinct categories of security concerns. RESULTS: Four major concern areas were identified, including potential data leakage, code licensing, adversarial attacks (e.g., prompt injection), and insecure code suggestions, underscoring critical reflections on the limitations and trade-offs of GenAI in software engineering. IMPLICATIONS: Our findings contribute to a broader understanding of how developers perceive and engage with GenAI-based coding assistants, while highlighting key areas for improving their built-in security features.