{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T10:16:16Z","timestamp":1779099376898,"version":"3.51.4"},"reference-count":84,"publisher":"Association for Computing Machinery (ACM)","issue":"8","funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"crossref","award":["62172311"],"award-info":[{"award-number":["62172311"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]},{"name":"Major Science and Technology Project of Hubei","award":["2024BAA008"],"award-info":[{"award-number":["2024BAA008"]}]},{"name":"Supercomputing Center of Wuhan University"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2025,11,30]]},"abstract":"\n Modern code generation tools utilizing AI models like Large Language Models have gained increased popularity due to their ability to produce functional code. However, their usage presents security challenges, often resulting in insecure code merging into the code base. Thus, evaluating the quality of generated code, especially its security, is crucial. While prior research explored various aspects of code generation, the focus on security has been limited, mostly examining code produced in controlled environments rather than open source development scenarios. To address this gap, we conducted an empirical study, analyzing code snippets generated by GitHub Copilot and two other AI code generation tools (i.e., CodeWhisperer and Codeium) from GitHub projects. Our analysis identified 733 snippets, revealing a high likelihood of security weaknesses, with 29.5% of Python and 24.2% of JavaScript snippets affected. These issues span 43 Common Weakness Enumeration (CWE) categories, including significant ones like\n CWE-330: Use of Insufficiently Random Values<\/jats:italic>\n ,\n CWE-94: Improper Control of Generation of Code<\/jats:italic>\n , and\n CWE-79: Cross-site Scripting<\/jats:italic>\n . Notably, eight of those CWEs are among the 2023 CWE Top-25, highlighting their severity. We further examined using\n Copilot Chat<\/jats:italic>\n to fix security issues in Copilot-generated code by providing\n Copilot Chat<\/jats:italic>\n with warning messages from the static analysis tools, and up to 55.5% of the security issues can be fixed. We finally provide the suggestions for mitigating security issues in generated code.\n <\/jats:p>","DOI":"10.1145\/3716848","type":"journal-article","created":{"date-parts":[[2025,2,12]],"date-time":"2025-02-12T11:03:42Z","timestamp":1739358222000},"page":"1-34","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":30,"title":["Security Weaknesses of Copilot-Generated Code in GitHub Projects: An Empirical Study"],"prefix":"10.1145","volume":"34","author":[{"ORCID":"https:\/\/orcid.org\/0009-0001-3510-8930","authenticated-orcid":false,"given":"Yujia","family":"Fu","sequence":"first","affiliation":[{"name":"School of Computer Science, Wuhan University, Wuhan, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2056-5346","authenticated-orcid":false,"given":"Peng","family":"Liang","sequence":"additional","affiliation":[{"name":"School of Computer Science, Wuhan University, Wuhan, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9454-1366","authenticated-orcid":false,"given":"Amjed","family":"Tahir","sequence":"additional","affiliation":[{"name":"Massey University, Palmerston North, New Zealand"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7258-993X","authenticated-orcid":false,"given":"Zengyang","family":"Li","sequence":"additional","affiliation":[{"name":"School of Computer Science, Central China Normal University, Wuhan, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9081-1354","authenticated-orcid":false,"given":"Mojtaba","family":"Shahin","sequence":"additional","affiliation":[{"name":"RMIT University, Melbourne, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-7017-5804","authenticated-orcid":false,"given":"Jiaxin","family":"Yu","sequence":"additional","affiliation":[{"name":"School of Computer Science, Wuhan University, Wuhan, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7410-9146","authenticated-orcid":false,"given":"Jinfu","family":"Chen","sequence":"additional","affiliation":[{"name":"School of Computer Science, Wuhan University, Wuhan, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,10,6]]},"reference":[{"key":"e_1_3_1_2_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-023-10380-1"},{"key":"e_1_3_1_3_2","doi-asserted-by":"publisher","DOI":"10.1145\/3586030"},{"key":"e_1_3_1_4_2","doi-asserted-by":"publisher","DOI":"10.1145\/3545945.3569759"},{"key":"e_1_3_1_5_2","doi-asserted-by":"publisher","DOI":"10.5555\/3495724.3495883"},{"key":"e_1_3_1_6_2","doi-asserted-by":"publisher","DOI":"10.1177\/0049124113500475"},{"key":"e_1_3_1_7_2","unstructured":"Mark Chen Jerry Tworek Heewoo Jun Qiming Yuan Henrique Ponde de Oliveira Pinto Jared Kaplan Harri Edwards Yuri Burda Nicholas Joseph Greg Brockman et al. 2021. Evaluating large language models trained on code. arXiv:2107.03374. Retrieved from https:\/\/arxiv.org\/abs\/2107.03374"},{"key":"e_1_3_1_8_2","first-page":"1","article-title":"A comparative analysis of node. js (server-side javascript)","volume":"5","author":"Chhetri Nimesh","year":"2016","unstructured":"Nimesh Chhetri. 2016. A comparative analysis of node. js (server-side javascript). Culminating Projects in Computer Science and Information Technology 5 (2016), 1\u201369.","journal-title":"Culminating Projects in Computer Science and Information Technology"},{"key":"e_1_3_1_9_2","unstructured":"CodeQL. 2024. CodeQL Query Help. Retrieved from https:\/\/codeql.github.com\/codeql-query-help\/"},{"key":"e_1_3_1_10_2","doi-asserted-by":"publisher","DOI":"10.1177\/001316446002000104"},{"key":"e_1_3_1_11_2","unstructured":"Copilot. 2024. Best-practices-for-using-github-copilot. Retrieved from https:\/\/docs.github.com\/zh\/copilot\/using-github-copilot\/best-practices-for-using-github-copilot"},{"key":"e_1_3_1_12_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2017.2682323"},{"key":"e_1_3_1_13_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2023.111734"},{"key":"e_1_3_1_14_2","doi-asserted-by":"publisher","DOI":"10.1145\/3338112"},{"key":"e_1_3_1_15_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2020.3004525"},{"key":"e_1_3_1_16_2","unstructured":"Alex Dow. 2021. GitHub\u2019s Copilot Security Issues. Retrieved from https:\/\/miraisecurity.com\/blog\/githubs-copilot-security-issues"},{"key":"e_1_3_1_17_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP57164.2023.00036"},{"key":"e_1_3_1_18_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-84800-044-5_11"},{"key":"e_1_3_1_19_2","unstructured":"Ran Elgedawy John Sadik Senjuti Dutta Anuj Gautam Konstantinos Georgiou Farzin Gholamrezae Fujiao Ji Kyungchan Lim Qian Liu and Scott Ruoti. 2024. Ocassionally secure: A comparative analysis of code generation assistants. arXiv:2402.00689. Retrieved from https:\/\/arxiv.org\/2402.00689"},{"key":"e_1_3_1_20_2","first-page":"24","volume-title":"ICSE Workshop on Dynamic Analysis (WODA)","author":"Ernst Michael D.","year":"2003","unstructured":"Michael D. Ernst. 2003. Static and dynamic analysis: Synergy and duality. In ICSE Workshop on Dynamic Analysis (WODA). ACM, 24\u201327."},{"key":"e_1_3_1_21_2","unstructured":"ESLint Contributors. 2024. ESLint - Pluggable JavaScript linter. GitHub. Retrieved from https:\/\/eslint.org\/"},{"key":"e_1_3_1_22_2","doi-asserted-by":"publisher","unstructured":"Yujia Fu Peng Liang Amjed Tahir Zengyang Li Mojtaba Shahin Jiaxin Yu and Jinfu Chen. 2024. Dataset of the Paper \u201cSecurity Weaknesses of Copilot-Generated Code in GitHub Projects: An Empirical Study\u201d. Retrieved from 10.5281\/zenodo.10802054","DOI":"10.5281\/zenodo.10802054"},{"key":"e_1_3_1_23_2","unstructured":"GitHub. 2023. CodeQL (1.6 ed.). GitHub. Retrieved from https:\/\/securitylab.github.com\/tools\/codeql"},{"key":"e_1_3_1_24_2","unstructured":"GitHub. 2023. GitHub Copilot Chat Beta Now Available for Every Organization. Retrieved from https:\/\/github.blog\/news-insights\/product-news\/github-copilot-chat-beta-now-available-for-every-organization\/"},{"key":"e_1_3_1_25_2","unstructured":"GitHub. 2023. GitHub Copilot for Individuals. Retrieved from https:\/\/docs.github.com\/en\/copilot\/overview-of-github-copilot\/about-github-copilot-for-individuals"},{"key":"e_1_3_1_26_2","unstructured":"GitHub. 2023. GitHub CopilotX Preview. Retrieved from https:\/\/github.com\/features\/preview\/copilot-x"},{"key":"e_1_3_1_27_2","unstructured":"GitHub. 2023. Using the CodeQL CLI. GitHub. Retrieved from https:\/\/docs.github.com\/zh\/code-security\/codeql-cli\/using-the-codeql-cli\/analyzing-databases-with-the-codeql-cli"},{"key":"e_1_3_1_28_2","unstructured":"GitHub. 2024. GitHub Copilot Chat \u2013 Visual Studio Marketplace. Retrieved from https:\/\/marketplace.visualstudio.com\/items?itemName=GitHub.copilot-chat"},{"key":"e_1_3_1_29_2","unstructured":"GitHub. 2024. Octoverse 2024 Top Programming Languages. Retrieved from https:\/\/github.blog\/news-insights\/octoverse\/octoverse-2024\/#the-most-popular-programming-languages"},{"key":"e_1_3_1_30_2","unstructured":"Halfnine. 2024. JavaScript vs Python: Breaking Down Performance Ease of Use and More. Retrieved from https:\/\/www.halfnine.com\/blog\/post\/javascript-vs-python"},{"key":"e_1_3_1_31_2","unstructured":"William Harding and Matthew Kloster. 2024. Coding on Copilot: 2023 Data Suggests Downward Pressure on Code Quality. Retrieved from https:\/\/www.gitclear.com\/coding_on_copilot_data_shows_ais_downward_pressure_on_code_quality"},{"key":"e_1_3_1_32_2","unstructured":"Jingxuan He and Martin Vechev. 2023. Controlling large language models to generate secure and vulnerable code. arXiv:2302.05319. Retrieved from https:\/\/arxiv.org\/abs\/2302.05319"},{"key":"e_1_3_1_33_2","unstructured":"Jingxuan He Mark Vero Gabriela Krasnopolska and Martin Vechev. 2024. Instruction tuning for secure code generation. arXiv:2402.09497. Retrieved from https:\/\/arxiv.org\/abs\/2402.09497"},{"key":"e_1_3_1_34_2","doi-asserted-by":"publisher","unstructured":"Michael Huth and Flemming Nielson. 2019. Static analysis for proactive security 374\u2013392. Retrieved from 10.1007\/978-3-319-91908-9_19","DOI":"10.1007\/978-3-319-91908-9_19"},{"key":"e_1_3_1_35_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2022.3140868"},{"key":"e_1_3_1_36_2","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510214"},{"key":"e_1_3_1_37_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.procs.2020.04.217"},{"key":"e_1_3_1_38_2","doi-asserted-by":"publisher","DOI":"10.1109\/SMC53992.2023.10394237"},{"key":"e_1_3_1_39_2","unstructured":"Paul Krill. 2024. GitHub copilot makes insecure code even less secure Snyk says. Retrieved from https:\/\/www.infoworld.com\/article\/3713141\/github-copilot-makes-insecure-code-even-less-secure-snyk-says.amp.html"},{"key":"e_1_3_1_40_2","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.2208.08603"},{"key":"e_1_3_1_41_2","doi-asserted-by":"publisher","DOI":"10.1126\/science.abq1158."},{"key":"e_1_3_1_42_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00110"},{"key":"e_1_3_1_43_2","doi-asserted-by":"publisher","DOI":"10.1145\/3643674"},{"key":"e_1_3_1_44_2","doi-asserted-by":"publisher","DOI":"10.1109\/SANER60148.2024.00051"},{"key":"e_1_3_1_45_2","unstructured":"Dwayne McDaniel. 2021. GitHub Copilot: Security and Privacy. Retrieved from https:\/\/blog.gitguardian.com\/github-copilot-security-and-privacy\/"},{"key":"e_1_3_1_46_2","unstructured":"MITRE. 2023. CWE Top 25 Most Dangerous Software Errors 2023. Retrieved from https:\/\/cwe.mitre.org\/top25\/archive\/2023\/2023_top25_list.html"},{"key":"e_1_3_1_47_2","unstructured":"MITRE. 2024. Common Weakness Enumeration (CWE) Data. Retrieved from https:\/\/cwe.mitre.org\/data\/index.html"},{"key":"e_1_3_1_48_2","doi-asserted-by":"publisher","DOI":"10.1145\/3613904.3641936"},{"key":"e_1_3_1_49_2","doi-asserted-by":"publisher","DOI":"10.1109\/AICAI.2019.8701341"},{"key":"e_1_3_1_50_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2024.3355713"},{"key":"e_1_3_1_51_2","doi-asserted-by":"publisher","DOI":"10.1145\/3524842.3528470"},{"key":"e_1_3_1_52_2","doi-asserted-by":"publisher","DOI":"10.1007\/s40279-017-0824-x."},{"key":"e_1_3_1_53_2","unstructured":"OpenAI. 2021. Introducing Codex: The AI Behind GitHub Copilot. Retrieved from https:\/\/openai.com\/blog\/openai-codex"},{"key":"e_1_3_1_54_2","unstructured":"Stack Overflow. 2024. Stack Overflow Developer Survey 2024: Most Popular Technologies (AI Search Dev). Retrieved from https:\/\/survey.stackoverflow.co\/2024\/technology#most-popular-technologies-ai-search-dev"},{"key":"e_1_3_1_55_2","unstructured":"OWASP. 2024. Source Code Analysis Tools. Retrieved from https:\/\/owasp.org\/www-community\/Source_Code_Analysis_Tools"},{"key":"e_1_3_1_56_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833571"},{"key":"e_1_3_1_57_2","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3623157"},{"key":"e_1_3_1_58_2","unstructured":"PubNub. 2024. JavaScript: The Complete Guide for Front-End Development. Retrieved from https:\/\/www.pubnub.com\/guides\/javascript\/"},{"key":"e_1_3_1_59_2","unstructured":"Rohith Pudari and Neil A. Ernst. 2023. From copilot to pilot: Towards AI supported software development. arXiv:2303.04142. Retrieved from https:\/\/arxiv.org\/abs\/2303.04142"},{"key":"e_1_3_1_60_2","unstructured":"PyCQA. 2024. Bandit: A Security Linter for Python. Retrieved from https:\/\/github.com\/PyCQA\/bandit"},{"key":"e_1_3_1_61_2","unstructured":"Meghan Reichenbach. 2022. Python vs. JavaScript: Which Should You Learn? Retrieved from https:\/\/blog.boot.dev\/python\/python-vs-javascript\/"},{"key":"e_1_3_1_62_2","first-page":"149","volume-title":"23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID)","author":"Rokon Md Omar Faruk","year":"2020","unstructured":"Md Omar Faruk Rokon, Risul Islam, Ahmad Darki, Evangelos E. Papalexakis, and Michalis Faloutsos. 2020. SourceFinder: Finding malware source-code from publicly available repositories in GitHub. In 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID). USENIX, 149\u2013163."},{"key":"e_1_3_1_63_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-008-9102-8"},{"key":"e_1_3_1_64_2","doi-asserted-by":"publisher","DOI":"10.1145\/3188720"},{"key":"e_1_3_1_65_2","unstructured":"Gustavo Sandoval Hammond Pearce Teo Nys Ramesh Karri Brendan Dolan-Gavitt and Siddharth Garg. 2022. Security implications of large language model code assistants: A user study. arXiv:2208.09727. Retrieved from https:\/\/arxiv.org\/abs\/2208.09727"},{"key":"e_1_3_1_66_2","unstructured":"Advait Sarkar Andrew D. Gordon Carina Negreanu Christian Poelitz Sruti Srinivasa Ragavan and Ben Zorn. 2022. What is it like to program with artificial intelligence? arXiv:2208.06213. Retrieved from https:\/\/arxiv.org\/abs\/2208.06213"},{"key":"e_1_3_1_67_2","unstructured":"Xinyu She Yue Liu Yanjie Zhao Yiling He Li Li Chakkrit Tantithamthavorn Zhan Qin and Haoyu Wang. 2023. Pitfalls in language models for code intelligence: A taxonomy and survey. arXiv:2310.17903. Retrieved from https:\/\/arxiv.org\/abs\/2310.17903"},{"key":"e_1_3_1_68_2","doi-asserted-by":"publisher","DOI":"10.1109\/SCAM55253.2022.00014"},{"key":"e_1_3_1_69_2","doi-asserted-by":"publisher","DOI":"10.1145\/3549035.3561184"},{"key":"e_1_3_1_70_2","unstructured":"Simplilearn. 2024. Applications of Python (Explained with Examples). Retrieved from https:\/\/www.simplilearn.com\/what-is-python-used-for-article"},{"key":"e_1_3_1_71_2","unstructured":"Snyk. 2024. Snyk Code: Secure Your Code as You Develop. Retrieved https:\/\/snyk.io\/product\/snyk-code"},{"key":"e_1_3_1_72_2","doi-asserted-by":"publisher","DOI":"10.1145\/3512290.3528700"},{"key":"e_1_3_1_73_2","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380441"},{"key":"e_1_3_1_74_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSM.2012.6405289"},{"key":"e_1_3_1_75_2","unstructured":"The MITRE Corporation. 2023. CWE VIEW: Software Development. Retrieved from https:\/\/cwe.mitre.org\/data\/definitions\/699.html"},{"key":"e_1_3_1_76_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2018.2871058"},{"key":"e_1_3_1_77_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSR59073.2023.00084"},{"key":"e_1_3_1_78_2","first-page":"1","volume-title":"40th ACM Conference on Human Factors in Computing Systems (CHI)","author":"Vaithilingam Priyan","year":"2022","unstructured":"Priyan Vaithilingam, Tianyi Zhang, and Elena L. Glassman. 2022. Expectation vs. experience: Evaluating the usability of code generation tools powered by large language models. In 40th ACM Conference on Human Factors in Computing Systems (CHI). ACM, 1\u20137."},{"key":"e_1_3_1_79_2","first-page":"241","volume-title":"1st International Joint Conference on Artificial Intelligence (IJCAI)","author":"Waldinger Richard J.","year":"1969","unstructured":"Richard J. Waldinger and Richard C. T. Lee. 1969. PROW: A step toward automatic program writing. In 1st International Joint Conference on Artificial Intelligence (IJCAI). ACM, 241\u2013252."},{"key":"e_1_3_1_80_2","unstructured":"Jules White Quchen Fu Sam Hays Michael Sandborn Carlos Olea Henry Gilbert Ashraf Elnashar Jesse Spencer-Smith and Douglas C. Schmidt. 2023. A prompt pattern catalog to enhance prompt engineering with chatgpt. arXiv:2302.11382. Retrieved from https:\/\/arxiv.org\/abs\/2302.11382"},{"key":"e_1_3_1_81_2","unstructured":"Dakota Wong Austin Kothig and Patrick Lam. 2022. Exploring the verifiability of code generated by github copilot. arXiv:2209.01766. Retrieved from https:\/\/arxiv.org\/abs\/2209.01766"},{"key":"e_1_3_1_82_2","unstructured":"Burak Yeti\u015ftiren I\u015f\u0131k \u00d6zsoy Miray Ayerdem and Eray T\u00fcz\u00fcn. 2023. Evaluating the code quality of AI-assisted code generation tools: An empirical study on GitHub copilot Amazon CodeWhisperer and ChatGPT. arXiv:2304.10778. Retrieved from https:\/\/arxiv.org\/abs\/2304.10778"},{"key":"e_1_3_1_83_2","doi-asserted-by":"publisher","DOI":"10.1145\/3558489.355907"},{"key":"e_1_3_1_84_2","unstructured":"Xiao Yu Lei Liu Xing Hu Jacky Wai Keung Jin Liu and Xin Xia. 2024. Where are large language models for code generation on GitHub? arXiv:2406.19544. Retrieved from https:\/\/arxiv.org\/abs\/2304.10778"},{"key":"e_1_3_1_85_2","doi-asserted-by":"publisher","DOI":"10.1142\/S0218194023410048"}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3716848","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,6]],"date-time":"2025-10-06T13:43:27Z","timestamp":1759758207000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3716848"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,6]]},"references-count":84,"journal-issue":{"issue":"8","published-print":{"date-parts":[[2025,11,30]]}},"alternative-id":["10.1145\/3716848"],"URL":"https:\/\/doi.org\/10.1145\/3716848","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"value":"1049-331X","type":"print"},{"value":"1557-7392","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,10,6]]},"assertion":[{"value":"2024-03-23","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-02-06","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-10-06","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}