{"id":103933,"date":"2025-09-23T00:05:00","date_gmt":"2025-09-22T22:05:00","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?p=103933"},"modified":"2025-12-30T21:23:41","modified_gmt":"2025-12-30T19:23:41","slug":"why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can","status":"publish","type":"post","link":"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/","title":{"rendered":"Why an AI Code Generator Can&#8217;t Secure Its Own Code. And Why Checkmarx Assist Can."},"content":{"rendered":"<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-1\">The person who writes the code shouldn\u2019t be the one who signs off on its security<\/h2>\n\n\n\n<p>As GenAI tools revolutionize how code is written, engineering leaders face a new wave of questions.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Is AI-generated code safe?<\/li>\n\n\n\n<li>Who\u2019s reviewing what GenAI suggests?<\/li>\n\n\n\n<li>Can the tool that generated the code be trusted to validate it?<br>\n<\/li>\n<\/ul>\n\n\n\n<p>According to a <a href=\"https:\/\/checkmarx.com\/report-idc-marketscape-for-aspm-2025\/\">2025 IDC report<\/a>, the behavioral pattern of \u201cvibe coding,\u201d in which developers are using AI assistants, is a catalyst for increasingly accepting code with limited scrutiny and prioritizing speed over validation. While GenAI undeniably boosts developer productivity, this shift introduces real security risks. 
\u201cDevelopers assemble or accept code with limited scrutiny,\u201d Katie Norton, IDC.<br><\/p>\n\n\n\n<p>It\u2019s not just a theory, it\u2019s happening at scale.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody>\n<tr>\n<td class=\"has-text-align-center\" data-align=\"center\"><strong>Model<\/strong><\/td>\n<td class=\"has-text-align-center\" data-align=\"center\"><strong>Correct &amp; Secure<\/strong><\/td>\n<td class=\"has-text-align-center\" data-align=\"center\"><strong>Correct Only<\/strong><\/td>\n<td class=\"has-text-align-center\" data-align=\"center\"><strong>% Insecure of Correct<\/strong><\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-center\" data-align=\"center\">OpenAI g3<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">47.8%<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">51.6%<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">26.7%<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-center\" data-align=\"center\">Claude 3 Sonnet<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">40.7%<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">52.1%<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">24.1%<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-center\" data-align=\"center\">GPT-4.1<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">41.1%<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">55.1%<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">25.6%<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-center\" data-align=\"center\">Gemini 1.5 Pro<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">33.8%<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">60.2%<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">21.4%<\/td>\n<\/tr>\n<\/tbody><\/table><\/figure>\n\n\n\n<p class=\"has-text-align-center\"><em>https:\/\/baxbench.com\/ June 
2025<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-2\">The Rise of \u201cVibe Coding,\u201d and Why It\u2019s a Problem<\/h2>\n\n\n\n<p><a href=\"https:\/\/my.idc.com\/getdoc.jsp?containerId=US52577524\">IDC\u2019s 2024 Generative AI Developer Study<\/a> reports that developers using GenAI tools achieve a 35% productivity boost, often matching the output of 3\u20135 engineers. However, many of those AI-assisted outputs are deposited in the repository unchecked; some are insecure, some noncompliant, and some outright dangerous.<\/p>\n\n\n\n<p>This risk is also validated by independent security benchmarks. In tests across multiple large language model developer assistants, up to 70% of AI-generated code was found to be insecure or flawed when evaluated against secure coding baselines (source: <a href=\"https:\/\/baxbench.com\/\">BaxBench<\/a>, June 2025). At the same time, enterprise adoption is accelerating, with analysts projecting that 90% of enterprise engineers will use GenAI tools by 2028. Code volume is exploding, but validation isn\u2019t keeping pace.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-3\">Code Generators Aren\u2019t Built to Be Code Reviewers<\/h2>\n\n\n\n<p>Tools that generate code excel at accelerating development. They scaffold boilerplate, offer real-time completions, and help developers explore frameworks. But they weren\u2019t built to perform secure code validation.<\/p>\n\n\n\n<p>They don\u2019t:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enforce your AppSec policies<\/li>\n\n\n\n<li>Validate against known CVEs or malicious dependencies<\/li>\n\n\n\n<li>Assess license compliance<\/li>\n\n\n\n<li>Create audit trails or enforce remediation workflows<\/li>\n\n\n\n<li>Block risky commits based on code context<\/li>\n<\/ul>\n\n\n\n<p>Even GitHub makes it clear: Copilot suggests code but doesn\u2019t secure it. 
Most GenAI tools optimize for speed, not secure validation, policy enforcement, or risk oversight. Even when layered with basic guardrails, they can\u2019t guarantee protection at the scale or specificity required in real-world CI\/CD environments.<\/p>\n\n\n\n<p>AI code generation is creative; secure software demands consistency, not improvisation. The recent IDC report puts it clearly: \u201cAs AI becomes part of the development process itself, organizations must adapt their security practices to keep pace with faster and less predictable workflows.\u201d Security can\u2019t be tacked on as an afterthought or handled by the same tool that wrote the code in the first place.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-4\">Checkmarx Assist: Agentic AI That Acts, Not Just Suggests<\/h2>\n\n\n\n<p>If you want your AppSec to be autonomous and proactive, this is where Checkmarx One Assist comes in. Unlike generative tools that suggest code, Checkmarx Assist is agentic AI built on the Checkmarx One platform, designed to evaluate, enforce, and remediate based on trusted security intelligence and organizational policy.<\/p>\n\n\n\n<p>With Checkmarx Assist, you have:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Vulnerability detection directly in the IDE (even before code is committed)<\/li>\n\n\n\n<li>Fix suggestions enriched with context and guided explanations<\/li>\n\n\n\n<li>Auto-generated, compliant pull requests<\/li>\n\n\n\n<li>Security actions aligned to policy, with audit trails and platform-wide oversight<\/li>\n<\/ul>\n\n\n\n<p>And it\u2019s not just one agent, it\u2019s a family:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Developer Assist Agent: Works in the IDE to secure code pre-commit<\/li>\n\n\n\n<li>Policy Assist Agent: Applies AppSec rules and gates across the CI\/CD pipeline<\/li>\n\n\n\n<li>Insights Assist Agent: Surfaces metrics like MTTR, risk posture, and fix 
rates<\/li>\n<\/ul>\n\n\n\n<p>These capabilities are built on top of Checkmarx\u2019s proven AppSec engines (SAST, SCA, IaC, and Secrets) and backed by a threat intelligence network that monitors over 400,000 known malicious packages.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-5\">Separation of Duties: Still Non-Negotiable in AppSec<\/h2>\n\n\n\n<p>You wouldn\u2019t let a developer merge their own PR without a second pair of eyes. You wouldn\u2019t let your accounting team audit their own numbers. If GenAI is the author, it shouldn\u2019t be the reviewer.<\/p>\n\n\n\n<p>Checkmarx Assist gives your team the security partner it needs:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A second set of eyes<\/li>\n\n\n\n<li>Independent risk detection<\/li>\n\n\n\n<li>Policy-enforced action<\/li>\n\n\n\n<li>Full coverage across the SDLC<\/li>\n<\/ul>\n\n\n\n<p>Organizations using Checkmarx Assist report fewer vulnerabilities, higher remediation rates, and improved DORA metrics, such as lead time and change failure rate, without slowing delivery velocity.<\/p>\n\n\n\n<p>Checkmarx One Assist not only remediates security issues like malicious packages and secrets in real time, it also suggests surrounding code fixes to resolve any breaking changes caused by the remediation.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-6\">What the Data Tells Us: Real ROI From Risk Reduction<\/h2>\n\n\n\n<p>Security is measurable, and the numbers speak volumes.<\/p>\n\n\n\n<p>When teams rely solely on GenAI code assistants, they may accelerate output but miss critical context, governance, and enforcement. The results can be costly. 
From rework and regression to unpatched vulnerabilities and license violations, the downstream risks add up fast.<\/p>\n\n\n\n<p>That\u2019s why Checkmarx Assist was benchmarked not only for its security precision, but for its impact on real-world development and remediation economics.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Vulnerability Remediation<\/h3>\n\n\n\n<p>Engineering teams that rely only on GenAI tools often need to manually review and correct insecure suggestions, which increases time spent and risk exposure. The cost of weekly developer time spent remediating vulnerabilities averages around $375 per developer, and without context-aware validation, 1 in 4 fixes still introduces a security flaw.<\/p>\n\n\n\n<p>With Checkmarx Assist layered in, remediation becomes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Faster, thanks to pre-commit detection in the IDE<\/li>\n\n\n\n<li>More accurate, with secure-by-default code fixes aligned to policy<\/li>\n\n\n\n<li>Less risky, dropping flaw rates from 25% to 5%<\/li>\n<\/ul>\n\n\n\n<p>This translates into a risk-adjusted weekly savings of over $200 per developer, while materially improving your mean-time-to-remediate (MTTR).<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody>\n<tr>\n<td><strong>Scenario<\/strong><\/td>\n<td><strong>Weekly Cost (Time)<\/strong><\/td>\n<td><strong>Security Flaw Risk per Fix<\/strong><\/td>\n<td><strong>Risk-Adjusted Weekly Cost<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Copilot Only<\/td>\n<td>$375<\/td>\n<td>25%<\/td>\n<td>$506.25<\/td>\n<\/tr>\n<tr>\n<td>Copilot + Checkmarx Assist<\/td>\n<td>$270<\/td>\n<td>5%<\/td>\n<td>$297.00<\/td>\n<\/tr>\n<tr>\n<td>Risk-Adjusted Cost<\/td>\n<td>$1,012<\/td>\n<td>$506<\/td>\n<td>$297<\/td>\n<\/tr>\n<\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Open Source Package Validation<\/h3>\n\n\n\n<p>Open source is foundational &#8211; but risky when mismanaged. 
License compliance violations, known-vulnerable packages, and malicious dependencies are easy to miss when code is accepted without inspection.<\/p>\n\n\n\n<p>Teams using GenAI alone spend more than an hour per evaluation, often still missing critical red flags. The cost: up to $337.50 per developer, per week in risk-adjusted impact.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody>\n<tr>\n<td class=\"has-text-align-center\" data-align=\"center\"><strong>Scenario<\/strong><\/td>\n<td class=\"has-text-align-center\" data-align=\"center\"><strong>Without AI<\/strong><\/td>\n<td class=\"has-text-align-center\" data-align=\"center\"><strong>GenAI Only<\/strong><\/td>\n<td class=\"has-text-align-center\" data-align=\"center\"><strong>GenAI + Checkmarx Assist<\/strong><\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-center\" data-align=\"center\">Time per evaluation<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">1.5 hrs<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">1.25 hrs<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">0.5 hrs<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-center\" data-align=\"center\">License risk<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">15%<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">15%<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">5%<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-center\" data-align=\"center\">Malicious package risk<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">20%<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">20%<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">5%<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-center\" data-align=\"center\">Risk-adjusted weekly cost<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">$405<\/td>\n<td class=\"has-text-align-center\" data-align=\"center\">$337.50<\/td>\n<td 
class=\"has-text-align-center\" data-align=\"center\">$110.00<\/td>\n<\/tr>\n<\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-7\">Close the Gap. Don\u2019t Just Hope for the Best.<\/h2>\n\n\n\n<p>If your GenAI tool is the racecar, Checkmarx Assist is the seatbelt, speedometer, and crash test validation, all built in. The result is a 67% reduction in risk-adjusted cost, along with stronger coverage and less manual overhead. These gains aren\u2019t just productivity-based, they\u2019re risk-adjusted cost reductions that reflect fewer vulnerabilities, faster fixes, and fewer post-deployment fire drills.<\/p>\n\n\n\n<p><strong>Book a demo<\/strong> of Checkmarx Assist today and see how agentic AI gives your AppSec program the visibility, control, and automation it needs to stay ahead. In an era of vibe coding and machine-speed development, your security tooling can\u2019t afford to watch from the sidelines. Empower it to act.<\/p>\n\n\n\n<p><strong>If your developers generate code with AI, consult a Checkmarx expert.<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/checkmarx.com\/request-a-demo\/\"><strong>Request a personalized demo<\/strong><\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>The person who writes the code shouldn\u2019t be the one who signs off on its security As GenAI tools revolutionize how code is written, engineering leaders face a new wave of questions. 
According to a 2025 IDC report, the behavioral pattern of \u201cvibe coding,\u201d in which developers are using AI assistants, is a catalyst for [&hellip;]<\/p>\n","protected":false},"author":48,"featured_media":103953,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1284,84],"tags":[1411,87,1410,89,473],"class_list":["post-103933","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ai-llm-tools-in-application-security","category-blog","tag-ai-in-engineering","tag-appsec","tag-genai-security","tag-secure-coding","tag-software-development"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>AI Code Generators vs Secure Code<\/title>\n<meta name=\"description\" content=\"Why GenAI tools can\u2019t secure their own code - and how Checkmarx Assist bridges the gap.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"AI Code Generators vs Secure Code\" \/>\n<meta property=\"og:description\" content=\"Why GenAI tools can\u2019t secure their own code - and how Checkmarx Assist bridges the gap.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:published_time\" 
content=\"2025-09-22T22:05:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-12-30T19:23:41+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/github_copilot.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"2033\" \/>\n\t<meta property=\"og:image:height\" content=\"1016\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"author\" content=\"Ori Bendet\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ori Bendet\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/\"},\"author\":{\"name\":\"Ori Bendet\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/e48f31f49882392cc268ba2a9a439761\"},\"headline\":\"Why an AI Code Generator Can&#8217;t Secure Its Own Code. 
And Why Checkmarx Assist Can.\",\"datePublished\":\"2025-09-22T22:05:00+00:00\",\"dateModified\":\"2025-12-30T19:23:41+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/\"},\"wordCount\":1193,\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/github_copilot.webp\",\"keywords\":[\"AI in Engineering\",\"AppSec\",\"GenAI Security\",\"Secure Coding\",\"Software Development\"],\"articleSection\":[\"AI &amp; LLM Tools in Application Security\",\"Blog\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/\",\"url\":\"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/\",\"name\":\"AI Code Generators vs Secure Code\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/github_copilot.webp\",\"datePublished\":\"2025-09-22T22:05:00+00:00\",\"dateModified\":\"2025-12-30T19:23:41+00:00\",\"description\":\"Why GenAI tools can\u2019t secure their own code - and how Checkmarx Assist bridges the 
gap.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/github_copilot.webp\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/github_copilot.webp\",\"width\":2033,\"height\":1016,\"caption\":\"AI Code Generators vs Secure Code blog cover\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkma
rx\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/e48f31f49882392cc268ba2a9a439761\",\"name\":\"Ori Bendet\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/avatar_48.jpg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/avatar_48.jpg\",\"caption\":\"Ori Bendet\"},\"url\":\"https:\/\/checkmarx.com\/author\/oribendet\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"AI Code Generators vs Secure Code","description":"Why GenAI tools can\u2019t secure their own code - and how Checkmarx Assist bridges the gap.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/","og_locale":"en_US","og_type":"article","og_title":"AI Code Generators vs Secure Code","og_description":"Why GenAI tools can\u2019t secure their own code - and how Checkmarx Assist bridges the gap.","og_url":"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_published_time":"2025-09-22T22:05:00+00:00","article_modified_time":"2025-12-30T19:23:41+00:00","og_image":[{"width":2033,"height":1016,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/github_copilot.webp","type":"image\/webp"}],"author":"Ori Bendet","twitter_card":"summary_large_image","twitter_creator":"@checkmarx","twitter_site":"@checkmarx","twitter_misc":{"Written by":"Ori Bendet","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/#article","isPartOf":{"@id":"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/"},"author":{"name":"Ori Bendet","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/e48f31f49882392cc268ba2a9a439761"},"headline":"Why an AI Code Generator Can&#8217;t Secure Its Own Code. And Why Checkmarx Assist Can.","datePublished":"2025-09-22T22:05:00+00:00","dateModified":"2025-12-30T19:23:41+00:00","mainEntityOfPage":{"@id":"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/"},"wordCount":1193,"publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"image":{"@id":"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/github_copilot.webp","keywords":["AI in Engineering","AppSec","GenAI Security","Secure Coding","Software Development"],"articleSection":["AI &amp; LLM Tools in Application Security","Blog"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/","url":"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/","name":"AI Code Generators vs Secure 
Code","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/github_copilot.webp","datePublished":"2025-09-22T22:05:00+00:00","dateModified":"2025-12-30T19:23:41+00:00","description":"Why GenAI tools can\u2019t secure their own code - and how Checkmarx Assist bridges the gap.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/blog\/why-ai-code-generators-cant-secure-its-own-code-and-why-checkmarx-assist-can\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/github_copilot.webp","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/github_copilot.webp","width":2033,"height":1016,"caption":"AI Code Generators vs Secure Code blog cover"},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. 
We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]},{"@type":"Person","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/e48f31f49882392cc268ba2a9a439761","name":"Ori Bendet","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/avatar_48.jpg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/avatar_48.jpg","caption":"Ori 
Bendet"},"url":"https:\/\/checkmarx.com\/author\/oribendet\/"}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts\/103933","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/48"}],"replies":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/comments?post=103933"}],"version-history":[{"count":0,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts\/103933\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/103953"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=103933"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/categories?post=103933"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/tags?post=103933"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}