AI-assisted programming has gained significant traction in recent years, primarily driven by advances in large language model (LLM) technologies. This growth has resulted in the development of tools such as ChatGPT and GitHub Copilot. However, the use of AI models for code generation presents a critical challenge: the generated code is prone to security vulnerabilities, raising concerns within the domain of secure software development. This study examines the current research landscape on the security implications of LLM-generated code from a software engineering perspective. To this end, we conducted a multivocal literature review (MLR) in accordance with the guidelines outlined by Kitchenham et al. and Garousi et al. The search encompassed five academic sources (IEEE Xplore, ACM, ScienceDirect, Springer Link, and Wiley Online Library) as well as two grey literature sources (Google Scholar and Google). We supplemented the selection by means of backward and forward snowballing. Through the quasi-gold-standard automated search, we identified 2796 peer-reviewed studies, from which we selected 48 primary studies. The analysis revealed seven distinct categories of security vulnerabilities in LLM-generated code, six mitigation strategies and best practices, and four tools recommended for improving security in AI-assisted coding. While research on this issue remains in its early stages, initial findings highlight the need for caution when integrating AI-powered code generation into software development, as it may introduce vulnerabilities at a higher rate than human-written code. The vulnerabilities, mitigation strategies, and tools identified in this study can serve as valuable resources for developers seeking to use LLM-based programming assistants more securely and responsibly.
Leonardo Criollo Ramírez, Xavier Limón, Ángel J. Sánchez-García
Universidad Veracruzana; Universidad de Alcalá
Programming and Computer Software
synapsesocial.com/papers/69a3d79dec16d51705d2ddf1 — DOI: https://doi.org/10.1134/s0361768825700446