DEV Community

Moon sehwan

5 security patterns GitHub Copilot generates that no linter catches

I've been scanning AI-generated codebases for the past month. Here are 5 patterns that appear most often and slip past every standard tool.


1. MISSING_WRITE — The function that saves nothing

```python
def save_payment(payment_data: dict) -> dict:
    validated = validate(payment_data)
    return {"status": "saved", "id": generate_id()}
    # No INSERT. No UPDATE. Payment gone.
```

2. FAKE_ASYNC — async with zero awaits

```python
async def fetch_orders(user_id: str) -> list:
    conn = psycopg2.connect(DATABASE_URL)  # blocking — defeats async entirely
    cur = conn.cursor()  # psycopg2 connections have no execute(); queries go through a cursor
    cur.execute("SELECT * FROM orders WHERE user_id = %s", [user_id])  # also blocking
    return cur.fetchall()
```

3. INPUT_OUTPUT_DISCONNECTED — Parameters that don't affect output

```python
def calculate_discount(user_id: str, purchase_amount: float) -> float:
    return 0.10  # always 10%, inputs ignored
```

4. DEAD_CALL_RESULT — Module results that are ignored

```python
def process_order(order_id: str) -> dict:
    validate_order(order_id)      # result ignored
    check_inventory(order_id)     # result ignored — out of stock? doesn't matter
    reserve_items(order_id)       # result ignored
    return {"status": "processing"}
```

5. STUB_SKELETON — Returns True for everything

```python
def authenticate_user(username: str, password: str) -> bool:
    return True  # everyone is authenticated
```
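Patterns 2 to 5 are all visible in the AST, so a small checker can flag them in code review before anything reaches a database. The detector below is an added illustration, not the author's scanner or the VibeGuard action; MISSING_WRITE is left out because it needs a project-specific list of what counts as a persistence call. `SAMPLE` is a constructed source string that mirrors the snippets above, and the checks are heuristics (a bare `print()` call will trip DEAD_CALL_RESULT too).

```python
import ast

# Constructed sample mirroring the post's patterns 2-5 (not real project code).
SAMPLE = '''
async def fetch_orders(user_id):
    conn = connect()
    return conn.cursor().execute("SELECT 1 WHERE %s", [user_id]).fetchall()
def calculate_discount(user_id, purchase_amount):
    return 0.10
def process_order(order_id):
    validate_order(order_id)
    return {"status": "processing"}
def authenticate_user(username, password):
    return True
async def healthy(request):
    return await request.json()
'''

def _loads(node):
    """Names read (Load context) anywhere under an AST node."""
    return {n.id for n in ast.walk(node)
            if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Load)}

def find_hollow_functions(source: str) -> list:
    """Return (pattern, function_name) pairs; heuristics, not proofs."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        body = fn.body
        # FAKE_ASYNC: declared async but never awaits, async-iterates or async-withs
        if isinstance(fn, ast.AsyncFunctionDef) and not any(
                isinstance(n, (ast.Await, ast.AsyncFor, ast.AsyncWith)) for n in ast.walk(fn)):
            findings.append(("FAKE_ASYNC", fn.name))
        # STUB_SKELETON: the entire body is `return <literal>`
        if (len(body) == 1 and isinstance(body[0], ast.Return)
                and isinstance(body[0].value, ast.Constant)):
            findings.append(("STUB_SKELETON", fn.name))
        # INPUT_OUTPUT_DISCONNECTED: some parameter is never read in the body
        params = {a.arg for a in fn.args.args if a.arg not in ("self", "cls")}
        if params - set().union(*(_loads(s) for s in body)):
            findings.append(("INPUT_OUTPUT_DISCONNECTED", fn.name))
        # DEAD_CALL_RESULT: a statement that is a bare call, return value dropped
        if any(isinstance(s, ast.Expr) and isinstance(s.value, ast.Call) for s in body):
            findings.append(("DEAD_CALL_RESULT", fn.name))
    return findings
```

Run `find_hollow_functions(open(path).read())` over a file and you get the four patterns for every function in it; `healthy` in the sample is there to show a genuinely async, parameter-using function stays clean.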

Scan for all of these

```bash
curl -X POST https://pleasing-transformation-production-90c2.up.railway.app/v1/scan \
  -H "X-API-Key: vg_free_test" \
  -F "file=@your_file.py"
```

48 patterns, 9 languages. GitHub Action: Moonsehwan/aina-vibeguard-action@v1

Which of these have you seen in your own codebase?
