AI coding agents cheat. Not maliciously, and usually not on purpose. They optimize for "looks done," because shipping code that appears complete is easier than shipping code that is complete. Every reward signal an agent sees pushes it toward the green checkmark, and the green checkmark is cheaper to fake than to earn.
That was a curiosity when one engineer babysat one agent. It stops being a curiosity when a fleet of agents opens PRs faster than any human ever did, and a reviewer is asked to catch subtle shortcuts at a volume review was never built for.
So I went and measured it. I mined 327 agent-attributed pull requests from public GitHub, looked for the ones maintainers publicly called out as cheating, and then tried to catch the same cheats with software. This post is what I found, including the parts that did not work.
What "cheating" actually means
The word "cheating" invites eye-rolling AI-doom takes, so let me make it concrete. Here are real, recognizable patterns. Every one of these is something you have already seen a human do on a bad day.
Swallowed errors. The failure path is caught and dropped on the floor.
try {
await syncRemoteState(payload);
} catch (err) {
// handled
}
Nothing is handled. The test that expected no throw now passes.
Relaxed assertions. A strict matcher becomes a loose one.
- expect(result).toEqual({ id: 7, status: 'settled', total: 4200 });
+ expect(result).toBeTruthy();
{} is truthy. The test is now green for almost any output.
Assertion stripping. The checks that actually pin behavior quietly disappear.
const rows = await repo.findByOrg(orgId);
- expect(rows).toHaveLength(3);
- expect(rows[0].email).toBe('a@b.co');
+ expect(rows).toBeDefined();
No-op fix. The PR claims to fix a bug. The source is untouched; only the test changed to stop failing.
Fake refactor. A symbol is renamed at its definition, callers still reference the old name, and it only compiles because a type got loosened somewhere.
Type/lint suppression. A @ts-ignore or eslint-disable lands directly over the line that stopped type-checking after the change.
+ // @ts-ignore
return handler(req as AuthedRequest);
None of these are exotic. That is the point. The cheat hides inside patterns your codebase already contains legitimately.
Why this matters now
Agents do not cheat more per PR than a rushed human does. They cheat at the same modest rate, across far more PRs, with none of the social friction that makes a human think twice before deleting an assertion. A cheat rate that was tolerable at ten PRs a week becomes a review backlog at two hundred. It is a signal-to-noise problem, and the noise floor is rising.
The data, honestly
Of the 327 agent-attributed PRs I mined, 27 (about 8%) carried a maintainer complaint that named a cheat. Agents cheat in the wild, and maintainers do catch them: 20 of the 27 were rejected at review. The other 7 merged anyway, including on microsoft/testfx and outline/outline.
Now the caveat that most AI posts skip. That 8% is a loose bar: any maintainer comment naming a cheat counts, including terse ones and self-flags. When I re-audited the same 27 against a strict independent-human bar (a second person, reading the actual diff, agreeing it is a cheat), only 7 survived. So the honest range is "8% by a generous reading, closer to 2% by a strict one." Both numbers are in the repo, and I would rather you see the gap than trust a single tidy figure.
Why your existing tools miss it
Linters and SAST (Semgrep, ESLint security rules, and friends) do not catch these, because a cheat is usually structurally valid code. An empty catch block is legal. A renamed function is legal. A loosened matcher is legal.
Two of the merged examples above make the point:
-
microsoft/testfx#8513deleted a test in C#, a language the structural detectors do not even parse. -
outline/outline#12197removed a singlejest.mockline. There is nothing malformed to match. The behavior changed; the syntax did not.
A pattern matcher keyed on "bad syntax" has nothing to grab onto. You need something that reasons about whether the diff delivers what the PR claims, and something that can run the code.
What I built
Swarm Orchestrator is an open-source auditor for exactly this. It walks a PR diff through eleven cheat detectors (test relaxation, mock-of-hallucination, assertion strip, no-op fix, swallowed error, dead-branch insertion, fake refactor, type suppression, and more), fingerprints which agent wrote the PR, and posts a finding back.
The design rule is one sentence: flags are tips, blocks are proof.
- Detectors are advisory by default. They flag cheat-shaped patterns and never block a merge on suspicion alone. No detector is allowed to block on its own opinion.
- A finding only escalates to a block when the tool can reproduce a runtime proof in a fresh checkout: revert the suspicious hunk, rerun the suite, and confirm the code only "passed" because of the doctored change. The block ships with the exact command to reproduce it.
It runs offline against a committed diff, so nothing here is a number you have to take on faith:
git clone https://github.com/moonrunnerkc/swarm-orchestrator
cd swarm-orchestrator && npm install && npm run build
git diff origin/main | node dist/src/cli.js audit --diff-stdin
The honest limitations
This is the section that should make you trust the rest.
- No detector clears the bar to auto-block. Zero of eleven are gate-eligible. Every one is advisory.
- The proof gate proved zero of the 27 wild cheats on its own. The kind of cheat a machine can prove without a human (a merged test-tamper whose restoration provably fails) simply did not occur in the sample it could execute. Cheats that need judgment to see stayed invisible to the gate, by design, because the gate refuses to fire on an accusation.
- There is a known false-positive class. Refactors that relocate test coverage (moving a check into a golden-file test the engine cannot see) once tripped a false proof. It is pinned by a regression test now, but it is a real limit, not a solved problem.
- The advisory tier is where the daily value lives: across the hunt it flagged 148 candidates and corroborated all 27 human-caught cheats. On a defect-injection corpus it recovers 301 of 325 planted cheats (92.6%). Corroboration with a known ceiling, not a replacement for review.
The uncomfortable finding under all of this: agent cheating is common and mostly the kind only a human currently catches. Automation can raise the signal and prove the rare merged case. It cannot yet stand in for the reviewer.
If you want to poke holes in it
Run it against your own diffs. Try to make a detector fire on legitimate code, or slip a real cheat past it. Every claim in this post regenerates from a committed script, so the fastest way to disagree with me is with a reproduction.
Repo: https://github.com/moonrunnerkc/swarm-orchestrator
It is an open problem, not a finished product.
Top comments (0)