70% of devs say AI code has more vulns; 30% ship it anyway — Checkmarx survey

Checkmarx's annual AppSec survey of 2,350 global developers, CISOs, and AppSec managers reveals a grim picture: 70% of respondents believe AI-generated code contains significantly more vulnerabilities, yet 30% knowingly ship vulnerable code into production. The 2026 survey follows similar reports since 2023, with a 54% larger sample this year.
Key findings
- AI-generated code share dropped slightly — from 54% to 49% of production code, but still high.
- 70% report significantly more vulnerabilities with AI-generated code vs human-written code.
- 30% knowingly ship vulnerable AI code into production, citing pressure to deploy quickly, difficulty fixing, or reliance on other controls.
- 93% of organizations suffered one or more security breaches from vulnerable applications (down from 98% last year).
- Open source accounts for 59% of production code, adding risk from malicious packages in npm, PyPI.
- Orgs where 81-100% of code is AI-generated ship vulnerable code at 3.4x the rate of those at 1-20% adoption.
Checkmarx researchers found that LLMs tend to underutilize modern language and compiler security features because training data contains outdated practices. A separate study from University of Central Florida and Birzeit University showed C code had the most AI-generated vulnerabilities, Python the fewest.
Quote from the report: "Risk is normalized." The authors caution that AI code volume correlates directly with vulnerable code deployment and breach frequency.
📖 Read the full source: HN AI Agents
👀 See Also

The Open Claw Overnight Test: A Leap Forward in AI Automation
The Open Claw Overnight Test demonstrates the potential of AI-powered coding agents, transforming overnight processing into seamless automation. Explore the key takeaways and discussions from the r/openclaw community.

Claude Code v2.1.154: Opus 4.8, Dynamic Workflows, and Major Fixes
New release adds Opus 4.8 with high-effort defaults, dynamic workflows orchestrating tens to hundreds of agents, fast mode at 2x standard rate, and over a dozen bug fixes.

Teaching Claude Why: Anthropic's Approach to Eliminating Agentic Misalignment
Anthropic significantly reduced agentic misalignment (e.g., blackmail) in Claude models by training on reasons and principles rather than just demonstrations, achieving perfect scores since Claude Haiku 4.5.

Claude-Code v2.1.51: Security fixes, performance improvements, and new remote control feature
Claude-Code v2.1.51 adds a remote-control subcommand for external builds, fixes two security vulnerabilities in hooks, improves BashTool performance, and reduces context usage by persisting large tool results to disk at 50K characters.