
Originally published at blog.logrocket.com

How to audit and validate AI-generated code output

Written by Boemo Mmopelwa✏️

The immense frontend knowledge that AI possesses can be both intimidating and reassuring. However, AI should never be treated as a subject matter expert, and it's unwise to use AI output that you can't test or verify.

Code generated by AI may mismanage dependencies or fail to follow security best practices. Because so many developers have adopted AI tools into their workflows, it's important to set up technical measures and processes that audit AI-generated code.

In this article, you will learn about security vulnerabilities and design flaws that can be introduced by code components developed by AI tools. More importantly, you will learn how to set up a technical auditing process that validates code generated by AI tools.

Security and architecture design flaws caused by AI

A significant risk of using AI-generated code is the potential introduction of security vulnerabilities and architectural flaws. This section will discuss issues developers should look out for when using AI-generated code.

Failure to follow security coding guidelines

Organizations such as the NSA and OWASP publish secure coding guidelines. AI code generators, however, focus on writing code that accomplishes a given task; they may fall short when it comes to ensuring that the generated code is secure. A common example is an AI tool hardcoding secrets.
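
For instance, a generated snippet might embed an API key directly in source instead of reading it from the environment. In the hypothetical sketch below, createApiClient and the key value are illustrative only:

// Risky: the AI inlines a credential, which then lands in version control
const insecureClient = createApiClient({ apiKey: 'sk_live_hardcoded_example' });

// Safer: load the secret from the environment (or a secrets manager) at runtime
const secureClient = createApiClient({ apiKey: process.env.API_KEY });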

Perhaps the most common security issue with AI, though, is its use of outdated concepts or technologies. AI is susceptible to this because the datasets used to train models aren't continuously updated. If a library is declared obsolete because of a security flaw, AI will keep recommending that library until its training data catches up.

Using AI-generated code that has not been scanned for outdated libraries and concepts puts your application at risk of exploitation. Below is an example of outdated code that uses the old, insecure SHA-1 hashing algorithm, which has since been deprecated. Outdated hashing algorithms do not adequately protect passwords against modern attacks:

using System.Security.Cryptography;
using System.Text;

// Insecure: SHA-1 is broken and far too fast for password hashing.
// Shown here only as an example of outdated AI-generated code.
public string HashPassword(string password) {
    using SHA1 sha1 = SHA1.Create();
    byte[] inputBytes = Encoding.ASCII.GetBytes(password);
    byte[] hashBytes = sha1.ComputeHash(inputBytes);
    return Convert.ToBase64String(hashBytes);
}
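
If the code targets a Node.js backend, a safer pattern is a salted, deliberately slow key-derivation function. Below is a minimal sketch using Node's built-in crypto module; the hashPassword and verifyPassword helpers are illustrative, not a drop-in replacement for the C# snippet above:

const { scryptSync, randomBytes, timingSafeEqual } = require('node:crypto');

// Hash a password with a random salt using scrypt, a memory-hard KDF
function hashPassword(password) {
  const salt = randomBytes(16);
  const hash = scryptSync(password, salt, 64);
  return `${salt.toString('hex')}:${hash.toString('hex')}`;
}

// Recompute the hash with the stored salt and compare in constant time
function verifyPassword(password, stored) {
  const [saltHex, hashHex] = stored.split(':');
  const hash = scryptSync(password, Buffer.from(saltHex, 'hex'), 64);
  return timingSafeEqual(hash, Buffer.from(hashHex, 'hex'));
}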

Data quality issues

AI isn't as flexible as a human developer. The quality of generated code is bounded by the model's training data. If a human developer decides the available data is of poor quality, they can explore other options and arrive at new insights that the AI doesn't have.

Additionally, there are cases where AI outputs stellar code, but that code was lifted from a public GitHub repository. Using licensed code for commercial purposes or reproducing licensed products can land you in endless lawsuits!

Why is it easy to trust flawed AI output?

Many factors lead developers to blindly trust AI outputs, despite their potential flaws:

  • Strict project deadlines: When developers are racing to deliver a project on time amid endless bugs, they reach for shortcuts and quick fixes instead of long-lasting solutions. AI code generators offer exactly those shortcuts and can propose a fix for most errors you encounter. However, making an error disappear only clears the red warnings from your editor and compiler; it does not mean the underlying vulnerabilities have been eliminated
  • AI overreliance: The ChatGPT website itself warns, “ChatGPT can make mistakes. Check important info.” No developer should rely on AI completely, but it is easy to fall into the trap of believing that AI knows everything because it can offer so much detail on a given topic. Information, however, is not the same as skill! A developer who lacks skill or knowledge in an area is especially prone to over-relying on AI
  • Lack of adequate knowledge of the AI tool being used: AI tools like ChatGPT have limitations; for example, ChatGPT is not always up to date with emerging software concepts. Knowing the weaknesses of the AI tool you’re using helps you apply it appropriately

How to audit and validate AI-generated code output

Below are validation techniques that you should be familiar with and apply when using code generated by AI.

Checking knowledge cutoff to detect hallucination

The best way to predict when an AI code generator will hallucinate or generate biased content is to check its knowledge cutoff. The knowledge cutoff is the date after which the model has no knowledge; any discoveries or events that happen after the cutoff are unknown to it. For example, at the time of writing, the knowledge cutoff for GPT-4 Turbo is December 2023.

Although these AI tools can obtain new information by searching the web, that doesn't mean they are well positioned to implement a new technological concept in code. The image below shows ChatGPT searching the web for information beyond its knowledge cutoff date. [Image: ChatGPT demonstrating its knowledge cutoff]

So, how is the knowledge cutoff relevant to a frontend developer? It matters whenever you ask an AI coding tool to generate code or UI components using the latest libraries or a new JavaScript framework version.

For example, I asked the GPT-4o model to implement the new Document Metadata feature in React 19, which was released in April 2024. Because GPT-4o's knowledge cutoff predates that release, the model hallucinated and imported a useMetadata Hook that React 19 never introduced. [Image: ChatGPT's response about React's Document Metadata feature, inventing a nonexistent useMetadata Hook]

Earlier, I mentioned that these AI coding tools can obtain knowledge beyond their cutoff by searching the web. In this hallucination case, where ChatGPT used the useMetadata Hook (which doesn't exist in React), it turns out that ChatGPT fetched the hook from the Thirdweb website.
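
One quick way to catch this class of hallucination is to check whether the imported API actually exists in the installed package before building on it. In a scratch file or Node REPL inside your project:

const React = require('react');

// React exposes its hooks as named exports, so a hallucinated hook
// simply won't be there
console.log(typeof React.useState);    // "function"
console.log(typeof React.useMetadata); // "undefined" because the hook doesn't exist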

Documentation standards validation

One reason AI models don't add sufficient comments or package documentation is that they aren't generating code with multiple reviewers in mind; generally, they document for a user who already understands the codebase. The AI doesn't know when a generated component is complex enough to need explanatory comments, nor when the code is simple enough that comments would be noise.

AI can learn to write better comments for your projects, but it has to be trained to do so, and not every developer is equipped to train these models or has the time for it.

To ensure that JSDoc (JavaScript documentation) standards are followed, install ESLint. This tool not only lints JavaScript code but, with the right plugin, also scans JSDoc comments and flags missing or malformed documentation. Install ESLint using the following command:

npm install --save-dev eslint

Next, install the JSDoc linter plugin:

npm install --save-dev eslint-plugin-jsdoc
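
ESLint also needs a config that loads the plugin. Below is a minimal sketch using ESLint's flat config format; the rule selections are illustrative, starting from the plugin's recommended preset:

// eslint.config.js
import jsdoc from 'eslint-plugin-jsdoc';

export default [
  // Start from the plugin's recommended JSDoc rules
  jsdoc.configs['flat/recommended'],
  {
    rules: {
      // Require a description on every documented function
      'jsdoc/require-description': 'warn',
      // Require a description for each @param tag
      'jsdoc/require-param-description': 'warn',
    },
  },
];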

Scan the files containing the AI-generated documentation using the following command:

npx eslint project-dir/ your-file.js
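
For reference, here is the kind of JSDoc block the plugin expects; the formatPrice function is a hypothetical example:

/**
 * Formats a price given in cents as a localized currency string.
 * @param {number} cents - The price in cents.
 * @param {string} [currency] - An ISO 4217 currency code; defaults to USD.
 * @returns {string} The formatted price, e.g. "$19.99".
 */
function formatPrice(cents, currency = 'USD') {
  return new Intl.NumberFormat('en-US', { style: 'currency', currency })
    .format(cents / 100);
}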

Audit obsolete libraries

Frontend projects are highly dependent on built-in and third-party libraries. Every project imports multiple libraries that add functionality and customization to the application. Libraries can be very helpful but are dangerous when obsolete.

Because AI is constrained by its knowledge cutoff, it's prone to adding outdated dependencies. It is therefore important to run npm audit when integrating AI-generated code into your application codebase. The npm audit command lists the known vulnerabilities found in your dependency tree. After reviewing them, run npm audit fix to upgrade the affected packages wherever a compatible update exists.
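
In practice, the workflow looks like this. Note that the --force flag can apply breaking major-version upgrades, so review the resulting changes:

npm audit             # list known vulnerabilities in the dependency tree
npm audit fix         # upgrade to patched versions within existing semver ranges
npm audit fix --force # also apply potentially breaking upgrades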

Codebase contextual relevance

When using AI code generators, keep in mind that the models are limited to the patterns in their training data. They may not fully grasp your application's specific requirements, business logic, and unique patterns, and this limited understanding leads to generated code that doesn't align with your application's needs.

AI tools can generate code that suffers from function isolation, meaning the generated functions don't use any project libraries or call any existing project functions. That's why AI-generated code has to be refactored to fit the codebase, unless the AI tool can read the entire codebase and understand all of its functions.

Isolated functions offer little to no value to the application: they can be removed without breaking any service, they mostly rely on hardcoded values and configurations, and they are hard to reuse. Below is an example of isolated code:

// Isolated: direct database access that bypasses the service layer
// (and is vulnerable to SQL injection via string interpolation)
async function getUserData(id) {
    return db.query(`SELECT * FROM users WHERE id = ${id}`);
}

// Contextually relevant: adheres to the project's architecture
async function getUserData(id) {
    return userService.getUserById(id); // uses the service layer abstraction
}

Codebase context issues can also arise from functions that don't adhere to project-specific naming conventions, formatting, and comment styles. To identify and address these architectural flaws, consider using a static analysis tool. Many modern static analysis platforms, such as SonarSource's SonarQube, have been tuned to flag issues that are common in AI-generated code.

Conclusion

Although AI has disrupted the developer workflow, AI code-generation tools are only becoming more necessary. To use them effectively, follow the steps outlined in this tutorial to validate that the AI-generated code you're working with is secure enough to be added to your app's codebase. Validating AI code reduces errors and ensures that the code is compliant, so you can feel comfortable letting AI automate routine coding tasks.
