With more developers using AI coding assistants, I have been seeing an uptick in classic vulnerability patterns sneaking into codebases — not because developers forgot, but because the AI generated plausible-looking code with subtle security holes.

Here is the free tool stack I recommend for catching these:

Language-agnostic:

  • semgrep — write custom rules or use the community ruleset. Catches OWASP Top 10 patterns across Python, JS, Go, Java, Ruby. The p/security-audit and p/owasp-top-ten rulesets are excellent starting points.

Python:

  • bandit — finds common security issues (eval, exec, shell injection, hardcoded passwords, insecure crypto usage)
  • safety — checks dependencies against known vulnerability databases

JavaScript/TypeScript:

  • eslint-plugin-security — catches obvious issues (non-literal regex, eval, prototype pollution patterns)
  • npm audit / snyk (free tier) — dependency vulnerability scanning

Shell scripts:

  • shellcheck — not strictly security-focused but catches injection-prone patterns (unquoted variables, eval usage, word splitting issues)

Infrastructure:

  • tfsec / checkov — Terraform and CloudFormation security scanning
  • trivy — container image vulnerability scanning (also does IaC)

How to set it up:

The key is making it automatic. Use pre-commit hooks:

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/PyCQA/bandit
    rev: <pinned-release-tag>   # pre-commit refuses a repo without rev; pin each to a released tag
    hooks:
      - id: bandit
  - repo: https://github.com/koalaman/shellcheck-precommit
    rev: <pinned-release-tag>
    hooks:
      - id: shellcheck
  - repo: https://github.com/semgrep/semgrep
    rev: <pinned-release-tag>
    hooks:
      - id: semgrep
        # overriding args drops semgrep's hook defaults, so restore --error (non-zero exit on
        # findings, otherwise the commit is never blocked) and --skip-unknown-extensions
        # (pre-commit passes every staged file, not just source files)
        args: ["--config", "p/security-audit", "--error", "--skip-unknown-extensions"]

Run pre-commit install once and every commit gets scanned automatically. Zero discipline required after initial setup.
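The community rulesets cover the generic patterns; for the project-specific ones you end up writing your own. Below is an added example of a custom semgrep rule (mine, not from the post or the semgrep project) for the shell-injection pattern mentioned above: any subprocess call with shell=True whose command is not a fixed string literal. The rule id and message are my own choices.

```yaml
rules:
  - id: subprocess-shell-true-nonliteral
    languages: [python]
    severity: ERROR
    message: >
      subprocess called with shell=True and a command that is not a string
      literal. Any untrusted input that reaches the command string becomes a
      shell injection. Pass the command as an argument list and drop shell=True.
    metadata:
      category: security
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
    patterns:
      # match every subprocess.<anything>(...) call that turns shell=True on
      - pattern: subprocess.$FUNC(..., shell=True, ...)
      # but allow a fixed string literal command: nothing untrusted can be
      # spliced into it, so it is not the pattern we are hunting
      - pattern-not: subprocess.$FUNC("...", shell=True, ...)
```

Save it under a directory such as .semgrep/ and add a second "--config" argument pointing at that directory to the semgrep hook's args; semgrep accepts --config more than once, so the community ruleset and your own rules run in the same pass.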

The AI coding hangover is real — Amazon just had an outage partly linked to insufficiently reviewed AI-generated code. These tools are the safety net.