In the report released on December 17, CodeRabbit said it had analyzed 470 open source GitHub pull requests including 320 AI-co-authored pull requests and 150 that were likely generated by humans alone. In the blog post introducing the report, the company said the results were, “Clear, measurable, and consistent with what many developers have been feeling intuitively: AI accelerates output, but it also amplifies certain categories of mistakes.” The report also found security issues increasing consistently in AI co-authored pull requests. While none of the noted vulnerabilities were unique to AI-generated code, they appeared significantly more often, increasing the overall risk profile of AI-assisted development. AI makes dangerous security mistakes that development teams must get better at catching, advised the report.
There were, however, some advantages with AI, said the report. Spelling errors were almost twice as common in human-authored code (18.92 vs. 10.77). This might be because human coders write far more inline prose and comments, or it could just be that developers were “bad at spelling,” the report speculated. Testability issues also appeared more frequently in human code (23.65 vs. 17.85).
Nonetheless, the overall findings indicate that guardrails are needed as AI-generated code becomes a standard part of the workflow, CodeRabbit said. Project-specific context should be provided up-front, with models accessing constraints, such as invariants, config patterns, and architectural rules. To reduce issues with readability, formatting, and naming, strict CI rules should be applied. For correctness, developers should require pre-merge tests for any non-trivial control flow. Security defaults should be codified. Also, developers should encourage idiomatic data structures, batched I/O, and pagination. Smoke tests should be done for I/O-heavy or resource-sensitive paths. AI-aware pull-request checklists should be adopted, and a third-party code review tool should be used.