Software engineers’ ideal state includes being able to work with minimal disruption. This “flow state” is when they are most productive and have the best chance of delivering the products and features they are tasked with producing within the required timeline. Whenever something adversely impacts their flow state productivity, mental health, and overall effectiveness may be impacted. One well known impediment to flow state is finding and fixing security coding errors. Software engineers understand the importance of this activity and would welcome novel approaches to getting this completed without impacting their work pace.    

One idea gaining a lot of momentum to enable a more optimized flow state is the use of generative AI to automatically repair software vulnerabilities. Let’s explore the pros and cons of using generative AI to fix software coding errors:


  • Scalability: Generative AI can be used to scale the remediation of software vulnerabilities, as it can automatically generate fixes for many vulnerabilities. This can help to reduce the backlog of vulnerabilities that need to be fixed, and it can also help to ensure that vulnerabilities are fixed quickly.
  • Accuracy: Generative AI can be trained on a large dataset of secure code, which can help to ensure that the generated fixes are accurate. This can help to reduce the risk of introducing new vulnerabilities into the code when it is fixed.
  • Efficiency: Generative AI can be used to automate the process of fixing software vulnerabilities, which can help to save time and resources. This can be especially beneficial for organizations that have many vulnerabilities to fix.


  • Complexity: Generative AI can be complex to implement and use. This is because it requires a large dataset of secure code to train the model, and it also requires a deep understanding of the code that is being fixed.
  • Trustworthiness: There is some concern that generative AI may not be trustworthy enough to be used to fix software vulnerabilities. This is because the model can be trained on malicious code, which could lead to the generation of insecure fixes.
  • Bias: Generative AI models can be biased, which means that they may generate fixes that are not representative of all possible solutions. This can be a problem if the model is not trained on a diverse dataset of code.

Overall, generative AI has the potential to be a powerful tool for fixing software vulnerabilities. However, there are some challenges that need to be addressed before it can be widely adopted.

In addition to the pros and cons listed above, here are some other considerations to keep in mind when considering generative AI to fix software vulnerabilities:

  • The quality of the training data: The quality of the training data is critical to the accuracy of the generated fixes. The data should be representative of the code that will be fixed, and it should be free of malicious code.
  • The complexity of the vulnerabilities: Generative AI is not always able to fix complex vulnerabilities. In these cases, human intervention may be required to complete the fix.
  • The security of the model: The model should be secure to prevent malicious actors from injecting malicious code into the training data.

Despite the challenges, generative AI has the potential to revolutionize the way software vulnerabilities are fixed giving way to improved flow states and feedback loops while minimizing cognitive loads. As the technology matures, it is likely that generative AI will become a more widely used tool for improving software security while maximizing the productivity of engineering teams. Until then software engineering leaders should explore tools that enable their teams using predictive AI so they can quickly and accurately identify reachable and exploitable vulnerabilities in such a way that minimizes disruption of their software engineers’ flow state. 


About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit:


See for yourself – run a scan on your code right now