Why not just use a regex linter on AI-generated code?

Regex linters trip on safe patterns — parameterized queries, schema-validated input, publishable API keys, hardened cookies, allow-listed CORS — and bury an agent in false positives. Taint analysis that proves a user-controlled source actually reaches a dangerous sink produces far fewer false alarms.

Does it replace Semgrep or CodeQL?

No. Those are deeper, broader, multi-language engines you should run for full coverage. A focused, low-false-positive, taint-backed gate is meant to run inside agent loops and pre-commit in milliseconds, alongside the big engines rather than instead of them.

Catching the security bugs AI coding agents introduce

Q: What security mistakes do AI coding agents make most?

Committed secrets, SQL injection through abstracted raw-query APIs, XSS, SSRF, path traversal, command injection, insecure deserialization, and weak JWT, CORS, and cookie configuration.

Updated 2026-06-01 · application security · static analysis

AI coding agents produce working code that is wrong in predictable ways: committed secrets, SQL injection through abstracted query APIs, XSS, SSRF, path traversal, command injection, insecure deserialization, and weak JWT/CORS/cookie settings. The way to gate this without burying the agent in false positives is taint analysis — proving a user-controlled source actually reaches a dangerous sink — with every finding ranked by confidence.

Why AI-generated code fails this way

An agent optimizes for code that runs and passes the obvious test, not for the security invariants a reviewer carries in their head. So it reaches for the convenient raw-query call, echoes user input into a response, or hardcodes a key to make the demo work. These are not random bugs; they cluster into a small, knowable set of failure classes — which is exactly what makes them gateable.

Why regex linters make it worse

The naive fix is a pattern linter, but in an agent loop that is actively harmful: it flags safe code — parameterized queries, tagged-template SQL, schema-validated input, publishable/anon API keys, hardened cookies, allow-listed CORS, pinned JWT algorithms — and the agent either drowns or learns to ignore the tool. The signal has to be trustworthy or it is noise.

What actually works inside agent loops

Real parsers, not regex — parse JS/TS/JSX/TSX, Python, and Go with real ASTs so analysis reflects the actual program structure.
Inter-procedural taint tracking — follow a user-input source across functions and files into a sink, so a finding means a real reachable path, not a coincidental keyword.
Confidence ranking — mark a finding high only when a source provably flows to the sink (or a deterministic fact like a committed secret), so a CI gate or an agent can act on the high-confidence set and ignore the rest.
Agent-native — expose the scan as an MCP tool and a machine-readable JSON mode so it runs inside the loop and in pre-commit in milliseconds.

vibecheck is a taint-backed, agent-native "safe to ship?" gate built on this approach, with published precision/recall on a labeled benchmark. Source and docs: github.com/ArisRhiannon/vibecheck.