BotBeat
...
← Back

> ▌

GitHubGitHub
INDUSTRY REPORTGitHub2026-07-14

87% of AI-Generated Code Projects Have Security Issues, Report Finds Massive Quality Gaps

Key Takeaways

  • ▸87% of AI-generated projects have at least one security finding; only 56 of 424 projects were completely clean
  • ▸GitHub Copilot and Bolt produce ~50% fewer issues than Lovable and v0 (roughly 8–9 vs 15–16 issues per 1,000 lines)
  • ▸14% of projects shipped with leaked secrets or hardcoded credentials, posing significant deployment risks
Source:
Hacker Newshttps://github.com/qualityclouds/state-of-ai-code-2026-↗

Summary

A comprehensive analysis of 21.6 million lines of AI-generated code has revealed stark differences in software quality across leading AI code generation platforms. Quality Clouds Hub scanned 424 public projects built with Lovable, Bolt, v0, and GitHub Copilot, uncovering 346,944 issues—approximately one vulnerability or bug every 62 lines of code. The findings paint a troubling picture: 87% of projects have at least one security finding, and 14% shipped with leaked secrets or hardcoded credentials.

The report revealed a dramatic quality divide between platforms. GitHub Copilot and Bolt produce roughly half the issue density of v0 and Lovable, and a third to a half of their security-issue density. Lovable projects carry a median of 644 issues—roughly 4.5 times higher than other platforms—with only 2 of 183 Lovable projects found to be completely clean. A particularly concerning pattern emerged with Supabase-backed applications, which showed 2.4x higher security issue density due to client-side exposure patterns like public bucket configurations and service-role key leaks.

The most significant finding is the concentration of high-severity issues around a single architectural failure: async operations without error handling. This issue appears in 79% of projects and accounts for nearly 70% of all high-severity findings, suggesting that a handful of common architectural mistakes drive most quality degradation.

  • Supabase-backed applications have 2.4x higher security issue density due to client-side exposure patterns
  • Async operation error handling failures account for ~70% of all high-severity findings, indicating a major architectural blind spot

Editorial Opinion

This report demonstrates that AI-generated code cannot be considered production-ready without substantial human review and remediation. The stark performance differences between platforms—particularly GitHub Copilot's success when paired with human oversight versus Lovable's struggles with fully automated generation—strongly suggest that human-in-the-loop approaches are essential for real-world deployment. However, the report also offers cause for optimism: the fact that quality varies so dramatically indicates that architectural choices and training methodologies matter greatly, meaning better AI code generators are achievable. Organizations considering AI code generation for sensitive systems should demand security audits and treat the output as unvetted proof-of-concept, not production-ready code.

Generative AIAI AgentsData Science & AnalyticsCybersecurityMarket Trends

More from GitHub

GitHubGitHub
RESEARCH

Enterprise Doubles Developer Productivity with AI Coding Tools: Longitudinal Study Shows 2.09x Throughput Gains

2026-07-14
GitHubGitHub
RESEARCH

New HalluSquatting Attack Could Turn AI Coding Assistants Into Massive Botnets

2026-07-08
GitHubGitHub
RESEARCH

GitLost: Security Researchers Expose AI Agent Vulnerability Enabling Private Repository Disclosure

2026-07-08

Comments

Suggested

PromptEvalPromptEval
RESEARCH

Benchmark Study Reveals Critical Robustness Gap in AI Prompts: Average Score 31/100

2026-07-14
AI Industry (Analysis & Commentary)AI Industry (Analysis & Commentary)
POLICY & REGULATION

New York Becomes First State to Pause Data Center Construction, Imposing One-Year Moratorium

2026-07-14
PangramPangram
INDUSTRY REPORT

Study Reveals 41% of LinkedIn Longform Content Is AI-Generated

2026-07-14
← Back to news
© 2026 BotBeat
AboutPrivacy PolicyTerms of ServiceContact Us