87% of AI-Generated Code Projects Have Security Issues, Report Finds Massive Quality Gaps
Key Takeaways
- ▸87% of AI-generated projects have at least one security finding; only 56 of 424 projects were completely clean
- ▸GitHub Copilot and Bolt produce ~50% fewer issues than Lovable and v0 (roughly 8–9 vs 15–16 issues per 1,000 lines)
- ▸14% of projects shipped with leaked secrets or hardcoded credentials, posing significant deployment risks
Summary
A comprehensive analysis of 21.6 million lines of AI-generated code has revealed stark differences in software quality across leading AI code generation platforms. Quality Clouds Hub scanned 424 public projects built with Lovable, Bolt, v0, and GitHub Copilot, uncovering 346,944 issues—approximately one vulnerability or bug every 62 lines of code. The findings paint a troubling picture: 87% of projects have at least one security finding, and 14% shipped with leaked secrets or hardcoded credentials.
The report revealed a dramatic quality divide between platforms. GitHub Copilot and Bolt produce roughly half the issue density of v0 and Lovable, and a third to a half of their security-issue density. Lovable projects carry a median of 644 issues—roughly 4.5 times higher than other platforms—with only 2 of 183 Lovable projects found to be completely clean. A particularly concerning pattern emerged with Supabase-backed applications, which showed 2.4x higher security issue density due to client-side exposure patterns like public bucket configurations and service-role key leaks.
The most significant finding is the concentration of high-severity issues around a single architectural failure: async operations without error handling. This issue appears in 79% of projects and accounts for nearly 70% of all high-severity findings, suggesting that a handful of common architectural mistakes drive most quality degradation.
- Supabase-backed applications have 2.4x higher security issue density due to client-side exposure patterns
- Async operation error handling failures account for ~70% of all high-severity findings, indicating a major architectural blind spot
Editorial Opinion
This report demonstrates that AI-generated code cannot be considered production-ready without substantial human review and remediation. The stark performance differences between platforms—particularly GitHub Copilot's success when paired with human oversight versus Lovable's struggles with fully automated generation—strongly suggest that human-in-the-loop approaches are essential for real-world deployment. However, the report also offers cause for optimism: the fact that quality varies so dramatically indicates that architectural choices and training methodologies matter greatly, meaning better AI code generators are achievable. Organizations considering AI code generation for sensitive systems should demand security audits and treat the output as unvetted proof-of-concept, not production-ready code.



