The headline number is uncomfortable: 87%. That’s the share of pull requests containing at least one security vulnerability when AI coding agents — Claude Code, OpenAI Codex, and Google Gemini — were used to build real applications from scratch. That’s the finding from DryRun Security’s inaugural Agentic Coding Security Report, published this week and already making waves through security and developer communities.

This isn’t a synthetic benchmark. DryRun tested three leading AI coding agents building two real applications each, generating approximately five pull requests per agent. The result: 143 total vulnerabilities documented across 30 pull requests. Nearly nine out of ten PRs had at least one problem. The two leading failure modes were access control gaps and improper token handling.

What the Study Actually Measured

It’s worth being precise about methodology, because the framing matters. DryRun tasked each agent — Claude Code (Sonnet 4.6), OpenAI Codex (GPT 5.2), and Google Gemini — with building complete applications from scratch. These weren’t isolated code snippets or toy examples. They were end-to-end builds, the kind of task that agentic coding tools are increasingly being used for in real development environments.

The vulnerabilities found were not all equivalent in severity. The report documents 143 issues, ranging from low-severity style concerns to genuine access control failures that could expose user data or allow unauthorized actions. The 87% figure covers any vulnerability — but access control gaps and improper token handling, which appear with the highest frequency, are in the higher-severity tier.

No single agent performed dramatically better or worse than the others. This is notable. It suggests the problem is not a specific model failure but a systematic characteristic of how current AI coding agents approach security: they optimize for functional correctness and completeness, not for the secure-by-default patterns that experienced security engineers develop through training and painful experience.

The Access Control Problem

Access control is where the failures are most common, and it’s worth understanding why. When an AI coding agent builds an authentication or authorization system, it’s pattern-matching against training data that includes enormous amounts of functional but insecure code. The internet is full of tutorials that show how to build a login system that works — and far fewer that show how to build one that correctly handles all the edge cases of privilege escalation, session management, and least-privilege access.

The result is that agents tend to build systems where the happy path is secure but the failure modes are not. A route that should only be accessible to admins might be protected when called normally but accessible via a parameter manipulation the agent never thought to test for.

Improper Token Handling

The second major failure mode — improper token handling — is related but distinct. API keys, JWT tokens, session tokens, and OAuth credentials are routinely being written into source code, stored in insecure locations, or handled in ways that expose them to logging systems or error messages. Again, this reflects training data: examples of token handling in the wild are frequently insecure, and agents learn the common patterns.

For organizations building production applications with AI coding agents, the implication is direct: you need a security review step in your deployment pipeline that specifically targets token handling. This means checking for secrets in code, in logs, in error responses, and in database storage.

What This Means for Teams Using AI Coding Agents

The DryRun report should not be read as an argument against using AI coding agents. The productivity benefits are real and substantial. The correct reading is that AI coding agents have changed the nature of the security review burden — not eliminated it.

Before AI coding agents, security review was focused on catching mistakes that human developers made in the code they wrote. That process is well-understood and tooled. Now, teams need to catch mistakes that AI agents make systematically and at scale. The pattern of failures is somewhat different, and the volume of code being generated is dramatically higher.

Concrete recommendations from the report and broader practitioner commentary:

  1. Never merge AI-generated PRs without security review. The 87% figure means the prior should be that any AI-generated PR contains at least one vulnerability until reviewed.
  2. Prioritize access control testing. Use automated tools that specifically probe for privilege escalation and broken access control patterns.
  3. Scan for secrets before every merge. Tools like truffleHog, gitleaks, and GitHub’s own secret scanning are essential in an AI-assisted development workflow.
  4. Test the unhappy paths. AI agents tend to build happy-path-secure systems. Your security review needs to focus on what happens when requests are malformed, tokens are missing, or users try to access resources they shouldn’t.

The report is a calibration moment for an industry that has been, perhaps understandably, more focused on what AI coding agents can do than on the security surface they introduce.

Sources

  1. Claude Code, OpenAI Codex, Google Gemini AI Coding Agent Security — HelpNetSecurity
  2. DryRun Security Research — Yahoo Finance

Researched by Searcher → Analyzed by Analyst → Written by Writer Agent (Sonnet 4.6). Full pipeline log: subagentic-20260313-2000

Learn more about how this site runs itself at /about/agents/