alicesec
Back to Blog
AI Security

The 5 Most Dangerous Copilot Patterns (And How to Avoid Them)

AliceSec Team
4 min read

TL;DR

GitHub Copilot and other AI coding assistants can generate insecure code patterns. Learn the five most dangerous patterns they commonly produce and how to recognize and fix them before they become vulnerabilities.

GitHub Copilot has revolutionized how we write code. It autocompletes functions, suggests entire implementations, and dramatically speeds up development. But here's the uncomfortable truth: Copilot was trained on billions of lines of code from GitHub—including insecure code, deprecated patterns, and outright vulnerabilities.

Studies have shown that code generated by AI assistants is significantly more likely to contain security vulnerabilities than human-written code. Let's examine the five most dangerous patterns Copilot commonly generates and learn how to catch them before they ship.

Pattern 1: SQL Injection via String Concatenation

This is Copilot's most common security failure. When you start typing a database query, it often suggests string concatenation instead of parameterized queries.

Dangerous Copilot suggestion:

dangerous-sql.js
// VULNERABLE - DO NOT USE
const query = `SELECT * FROM users WHERE username = '${username}'`;

// An attacker can input:
// ' OR '1'='1
// This bypasses authentication entirely!

The safe pattern:

safe-sql.js
// SECURE - Use parameterized queries
const query = 'SELECT * FROM users WHERE username = ?';
db.execute(query, [username]);

Always use parameterized queries or prepared statements. Never concatenate user input into SQL strings. Copilot suggests string concatenation because it appears millions of times in training data—in tutorials, examples, and legacy code.

Pattern 2: Hardcoded Secrets and API Keys

When you're setting up API integrations, Copilot loves to suggest placeholder secrets that look like real credentials—and developers often forget to replace them.

Dangerous Copilot suggestion:

dangerous-secrets.js
// VULNERABLE - Hardcoded API key
const apiKey = 'sk-1234567890abcdef';
const client = new OpenAI({ apiKey });

// Copilot sometimes suggests ACTUAL API keys
// it learned from public repositories!

The safe pattern:

safe-secrets.js
// SECURE - Use environment variables
const apiKey = process.env.OPENAI_API_KEY;

// Validate at startup
if (!apiKey) {
  throw new Error('OPENAI_API_KEY not set');
}

const client = new OpenAI({ apiKey });

Pro tip: Configure git-secrets or similar pre-commit hooks to catch hardcoded credentials before they're committed.

Pattern 3: Disabled Security Controls

When developers encounter SSL/TLS errors or CORS issues during development, Copilot helpfully suggests disabling security entirely.

Dangerous Copilot suggestions:

dangerous-security-disabled.js
// VULNERABLE - Never use these in production!

// Disables SSL certificate verification
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

// Disables SSL in HTTPS requests
const response = await fetch(url, {
  agent: new https.Agent({ rejectUnauthorized: false })
});

// Allows ALL origins (wide open CORS)
app.use(cors({ origin: '*' }));

The safe pattern: Fix the underlying issue instead of disabling security.

safe-cors.js
// SECURE - Configure specific allowed origins
app.use(cors({
  origin: [
    'https://yourdomain.com',
    'https://app.yourdomain.com'
  ]
}));

For SSL issues, install proper certificates. Never ship code with security controls disabled.

Pattern 4: Insecure Random Number Generation

When generating tokens, session IDs, or anything security-sensitive, Copilot often suggests Math.random()—which is not cryptographically secure.

Dangerous Copilot suggestion:

dangerous-random.js
// VULNERABLE - Math.random() is predictable!
const token = Math.random().toString(36).substring(2);

// An attacker who knows when your server started
// can potentially predict future "random" values

The safe pattern:

safe-random.js
// SECURE - Use cryptographic randomness

// Node.js
const crypto = require('crypto');
const token = crypto.randomBytes(32).toString('hex');

// Browser
const array = new Uint8Array(32);
crypto.getRandomValues(array);
const token = Array.from(array, b => b.toString(16).padStart(2, '0')).join('');

Rule of thumb: If it's used for security (tokens, passwords, keys), it needs cryptographic randomness. Math.random() is only safe for non-security purposes like shuffling UI elements.

Pattern 5: Unsanitized HTML Rendering

When building UIs that display user content, Copilot frequently suggests patterns that enable XSS attacks.

Dangerous Copilot suggestions:

dangerous-xss.js
// VULNERABLE - All of these enable XSS attacks!

// React
<div dangerouslySetInnerHTML={{ __html: userContent }} />

// Vanilla JS
element.innerHTML = userInput;

// Vue
<div v-html="userContent"></div>

The safe pattern: Render user content as text, not HTML. If you must render HTML, sanitize it first:

safe-html.js
// SECURE - Sanitize HTML before rendering
import DOMPurify from 'dompurify';

// React with sanitization
<div dangerouslySetInnerHTML={{ 
  __html: DOMPurify.sanitize(userContent) 
}} />

// Better: Use textContent instead of innerHTML
element.textContent = userInput;  // Safe - escapes HTML

Better yet, use Markdown with a safe parser that escapes HTML.

Why Copilot Generates Insecure Code

Understanding why these patterns emerge helps you anticipate them. Copilot is trained on public GitHub repositories, which include: tutorial code optimized for simplicity, not security; legacy code from before secure patterns were standard; intentionally vulnerable code from security training platforms; code that was 'good enough' for prototypes but never meant for production.

Copilot doesn't understand security context. It can't distinguish between 'I need this for a quick prototype' and 'this will handle production traffic.' It suggests what's statistically likely based on your prompt, not what's secure.

How to Use Copilot Safely

Review every suggestion critically, especially around security-sensitive operations: database queries, authentication, cryptography, user input handling, and network requests. Ask yourself: 'What could an attacker do if they controlled the input to this function?'

Use security linters alongside Copilot. Tools like ESLint with security plugins, Semgrep, or CodeQL can catch many insecure patterns automatically. Configure them to run on save or pre-commit.

Prompt with security context. Instead of 'write a function to query users', try 'write a secure function to query users using parameterized queries'. Copilot's suggestions improve with security-focused prompts.

Conclusion

Copilot is an incredible productivity tool, but it's not a security expert. It reflects the code it was trained on—warts and all. By knowing these dangerous patterns, you can catch them before they become vulnerabilities.

The key is treating AI suggestions as a starting point, not a final answer. Review, understand, and verify every piece of generated code. Your security knowledge is the last line of defense between Copilot's suggestions and your production environment.

References

• Stanford Study - 'Do Users Write More Insecure Code with AI Assistants?'

• GitHub Security Lab - AI-Assisted Security

• OWASP - Secure Coding Practices

Get the weekly vulnerability breakdown

New challenges, exploit techniques, and security tips. No spam.

Unsubscribe anytime. No spam, ever.