DryRun Security: AI Coding Agents Introduce Vulnerabilities in 87% of Pull Requests
Help Net Security / DryRun Security·high signal
A DryRun Security study tested Claude Code (Sonnet 4.6), OpenAI Codex (GPT 5.2), and Google Gemini (2.5 Pro) building two applications from scratch. Across 38 scans covering 30 pull requests, the agents produced 143 security issues — 26 of 30 PRs (87%) contained at least one vulnerability. Broken access control was universal across all three agents; Claude introduced a 2FA-disable bypass; Gemini had the most high-severity findings. Codex produced the fewest remaining issues in both apps.