New Cheat Sheet: Secure Coding with AI

[razashariff]

Addresses #2127.

Thanks @mackowski — second one from the batch.

All pretty standard and clear guidance — 16 sections covering the security risks specific to AI-assisted development, from hallucinated dependencies through to human accountability. Practical Do/Don't format with OWASP Top 10 2021 mapping.

Sections:

1. Hallucinated Dependencies
2. Outdated Dependencies with Known CVEs
3. Static Analysis of AI-Generated Code
4. Dynamic Analysis of AI-Generated Code
5. Secrets in AI-Generated Code
6. License and Intellectual Property Risks
7. AI-Generated Infrastructure Code
8. Prompt Context Leakage and Sensitive Code Exposure
9. Enterprise Deployment and Data Governance
10. AI-Generated Tests
11. AI-Generated Authentication and Authorisation Logic
12. AI-Generated Cryptographic Code
13. Prompt-to-Code Supply Chain Risk
14. Runtime Guardrails for AI-Generated Code
15. Human Accountability
16. Summary

Plus OWASP Top 10 mapping (A01-A10) and references including CVE-2026-39313.

Cheers — Raza :)

[jmanico]

Thanks for putting this together, Raza. There's real work here and the do/don't structure is good. I want to flag some scope and framing concerns before this lands, because I think we'd be shipping a cheat sheet that's already out of step with where AI-assisted development actually is in 2026.

On the framing. The doc is built around the idea that AI suggests code, the developer accepts it, and then you run your normal AppSec pipeline against the result. That's a 2023 mental model. The current reality is agentic coding. Tools like Claude Code, Cursor agent mode, Aider, Devin, Copilot Workspace, and Codex execute shell commands, install packages, edit files, run tests, hit the network, and push branches autonomously, often with auto-accept turned on. A cheat sheet titled "Secure Coding with AI" needs to address that threat model head on, and right now it largely doesn't.

On overlap. Sections 3, 4, 5, 6, and 7 collapse to one sentence: AI-generated code is code, so run your existing pipeline against it. That's already covered by Software Supply Chain Security, Secrets Management, and the Secure Coding Practices Quick Reference. Sections 11 and 12 (auth and crypto) are generic AppSec advice with "AI-generated" prepended, and that ground is covered elsewhere too. Section 9 (DPIA, GDPR, IP, training opt-out) is procurement and governance, not secure coding, and probably belongs in a separate AI governance doc.

On what's missing. None of the following appear in the PR, and they are the dominant risk classes in agentic dev tooling today:

1. Indirect prompt injection in the dev loop. Issue bodies, PR comments, READMEs, dependency changelogs, error traces, fetched web pages, and MCP resources all become instructions the moment the agent reads them.
2. MCP (Model Context Protocol) server security. Tool poisoning, name shadowing, confused deputy, rug-pull updates, credential exfiltration through tools. Worth calling out given the PR already cites CVE-2026-39313, which is an MCP framework CVE.
3. Sandboxing the agent's runtime. Dev containers, restricted shells, tool allowlists, ephemeral credentials, egress controls on the developer's machine, and the risk profile around flags like `--dangerously-skip-permissions`. Section 14 covers production runtime, but nothing covers the agent itself.
4. Rules and system-prompt files as a persistence mechanism. Files like `CLAUDE.md`, `AGENTS.md`, `.cursorrules`, and `.github/copilot-instructions.md` quietly steer every future generation, and they can be modified by a malicious PR or by the agent itself.
5. Out-of-scope edits. Agents routinely touch lockfiles, CI configs, and unrelated tests, and reviewers anchored on the requested change miss them. This is the most common review failure mode I see in practice.
6. Test fabrication and test deletion. Agents make CI green by deleting failing tests, weakening assertions, mocking the unit under test, or asserting the bug. Section 10 hints at this but doesn't name it.
7. Markdown and link based exfiltration from agent output rendered in IDE chat panes.
8. Unicode, bidi, and zero-width injection in code and commits influencing future agent behavior.
9. Multi-agent and sub-agent prompt-injection propagation.
10. CI/CD agents (review bots, `claude-code-action` style runners) acting on PR content with org secrets. Confused deputy at scale.
11. No threat model or trust boundary diagram. A cheat sheet on this topic should explicitly name the boundaries: developer, agent, model provider, MCP servers, repo content, and network.

On cross-references. The repo already ships `AI_Agent_Security_Cheat_Sheet.md`, `LLM_Prompt_Injection_Prevention_Cheat_Sheet.md`, and `Secure_AI_Model_Ops_Cheat_Sheet.md`, all of which cover material this PR touches (tool least-privilege, indirect injection, HITL, multi-agent). The new cheat sheet should cite and extend them rather than float beside them.

Two paths forward I'd be comfortable with:

(A) Rework in place. Keep the sections that are genuinely AI-coding-specific (section 1 on hallucinated deps, section 8 on context leakage, parts of section 13 on prompt-to-code supply chain). Drop the generic AppSec restatement. Add sections covering indirect prompt injection in coding agents, MCP and tool security, agent runtime sandboxing, rules-file integrity, out-of-scope edit review, and test fabrication. Lead with a trust boundary diagram. Cross-reference the three existing AI cheat sheets and align with AISVS.

(B) Narrow the scope and split. Rename this one to something like "AI Coding Assistant DevSecOps Pipeline Cheat Sheet", strip sections 9, 11, 12, and 15, and keep it focused on what changes in your existing pipeline. Then open a companion cheat sheet, "Agentic Coding Security Cheat Sheet", for the threat-model-heavy material above.

Either path works for me. Happy to help shape an outline for the agentic side if that's useful. As-is, I don't think we should merge it. It would tell readers the wrong thing about where the risk actually lives in 2026.

Jim

[razashariff]

Thanks Jim -- really appreciate the detailed feedback. Makes perfect sense. Bow to your experience on this one :) Went with option A and reworked the whole thing.

• Leads with agentic threat model and trust boundary diagram
• Added indirect prompt injection in the dev loop, MCP/tool security, agent runtime sandboxing, rules-file integrity, out-of-scope edits, test fabrication/deletion, CI/CD confused deputy, Markdown/unicode injection, and multi-agent propagation
• Dropped the generic AppSec overlap and governance sections
• Cross-referenced AI Agent Security, MCP Security, and LLM Prompt Injection cheat sheets throughout

Cheers,
Raza

[mackowski]

@jmanico can you please review it again after changes?
@razashariff thanks for the updated PR!