New Security Standard for AI-Generated Go Code - Trivy Walkthrough


Cheikh Seck

Jun 24, 2026, 4:45:30 AM
to golang-nuts
Hi gophers,

I've been thinking about how AI code generation changes our security assumptions.

In 2026, a typical Go service has 60-80% AI-generated code. The dependency tree isn't curated by humans anymore - it's assembled by LLMs pulling from outdated training data.

This means we need new security standards. Manual review isn't enough when you didn't write the imports.

I just published a practical walkthrough showing how to implement one: automated security scanning with Trivy that blocks CVEs on every PR. Takes 5 minutes to set up.

Article: https://medium.com/p/d91605771b04

Would love feedback from the community on:
1. Is this the right approach for AI-era security?
2. What other standards do we need to establish?

Thanks,
Cheikh
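As an added illustration of the "block CVEs on every PR" gate the post describes (this is not the article's or Trivy's own code), the program below consumes a Trivy JSON report such as `trivy fs --format json` produces and exits non-zero when any finding is at or above the chosen severities. The report embedded here is constructed, with placeholder CVE IDs and module paths, so it runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Vuln is the subset of a Trivy finding (JSON SchemaVersion 2) that a PR gate needs.
type Vuln struct {
	ID           string `json:"VulnerabilityID"`
	PkgName      string `json:"PkgName"`
	FixedVersion string `json:"FixedVersion"`
	Severity     string `json:"Severity"`
}

// Gate returns every finding whose severity is in blockOn; non-empty means fail the PR.
func Gate(report []byte, blockOn map[string]bool) ([]Vuln, error) {
	var r struct {
		Results []struct {
			Vulnerabilities []Vuln `json:"Vulnerabilities"`
		} `json:"Results"`
	}
	if err := json.Unmarshal(report, &r); err != nil {
		return nil, fmt.Errorf("parse trivy report: %w", err)
	}
	var blocking []Vuln
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			if blockOn[v.Severity] {
				blocking = append(blocking, v)
			}
		}
	}
	return blocking, nil
}

// sampleReport is constructed input with placeholder CVE IDs and module paths, not a real scan.
const sampleReport = `{"SchemaVersion":2,"Results":[{"Target":"go.mod","Class":"lang-pkgs","Type":"gomod","Vulnerabilities":[
{"VulnerabilityID":"CVE-0000-00001","PkgName":"example.com/old/lib","FixedVersion":"v1.2.3","Severity":"CRITICAL"},
{"VulnerabilityID":"CVE-0000-00002","PkgName":"example.com/other","FixedVersion":"","Severity":"LOW"}]}]}`

func main() {
	blocking, err := Gate([]byte(sampleReport), map[string]bool{"CRITICAL": true, "HIGH": true})
	if err != nil || len(blocking) > 0 {
		fmt.Println("blocking:", err, blocking) // shows up in the CI log
		os.Exit(1)                              // non-zero exit fails the PR check
	}
}
```

An empty FixedVersion means no patched release exists yet, which is the case where a gate should surface the finding for a human decision rather than silently passing.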

Stephen Illingworth

Jun 24, 2026, 4:50:02 AM
to golang-nuts
Where does the 60-80% figure come from?

Cheikh Seck

Jun 24, 2026, 4:57:20 AM
to golang-nuts
I had Lite Agent (https://liteagent.cloud) compare GitHub commits before 2024 (approximate time of pre-agentic AI adoption). The findings were a drastic increase in LoC.

Cheikh Seck

Jun 24, 2026, 5:01:25 AM
to golang-nuts
Screenshot From 2026-06-24 09-00-52.png

Cheikh Seck

Jun 24, 2026, 5:41:57 AM
to golang-nuts
Key take-away from this article is that LLMs don't make the best judgement, but rather the average judgement. We spent months worrying about LLMs training on our code, but it turns out our code was cr*p all along :D

brainman

Jun 24, 2026, 5:33:58 PM
to golang-nuts
Cheikh,

What problem are you trying to solve?

You can still write your program yourself and not import crappy packages.

Alex

Cheikh Seck

Jun 24, 2026, 8:19:17 PM
to golang-nuts
When you start a project from an agent (i.e. Claude, Codex) it tends to import old packages. I've experienced this while working for a smut website a few months back and most recently with Godex, where Trivy found 15 critical vulnerabilities. The idea I'm trying to convey is that LLMs may suggest packages while ignoring the fact that they may have been compromised since it was trained. Does that make sense?

Cheikh Seck

Jun 24, 2026, 9:20:49 PM
to golang-nuts
Also, an LLM may use an old API for a package and this can fool goimport into using an old, unmaintained version as well.

brainman

2:12 AM (8 hours ago)
to golang-nuts
Thanks for explaining.

But I do not see any difference between AI and manually written code.

If you are OK to take risk, then security does not matter.

If you are not prepared to take risk, then you need to check code you import.

It has always been this way.

Alex

Cheikh Seck

4:55 AM (5 hours ago)
to golang-nuts
Exactly, and my point is that Trivy checks the code for you, so you don't have to lol