You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/Security-Focused-Guide-for-AI-Code-Assistant-Instructions.md
+7-3Lines changed: 7 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,15 +15,19 @@ Short on time? Here's what really matters:
15
15
***You Are the Pilot – AI is the Co-pilot:** The developer (you) remains in full control of the code. Critically evaluate and edit AI-generated code just as you would code written by a human colleague and never blindly accept suggestions. [[anssibsi2024a]](#anssibsi2024a)
16
16
***Apply Engineering Best Practices Always:** AI-generated code isn't a shortcut around engineering processes such as code reviews, testing, static analysis, documentation, and version control discipline. [[markvero2025a]](#markvero2025a)
17
17
***Be Security-Conscious:** Assume AI-written code can have bugs or vulnerabilities, because it often does. AI coding assistants can introduce security issues like using outdated cryptography or outdated dependencies, ignoring error handling, or leaking secrets. Check for any secrets or sensitive data in the suggested code. Make sure dependency suggestions are safe and not pulling in known vulnerable packages. [[shihchiehdai2025a]](#shihchiehdai2025a), [[anssibsi2024b]](#anssibsi2024b)
18
-
***Guide the AI:** AI is a powerful assistant, but it works best with your guidance. Write clear prompts that specify security requirements. Don't hesitate to modify or reject AI outputs. Direct your AI tool to build its own instructions file based on this guide. [[swaroopdora2025a]](#swaroopdora2025a)[[haoyan2025a]](#haoyan2025a)
18
+
***Guide the AI:** AI is a powerful assistant, but it works best with your guidance. Write clear precise prompts that specify security requirements. Don't hesitate to modify or reject AI outputs. Direct your AI tool to build its own instructions file based on this guide. [[swaroopdora2025a]](#swaroopdora2025a)[[haoyan2025a]](#haoyan2025a)
19
19
***Ask the AI to review and improve its own work**. Once you have some AI-written code, where possible, ask it to review and improve its own work (repeating these steps as necessary). This technique is sometimes called Recursive Criticism and Improvement (RCI) and can be remarkably effective. For instance, "Review your previous answer and find problems with your answer" followed by "Based on the problems you found, improve your answer" for one or more iterations. Encourage the use of tools such as linters, SAST, dependency checkers, etc. through the improvement cycles. [[catherinetony2024a]](#catherinetony2024a)
20
+
***Express your concerns to the AI**. If you have concerns about something AI has generated, express your concerns in detail, and ask it to analyze that code to determine whether or not it's okay. Review that answer.
20
21
21
22
By keeping these points in mind, you can harness AI code assistants effectively without sacrificing quality or security.
22
23
23
24
### TL;DR Sample Instructions
24
25
25
-
Here are sample instructions that you can copy and paste
26
-
(details are below):
26
+
Here are sample instructions that you can copy and paste.
27
+
In most cases you should extract *from* this sample (for details see below):
28
+
If you copy and paste irrelevant parts, the AI is more likely to generate
29
+
extraneous or even incorrect code as it attempts to compensate for
30
+
attacks that can't happen:
27
31
28
32
> Provide secure code.
29
33
User inputs should be checked for expected format and length.
0 commit comments