A Framework and Checklist for Secure and Reflective Review of AI-Generated Code
摘要
Generative artificial intelligence tools such as ChatGPT and GitHub Copilot are increasingly used in software development to generate code from natural language prompts. While these tools offer productivity and accessibility benefits, they also introduce security risks and raise educational concerns related to how developers learn, retain, and apply secure coding practices. AI-generated code may contain vulnerabilities, unintended logic, or insecure defaults, and uncritical reliance on such outputs can reduce opportunities for reflective learning and skill development, particularly among novice and early-career programmers. This paper presents a structured framework for the secure review of AI-generated code that explicitly supports both security assurance and developer education. The framework is derived from an extensive literature review on AI-generated code security risks and established secure software development standards, notably the OWASP Top 10 and the Common Weakness Enumeration (CWE). It consists of a six-phase review process supported by a practical checklist designed to guide systematic evaluation, encourage reflection on intent and implementation, and externalize expert security knowledge in a form suitable for repeated learning. The framework and checklist were evaluated using scenario-based testing of AI-generated code and validated through an AI-persona-based review representing different development and security perspectives. This validation informed iterative refinement of the artefact and demonstrated its applicability as a structured review and learning instrument. The proposed approach positions secure code review as a reflective and educational activity, contributing to software security education and continuous professional development in AI-assisted programming contexts.