SecPI: Secure Code Generation with Reasoning Models via Security Reasoning Internalization
Summary: arXiv:2604.03587v1 Announce Type: cross
Abstract
Reasoning language models (RLMs) are increasingly used for programming tasks. Yet even cutting-edge RLMs often introduce significant security vulnerabilities in the code they generate. Traditional training-based methods for secure code generation have a major limitation: they depend on expensive, manually curated security datasets that cover only a limited range of vulnerabilities. At inference time, generic security reminders tend to degrade functional correctness while prompting only superficial, ad-hoc vulnerability analysis.
Introduction to SecPI
To tackle these challenges, we introduce SecPI, a fine-tuning pipeline that enables RLMs to internalize structured security reasoning. The fine-tuned model generates secure code by default, with no need for explicit security instructions during inference. SecPI consists of the following key components:
- Filtering of Datasets: SecPI filters existing general-purpose coding datasets for security-relevant tasks utilizing an LLM-based classifier.
- High-Quality Security Reasoning Traces: It generates comprehensive security reasoning traces through a teacher model that is guided by a structured prompt, systematically listing relevant Common Weakness Enumerations (CWEs) and corresponding mitigations.
- Fine-Tuning on Input Pairs: The target model is fine-tuned on pairs of an input that does not include the security prompt and the teacher’s reasoning trace for that input. This teaches the model to reason about security on its own rather than in response to explicit instructions.
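The three components above can be wired together as a small data-construction step. The following is an added example, not code from the SecPI paper: the prompt wording, the record fields, the "trace must name a CWE" gate, and the keyword classifier and canned teacher (stand-ins for the LLM calls) are all assumptions, and the sample tasks are constructed.

```python
from typing import Callable, Iterable

# Assumed wording: the page does not reproduce the paper's structured prompt.
SECURITY_PROMPT = (
    "Before coding, list every CWE relevant to this task and the mitigation "
    "for each, then write the solution applying those mitigations.\n\n"
)

def build_sft_records(
    tasks: Iterable[str],
    is_security_relevant: Callable[[str], bool],
    teacher: Callable[[str], str],
) -> list[dict]:
    """Filter tasks, get teacher traces with the prompt, store pairs without it."""
    records = []
    for task in tasks:
        if not is_security_relevant(task):       # component 1: classifier filter
            continue
        trace = teacher(SECURITY_PROMPT + task)  # component 2: teacher sees the prompt
        if "CWE-" not in trace:                  # assumed gate: trace must name a CWE
            continue
        records.append({"input": task, "target": trace})  # component 3: prompt-free input
    # Leak check: the student must never see the security instruction.
    assert all(SECURITY_PROMPT not in r["input"] for r in records)
    return records

# Constructed stand-ins so the example runs offline; a real pipeline calls LLMs here.
def keyword_classifier(task: str) -> bool:
    return any(k in task.lower() for k in ("sql", "upload", "password", "shell"))

def canned_teacher(prompt: str) -> str:
    assert prompt.startswith(SECURITY_PROMPT)
    task = prompt[len(SECURITY_PROMPT):].lower()
    if "sql" in task:
        return "Relevant: CWE-89 (SQL injection). Mitigation: bound parameters.\n<code>"
    if "upload" in task:
        return "Relevant: CWE-22 (path traversal). Mitigation: server-side file name.\n<code>"
    return "<code>"  # trace that skipped the analysis; dropped by the gate

TASKS = [  # constructed sample tasks
    "Write a Flask endpoint that looks up a user by name in SQLite using SQL.",
    "Implement quicksort for a list of integers.",
    "Save an uploaded file under the name the client supplied.",
    "Hash a password before storing it.",
]

if __name__ == "__main__":
    for rec in build_sft_records(TASKS, keyword_classifier, canned_teacher):
        print(rec)
```

Of the four sample tasks, the quicksort task is filtered out by the classifier and the password task is dropped because its trace names no CWE, leaving two training pairs whose inputs carry no security instruction.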
Evaluation and Results
We evaluated SecPI extensively on security benchmarks with state-of-the-art open-weight reasoning models. Notable findings include:
- SecPI significantly increases the percentage of functionally correct and secure code generations for the QwQ 32B model, from 48.2% to 62.2% (+14.0 points) on CWEval.
- On BaxBench, secure code generations rise from 18.2% to 22.0%.
- We also observed robust cross-CWE and cross-language generalization, extending beyond the training vulnerabilities.
- For instance, even when trained solely on injection-related CWEs, QwQ 32B demonstrated a 9.9% increase in generating correct and secure code when evaluated against held-out memory-safety CWEs.
Conclusion
SecPI is a significant advance in secure code generation with reasoning models. By internalizing security reasoning, RLMs can autonomously produce secure code without relying on explicit security prompts. This not only enhances the functional correctness of generated code but also substantially reduces the risk of security vulnerabilities in software development. The results of our extensive evaluations underscore SecPI's potential to change secure coding practices in the industry.
