VirtueGuard-Code: Effective and Lightweight Guardrail Solutions for AI Generated Code

Introducing VirtueGuard-Code, the next-generation security framework that provides comprehensive guardrails for AI-generated code and significantly outperforms the industry-leading product, LlamaFirewall.


CodeGen AI and security risks

The remarkable coding capabilities of generative AI models and agents come with concerns about the security risks of code generation. As shown in our recent post [How Safe is Your AI Coding Assistant? A Virtue AI Security Audit], leading commercial and open-source models, as well as coding agents, can generate vulnerable code that leads to serious security problems. For example, AI code assistants such as Cursor may generate vulnerable code belonging to CWE-95 (unsafe use of the eval() function in Python), which leads to arbitrary code execution. They can also generate CWE-200 vulnerabilities, which lead to sensitive information leakage.
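A minimal static check for the CWE-95 pattern mentioned above, as an added example that is not part of the original post and is not VirtueGuard-Code's own method: it flags eval()/exec() calls whose argument is not a constant in a constructed sample of generated code, and shows ast.literal_eval as the hardened replacement. The sample code and the names find_cwe95 and safe_parse are assumptions made for illustration.

```python
import ast

# Constructed sample of assistant-generated code (not from the original post).
GENERATED = '''
import ast

def load_setting_unsafe(raw):
    # CWE-95: caller-controlled text reaches eval() and runs as Python
    return eval(raw)

def load_setting_safe(raw):
    # Hardened form: literal_eval accepts only Python literals
    return ast.literal_eval(raw)

def banner():
    return eval("1 + 1")  # constant argument, not caller-influenced
'''

DYNAMIC_EVAL = {"eval", "exec"}


def find_cwe95(source):
    """Return (function, line, call) for each eval/exec call on a non-constant argument."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Name)
                    and node.func.id in DYNAMIC_EVAL
                    and node.args
                    and not isinstance(node.args[0], ast.Constant)):
                findings.append((func.name, node.lineno, node.func.id))
    return findings


def safe_parse(raw):
    """Parse a literal value; return None for anything that is not a plain literal."""
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError):
        return None


if __name__ == "__main__":
    for name, line, call in find_cwe95(GENERATED):
        print(f"{name}:{line}: {call}() on non-constant input (CWE-95)")
    print(safe_parse("{'debug': True}"), safe_parse("__import__('os').getcwd()"))
```

A name-based check like this misses aliased or indirect calls to eval(), so it illustrates the pattern rather than replacing a full analyzer.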

Our recent research [RedCode] also shows that LLMs can be jailbroken into generating malware and cyber attacks in response to malicious queries. This is a serious concern, as attackers can leverage generative AI to automate their attacks and launch them at scale. For example, in CVE-2024-23751, attackers leverage an LLM to generate malicious payloads for SQL injection attacks.

VirtueGuard-Code – Technique at a glance

To promote the safe and secure use of generative AI in coding tasks, we at Virtue AI developed VirtueGuard-Code, a real-time guardrail for GenAI-based coding models and agents.

VirtueGuard-Code is equipped with our customized VirtueGuard-Code models for various code generation risks. Our models are compact yet effective autoregressive models, capable of identifying malicious user queries and detecting severe vulnerabilities in AI-generated code. An overview of the VirtueGuard-Code design is shown in Figure 1. We also provide an agentic guardrail solution, VirtueGuard-Code Agent, built on our guardrail models. It can autonomously invoke other available tools as needed and thus effectively retrieve the necessary code context when performing vulnerability detection. This significantly reduces false positives when detecting vulnerabilities in AI-generated code, especially when the code spans multiple functions, classes, or even files.

Overview of VirtueGuard-Code, which provides guardrail solutions for both input and output, at the malicious-request and generated-code levels.


VirtueGuard-Code – Comprehensive risk coverage

VirtueGuard-Code protects GenAI models and agents from being weaponized to generate malware or cyber attacks. It also detects severe vulnerabilities in AI-generated code. Figure 2 illustrates the risk categories we cover.

Security risks covered by VirtueGuard-Code.

Below is the summary of the key features.

Vulnerability detection:

  • Cover three widely used programming languages: Python, C/C++, Java
  • Detect 50+ severe CWEs and the OWASP Top 10
  • Adaptable to regulations and policies such as the EU AI Act, the OWASP Top 10, and company-customized policies

Preventing weaponization:

  • Comprehensive risk coverage, including malware, cyberattacks, and agent attacks
  • Lightweight
  • Support standard policies (e.g., EU AI Act) and company customized policies

VirtueGuard-Code – Industry-leading effectiveness and efficiency

VirtueGuard-Code is the first guardrail model for code risks, outperforming SOTA LLMs and static analysis tools in both accuracy and latency.


VirtueGuard-Code – Now integrated into a VS Code plugin

VirtueGuard-Code is now integrated as an easy-to-use VS Code plugin. It can be freely downloaded from the marketplace and used through a simple configuration.

Demonstration of VirtueGuard-Code in the VS Code marketplace.

VirtueGuard-Code supports automatic scanning of the current file through the following setting:

vulscan.autoAnalyzeOnSave=true

It also supports analyzing specific code sections. As shown below, VirtueGuard-Code can scan the selected function and flag potential vulnerabilities in the selected code, together with suggestions for improving the code.


VirtueGuard-Code can analyze the selected function, pinpoint potential vulnerabilities, and provide mitigation suggestions.


Ready to secure your coding agents? Contact our team today to learn more about Virtue AI’s comprehensive security platform and schedule a demonstration tailored to your specific use cases.



About Virtue AI: We are a leading provider of security solutions for AI agent systems, committed to enabling the safe and secure deployment of autonomous AI in enterprise environments. Our team of AI and cybersecurity experts is dedicated to staying ahead of emerging threats and protecting organizations as they adopt agentic AI technologies.