As discussed with @jrrao and @Akilsrin
Problem Description:
Developers using AI coding assistants are producing up to 10x more code per day than before. While existing static analysis and vulnerability scanners (e.g., GitHub Advanced Security, CodeQL, etc.) can still detect insecure code, the volume and velocity of code changes are overwhelming traditional review and triage processes.
Companies need policies about which repositories AI tools can access, which repos they can read and write to. Microsoft's responsible AI documentation provides templates for governing Copilot access. Google's Secure AI Framework includes guidelines for protecting code during AI-assisted development.
This problem is not about detection capability, it’s about managing exposure and scaling security governance for AI-assisted workflows and AI coding agents.
Proposed Work for CoSAI:
CoSAI could create standardized guidance and templates for enterprises adopting AI coding tools, including:
-
Repository Access Policies:
-
Define which repositories AI tools can read/write to, based on code sensitivity levels (e.g., public OSS repos vs. crown-jewel proprietary repos).
-
Provide decision matrices and example policies for governing AI tool permissions.
-
Reference and align with industry frameworks.
-
AI-Driven Review Requirements:
- Recommend moving from traditional “change size” metrics (e.g., lines of code changed) to volume- and frequency-aware review processes.
- Include guidance on code review for security-sensitive code and high-volume AI-generated commits.
-
Integration with Existing Efforts:
-
Build on OpenSSF’s secure development practices, but focus explicitly on enterprise environments where repository access governance is a key control.
-
Provide sample policy templates that organizations can adopt and customize quickly.
Impact:
Standardized repository access policies and scalable review frameworks would help organizations maintain strong security posture as AI-assisted development dramatically increases code production.
Potential New Workstream
This could be a potential new workstream.
As discussed with @jrrao and @Akilsrin
Problem Description:
Developers using AI coding assistants are producing up to 10x more code per day than before. While existing static analysis and vulnerability scanners (e.g., GitHub Advanced Security, CodeQL, etc.) can still detect insecure code, the volume and velocity of code changes are overwhelming traditional review and triage processes.
Companies need policies about which repositories AI tools can access, which repos they can read and write to. Microsoft's responsible AI documentation provides templates for governing Copilot access. Google's Secure AI Framework includes guidelines for protecting code during AI-assisted development.
This problem is not about detection capability, it’s about managing exposure and scaling security governance for AI-assisted workflows and AI coding agents.
Proposed Work for CoSAI:
CoSAI could create standardized guidance and templates for enterprises adopting AI coding tools, including:
Repository Access Policies:
Define which repositories AI tools can read/write to, based on code sensitivity levels (e.g., public OSS repos vs. crown-jewel proprietary repos).
Provide decision matrices and example policies for governing AI tool permissions.
Reference and align with industry frameworks.
AI-Driven Review Requirements:
Integration with Existing Efforts:
Build on OpenSSF’s secure development practices, but focus explicitly on enterprise environments where repository access governance is a key control.
Provide sample policy templates that organizations can adopt and customize quickly.
Impact:
Standardized repository access policies and scalable review frameworks would help organizations maintain strong security posture as AI-assisted development dramatically increases code production.
Potential New Workstream
This could be a potential new workstream.