SecPI: Secure Code Generation with Reasoning Models via Security Reasoning Internalization

Researchers have developed SecPI, a new fine-tuning pipeline that teaches reasoning language models to automatically generate secure code without requiring explicit security instructions. The approach improves secure code generation by 14 percentage points on security benchmarks while maintaining functional correctness.

• →SecPI addresses critical security vulnerabilities in AI-generated code by teaching models to internalize security reasoning during training rather than relying on inference-time prompts.
• →The approach improved QwQ 32B's secure code generation from 48.2% to 62.2% on CWEval benchmark without degrading functional correctness.
• →SecPI demonstrates strong cross-language and cross-vulnerability generalization, working on security issues beyond those seen during training.
• →The method eliminates the need for costly manually curated security datasets by using LLM-based filtering of existing coding datasets.
• →Models trained with SecPI can reason about security autonomously without explicit security instructions at inference time.