Back to Blog
AI Security

AI Coding Agents Are Boosting Commit Velocity — And Security Debt With It

A viral GitHub commit-frequency chart shows how much modern coding agents accelerate output. Independent testing suggests the code behind that velocity still fails basic security checks at a striking rate.

PyramidLedger Research4 min read
Share

Key Takeaways

  • A commit-frequency chart from Simon Willison's Datasette project shows a sharp spike in code output that he attributes to recent coding-agent-class models.
  • Veracode's 2026 research across 150+ LLMs found only 55% of AI-generated code passes basic security tests, with cross-site scripting (15%) and log injection (13%) among the weakest categories.
  • Security debt is rising alongside AI-assisted output: 82% of organizations now carry security debt, up from 74% a year earlier, per Veracode's 2026 State of Software Security data.
  • The practical takeaway for engineering teams: review and secure-SDLC capacity needs to scale with agent-driven commit velocity, not lag behind it.

A chart that captures a real shift

Simon Willison, maintainer of the open-source Datasette project, recently shared a GitHub code-frequency chart spanning the project's history back to 2018. He was looking for a concrete illustration of how coding agents and "Opus 4.5-class" models had changed his own output — and found it in a sharp spike in the frequency of code changes toward the end of the chart, which he attributes to recent releases including Opus 4.8, GPT-5.5, Fable 5 and GPT-5.6 Sol.

It's a small, personal data point — one maintainer, one repository. But it captures something practitioners are seeing more broadly: agentic coding tools are compressing what used to be weeks of hand-written commits into days. That shift has direct implications for how security teams need to operate, not just for how fast software ships.

The other side of the graph: security debt

Independent testing suggests the code behind velocity spikes like this deserves scrutiny. In its 2026 research across more than 150 large language models, Veracode found that only 55% of AI-generated code passes basic security tests — and the gap is uneven across vulnerability classes. Models handled SQL injection and insecure cryptography relatively well (82% and 86% pass rates), but performed far worse on cross-site scripting (15%) and log injection (13%).

That gap compounds as output volume rises. Veracode's 2026 State of Software Security data, cited in the same report, found 82% of organizations now carry security debt — unresolved, accumulating vulnerabilities — up from 74% the year before, with high-risk vulnerabilities up 36% year-over-year. Security pass rates for AI-generated code have stayed roughly flat since 2023, even as syntax correctness has climbed above 95%.

Why this matters even if you don't publish commit graphs

A rising commit-frequency chart is not, by itself, a security signal — it measures volume, not quality. But read alongside Veracode's numbers, it's a reasonable proxy for review debt: if a maintainer or team is shipping several times more code per week than a year ago, and the underlying models still fail basic checks on categories like XSS and log injection at a high rate, review and testing capacity needs to scale at the same pace — or the debt accumulates quietly until it surfaces as an incident.

  • Gate merges on automated security scanning tuned to the vulnerability classes models handle worst — XSS and log/output handling — not just linting and formatting.
  • Track review throughput (time-to-review, reviewer load) as a first-class engineering metric alongside commit and PR velocity, not an afterthought.
  • Require mandatory human sign-off on agent-authored changes that touch authentication, input handling, or dependency manifests, regardless of how routine the diff looks.

Frequently Asked Questions

Does a rising commit-frequency chart mean the code is less secure?

Not by itself — it only measures volume. But independent testing shows AI-generated code overall still fails basic security checks at a notable rate, particularly for cross-site scripting and log injection, so higher volume without added review capacity does raise risk.

What is "security debt" in this context?

It refers to unresolved vulnerabilities that accumulate faster than teams can remediate them. Veracode's 2026 data shows the share of organizations carrying security debt grew from 74% to 82% year over year, with high-risk vulnerabilities up 36%.

What should engineering teams do as agent-driven commit volume rises?

Match review capacity to velocity: automate detection for the vulnerability classes models handle worst, track review throughput as a real metric, and keep human sign-off mandatory for security-sensitive code paths.

Sources

  1. 1datasette code-frequency chart on GitHubSimon Willison
  2. 2AI Coding Tools Are Creating a Security Gap We Must Close ImmediatelyVeracode
  3. 3datasette code-frequency chart on GitHubSimon Willison
Share

Read next