Pro audit program · v1.0

AI Coding Assistant Security

Copilot / Cursor / Claude Code / Codeium / equivalent — quick audit of how AI code assistants are deployed in your engineering org.

  • Target area: General
  • Framework: NIST AI RMF
  • 8 controls in this program
  • Author: Cyentrix (Cyentrix Trusted Author)

Risks addressed

  • Critical: Source code or IP sent to a free-tier assistant for training
  • High: Vulnerable AI-generated code shipped without review
  • High: Secrets in suggestions leak into commits
  • Medium: Licence-incompatible code generated and not flagged

Controls (8)

  1. Approved AI coding assistants list

    High

    How to test + evidence

    Testing procedure: Single approved tool (or short list) with enterprise plan + DPA.

    Evidence to collect: Approved tool register.

  2. Enterprise tier — no training on customer code

    Critical

    How to test + evidence

    Testing procedure: Contract clause: code submitted is not used to train the provider's shared models.

    Evidence to collect: Signed DPA / contract clause.

  3. Repo-level scope + opt-out for sensitive code

    High

    How to test + evidence

    Testing procedure: Sensitive repos / paths excluded from assistant context.

    Evidence to collect: Scope config screenshot.

  4. Secret scanning on every commit (incl. AI-generated)

    Critical

    How to test + evidence

    Testing procedure: Pre-commit + push protection catches secrets the assistant suggested.

    Evidence to collect: Scanner config + last blocks.

  5. AI-generated code subject to normal PR review

    High

    How to test + evidence

    Testing procedure: Policy: AI output is treated as untrusted input; reviewer attests.

    Evidence to collect: Policy + PR template.

  6. SAST / SCA in CI catches insecure AI suggestions

    High

    How to test + evidence

    Testing procedure: Same security gates as any other code change.

    Evidence to collect: CI workflow.

  7. Licence / IP scanning on AI output

    Medium

    How to test + evidence

    Testing procedure: Tool flags suspiciously similar code blocks; legal review for ambiguous cases.

    Evidence to collect: Scanner config + last flags.

  8. Telemetry + audit: who used what, when

    Medium

    How to test + evidence

    Testing procedure: Tenant admin logs available; reviewed monthly.

    Evidence to collect: Audit log sample.