Fortifying LLM-Based Code Generation with Graph-Based Reasoning on Secure Coding Practices
Rupam Patir, Keyan Guo, Haipeng Cai, Hongxin Hu
TL;DR
This work tackles the security gaps in LLM-generated code by introducing GRASP, a graph-guided fortification framework that leverages a Directed Acyclic Graph of Secure Coding Practices ($G_{SCP}$) and a graph-based reasoning process to iteratively refine an initial seed solution ($c_0$) into secure code ($c_i$) while preserving functional correctness. By deriving 28 code-level SCPs from the OWASP checklist and dynamically traversing the SCP graph with a relevance threshold ($ au$), GRASP achieves interpretable, model-agnostic protections without retraining or external analyzers. A dedicated benchmark of 54 natural-language prompts spanning 17 CWEs and unit tests enables joint evaluation of security and functionality, demonstrating $SR > 0.8$ across multiple LLMs and up to an $88\%$ improvement on unseen CVEs. The approach emphasizes generalization to zero-day vulnerabilities, scalability, and efficiency, showing that structured reasoning over SCPs can robustly fortify code generation in real-world settings while reducing reliance on vulnerability-specific datasets and tooling.
Abstract
The code generation capabilities of Large Language Models (LLMs) have transformed the field of software development. However, this advancement also presents significant security challenges, as LLM-generated code often contains vulnerabilities. One direction of research strengthens LLMs by injecting or refining security knowledge through curated datasets, model tuning, or static analyzers. While effective in certain settings, these methods can be resource-intensive, less adaptable to zero-day vulnerabilities, and often inapplicable to proprietary models. To address these challenges, we introduce GRASP, which explores a new direction that focuses on structured reasoning over Secure Coding Practices(SCPs) rather than additional training or external feedback. GRASP comprises two key ideas: (1) an SCP graph that organizes SCPs into a Directed Acyclic Graph (DAG) capturing dependencies and relationships, and (2) a graph-based reasoning process that systematically guides LLMs through relevant SCPs for code generation. This design enables interpretable, model-agnostic, and scalable security improvements, particularly for previously unseen vulnerabilities. Our evaluation shows that GRASP consistently achieves Security Rates (SR) exceeding 80% across multiple LLMs, and delivers up to 88% improvements over baselines on zero-day vulnerabilities.