SecureCodeRL: Security-Aware Reinforcement Learning for Code Generation with Partial-Credit Rewards
Suryansh Singh Sijwali, Suman Saha
TL;DR
The paper addresses the challenge of generating correct code with large language models under strict stdin/stdout judging while also considering security. It introduces SecureCodeRL, a reinforcement learning pipeline that optimizes a combined reward $R = \alpha R_{\text{func}} + \beta R_{\text{sec}}$, where a partial-credit functional reward mitigates reward sparsity and a Bandit-based security penalty discourages insecure patterns. Through benchmarking on APPS+ and a pilot RL study, the approach demonstrates improved syntax validity and a non-zero test-signal (albeit small) while maintaining Bandit-clean results, suggesting reward shaping can enable learning where binary signals fail. The work provides a practical path toward more reliable and secure code generation, while acknowledging the need for larger-scale evaluation, uncertainty quantification, and broader security analysis to validate and extend these findings.
Abstract
Large Language Models (LLMs) can generate plausible code, but in settings that require exact stdin/stdout behavior they frequently produce programs that compile yet fail tests, and in some cases they introduce security-sensitive patterns. This paper presents SecureCodeRL, a reinforcement learning (RL) pipeline for security-aware code generation that optimizes a combined reward R = αRfunc + \b{eta}Rsec. The key idea is a partial-credit functional reward that assigns intermediate scores for syntactic validity, successful execution, and producing output, reducing reward sparsity that otherwise stalls learning on competitive programming style tasks. I evaluate supervised fine-tuning (SFT) and PPO variants on a small held-out prompt set from APPS+ and observe that PPO with partial credit (using a continued-training variant) improves syntax validity from 45% (SFT) to 60% and achieves the only non-zero test success signal in this pilot evaluation (5% at-least-one-test-pass), while remaining 100% clean under Bandit static analysis. Although Bandit findings were absent in this small evaluation, the security term is integrated into training to discourage insecure shortcuts when they appear.
