GoodVibe: Security-by-Vibe for LLM-Based Code Generation

Maximilian Thang, Lichao Wu, Sasha Behrouzi, Mohamadreza Rostami, Jona te Lintelo, Stjepan Picek, Ahmad-Reza Sadeghi

TL;DR

GoodVibe tackles insecure default code generation in vibe coding by enforcing security awareness directly inside LLMs. It identifies security-relevant neurons through gradient-based attribution and performs neuron-selective fine-tuning restricted to a small security subspace, with activation-driven clustering to share updates and reduce parameters. Across six open-source LLMs and multiple programming languages, GoodVibe delivers substantial security gains (up to 2.5x) with orders of magnitude fewer trainable parameters and fewer FLOPs than full fine-tuning and LoRA, while preserving utility on reasoning benchmarks. This intrinsic, efficient approach enables secure-by-default code generation suitable for real-world, security-agnostic workflows.

Abstract

Large language models (LLMs) are increasingly used for code generation in fast, informal development workflows, often referred to as vibe coding, where speed and convenience are prioritized, and security requirements are rarely made explicit. In this setting, models frequently produce functionally correct but insecure code, creating a growing security risk. Existing approaches to improving code security rely on full-parameter fine-tuning or parameter-efficient adaptations, which are either costly and prone to catastrophic forgetting or operate at coarse granularity with limited interpretability and control. We present GoodVibe, a neuron-level framework for improving the security of code language models by default. GoodVibe is based on the key insight that security-relevant reasoning is localized to a small subset of neurons. We identify these neurons using gradient-based attribution from a supervised security task and perform neuron-selective fine-tuning that updates only this security-critical subspace. To further reduce training cost, we introduce activation-driven neuron clustering, enabling structured updates with minimal overhead. We evaluate GoodVibe on six LLMs across security-critical programming languages, including C++, Java, Swift, and Go. GoodVibe substantially improves the security of generated code while preserving general model utility, achieving up to a 2.5x improvement over base models, matching or exceeding full fine-tuning with over 4,700x fewer trainable parameters, and reducing training computation by more than 3.6x compared to the parameter-efficient baseline (LoRA). Our results demonstrate that neuron-level optimization offers an effective and scalable approach to securing code generation without sacrificing efficiency or generality.
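As an added toy illustration (not the paper's code or its exact algorithm) of the two steps the abstract names: gradient-based attribution ranks hidden neurons by the magnitude of the security-task loss gradient with respect to their activations, and the fine-tuning step then updates only the incoming weights of the top-k neurons, leaving every other parameter untouched. The one-hidden-layer network, the labelled data, the sizes and the scoring rule (plain gradient magnitude) are constructed assumptions; the paper's activation-driven clustering is not shown.

```python
import math, random
random.seed(0)
D, H = 4, 8   # input features and hidden neurons (constructed sizes)
W1 = [[random.gauss(0, 0.5) for _ in range(D)] for _ in range(H)]
b1, b2 = [0.0] * H, 0.0
w2 = [random.gauss(0, 0.5) for _ in range(H)]
# Constructed supervised security task: feature vector -> 1 (secure) / 0 (insecure).
DATA = [([1, 0, 1, 0], 1), ([0, 1, 0, 1], 0), ([1, 1, 0, 0], 1), ([0, 0, 1, 1], 0)]

def forward(x):  # hidden activations h (tanh) and output probability p (sigmoid)
    h = [math.tanh(sum(W1[j][i] * x[i] for i in range(D)) + b1[j]) for j in range(H)]
    p = 1.0 / (1.0 + math.exp(-(sum(w2[j] * h[j] for j in range(H)) + b2)))
    return h, p

def loss(data=DATA):  # mean binary cross-entropy on the security task
    total = 0.0
    for x, y in data:
        _, p = forward(x)
        total -= y * math.log(p) + (1 - y) * math.log(1 - p)
    return total / len(data)

def attribution_scores(data=DATA):
    """Gradient-based attribution: sum of |dLoss/dh_j| per hidden neuron (assumed rule)."""
    scores = [0.0] * H
    for x, y in data:
        _, p = forward(x)
        for j in range(H):
            scores[j] += abs((p - y) * w2[j])  # dLoss/dlogit = p - y, chained through w2
    return scores

def select_security_neurons(k, data=DATA):  # k top-scoring neurons = security subspace
    scores = attribution_scores(data)
    return sorted(range(H), key=lambda j: -scores[j])[:k]

def neuron_selective_step(selected, lr=0.01, data=DATA):
    """One SGD step touching only W1 rows / b1 entries of the selected neurons; returns #params updated."""
    gW, gb = [[0.0] * D for _ in range(H)], [0.0] * H
    for x, y in data:
        h, p = forward(x)
        for j in selected:
            dh = (p - y) * w2[j] * (1 - h[j] ** 2) / len(data)  # via output layer and tanh
            gb[j] += dh
            for i in range(D):
                gW[j][i] += dh * x[i]
    for j in selected:
        b1[j] -= lr * gb[j]
        for i in range(D):
            W1[j][i] -= lr * gW[j][i]
    return len(selected) * (D + 1)
```

With k=3 the step updates 15 parameters, against 49 for a full update of this toy network; the non-selected rows of W1 are bit-for-bit unchanged afterwards.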

Paper Structure

This paper contains 26 sections, 8 equations, 4 figures, 9 tables.

Figures (4)

  • Figure 1: An Overview of the Security Neuron Identification Pipeline.
  • Figure 2: An Overview of the Cluster-based Security Optimization Pipeline.
  • Figure 3: Utility evaluation before and after GoodVibe fine-tuning across the GSM8K, ARC, and MMLU benchmarks. Numeric labels denote the change in accuracy ($\Delta$) between the fine-tuned and corresponding base models.
  • Figure 4: Visualization of Neuron Clusters.