Inference-Time Safety for Code LLMs via Retrieval-Augmented Revision

Conference: ICLR 2026 arXiv: 2603.01494 Code: None Area: Code Security / Retrieval-Augmented Generation Keywords: code safety, retrieval-augmented generation, inference-time intervention, vulnerability repair, Stack Overflow

TL;DR

This paper proposes SOSecure, a training-free inference-time safety mechanism that retrieves relevant community security warnings from a Stack Overflow knowledge base via BM25, guiding the model to autonomously revise unsafe code during inference. SOSecure achieves up to 96.7% vulnerability fix rate with zero new vulnerability introductions across three real-world datasets.

Background & Motivation

Background: LLM-based code generation tools (e.g., GitHub Copilot, ChatGPT, Cursor) have been widely deployed in real-world development workflows, substantially improving developer productivity. However, these models pose serious trustworthiness concerns in security-sensitive contexts—training data contains numerous outdated or unsafe coding patterns, causing models to repeatedly reproduce known CWE vulnerabilities.

Limitations of Prior Work: The dominant approach to addressing code security is fine-tuning or retraining, which is costly and difficult to update frequently. Programming languages, libraries, and frameworks evolve rapidly (e.g., TensorFlow frequently deprecates unsafe APIs), and static training snapshots cannot keep pace with evolving security standards. More critically, developers tend to over-trust LLM-generated code, integrating it directly into production systems without adequate security review.

Key Challenge: LLMs possess the ability to generate syntactically correct and functionally complete code, but lack transparent security reasoning capabilities—they cannot explain why a given pattern is unsafe, nor proactively adapt to newly discovered vulnerabilities. A fundamental tension exists between the cost of retraining and the rate at which security knowledge evolves.

Goal: (1) How can code generation safety be improved without retraining the model? (2) How can continuously evolving community security knowledge compensate for the model's static knowledge? (3) How can an interpretable, adaptable inference-time safety intervention mechanism be designed?

Key Insight: The authors observe that the Stack Overflow community has accumulated rich security discussions over more than a decade—developers explain in comments why code is unsafe and suggest safer alternatives. This human-authored, explanatory knowledge represents the "why" layer of security reasoning that is absent from LLM training data.

Core Idea: Use BM25 to retrieve relevant security warnings from a Stack Overflow discussion knowledge base for generated code, and use these as inference-time context to guide the LLM to autonomously revise unsafe code.

Method

Overall Architecture

SOSecure is a model-agnostic inference-time safety layer that requires no model training or fine-tuning. Its pipeline consists of three stages: (1) the LLM generates code normally; (2) SOSecure retrieves relevant security discussions from a pre-built Stack Overflow knowledge base; (3) the retrieved community discussions are incorporated as context into a revision prompt, allowing the LLM to determine whether the code requires modification. The entire process is transparent to the user; retrieved content is not injected directly into the code but serves as "reference guidance" for model reasoning.

Key Designs

1. Security-Oriented Knowledge Base:

   • Function: Construct a Stack Overflow knowledge base focused on security issues, serving as the retrieval source.
   • Mechanism: Security-relevant answers and comment threads are filtered from Stack Overflow using a curated set of security keywords (including known vulnerability references, deprecation warnings, and dangerous usage patterns). As a minimal quality control measure, answers or at least one comment are required to have received at least one community upvote.
   • Design Motivation: The lenient quality filtering strategy (requiring only ≥1 vote) is intentional—prioritizing recall over precision, since the downstream LLM is better equipped than static filters to judge the relevance and validity of retrieved content.

2. Community Discussion Retrieval via BM25:

   • Function: Given an LLM-generated code snippet, retrieve the most relevant security discussions from the knowledge base.
   • Mechanism: A BM25 lexical matching retrieval model is used to retrieve the top-\(k\) (default \(k=5\)) most similar Stack Overflow answers and their comment threads based on lexical similarity between the generated code and knowledge base snippets. BM25 is chosen over dense vector retrieval because security vulnerabilities often depend on specific API calls, configuration parameters, or error messages (e.g., shell=True, pickle.loads, debug=True)—critical identifiers that tend to be diluted in dense embeddings.
   • Design Motivation: Preliminary experiments comparing dense embedding retrieval and sparse lexical retrieval showed that BM25 is more reliable for retrieving security-relevant discussions. Dense methods frequently failed when vulnerabilities depended on specific API calls, while BM25 more consistently matched discussions referencing the same functions and parameters.

3. Inference-Time Revision Prompt Construction:

   • Function: Integrate retrieved community discussions into a structured revision prompt that guides the LLM to review and potentially modify its generated code.
   • Mechanism: A conservative prompt is constructed that explicitly instructs the LLM to review the security of generated code guided by community feedback, and to decide whether modifications are needed. Crucially, the model is explicitly permitted to leave the code unchanged—when it judges that the original implementation already follows secure practices, no modification is required. Retrieved content is positioned as "contextual guidance" rather than "mandatory instructions."
   • Design Motivation: The conservative prompt strategy mitigates the risk of overcorrection—it avoids imposing potentially outdated or incomplete suggestions on the code, instead leveraging the model's own reasoning capabilities to weigh community advice against the applicability of the current code.

Loss & Training

SOSecure is a purely inference-time method with no training or fine-tuning involved. Its core design philosophy is to serve as a complementary safety layer to existing training-time methods and static analysis tools.

Key Experimental Results

Main Results

Dataset	Method	Fix Rate	Introduction Rate	Gain over Prompt-only
SALLM	Prompt-only	49.1%	-	-
SALLM	GPT-4+CWE	58.5%	-	+9.4%
SALLM	SOSecure	71.7%	0.0%	+22.6%
LLMSecEval	Prompt-only	56.5%	-	-
LLMSecEval	GPT-4+CWE	69.6%	-	+13.1%
LLMSecEval	SOSecure	91.3%	0.0%	+34.8%
LMSys	Prompt-only	37.5%	-	-
LMSys	GPT-4+CWE	45.8%	-	+8.3%
LMSys	SOSecure	96.7%	0.0%	+59.2%

Ablation Study

Configuration	Fix Rate	Introduction Rate	Notes
Prompt-only baseline	37.5%	0.0%	No safety intervention
GPT-4+CWE (label only)	45.8%	0.0%	CWE identifier provided, no community explanation
Revision-only (no retrieval)	41.2%	0.0%	Self-review without external context
SOSecure (\(k=5\))	96.7%	0.0%	Full method with community discussion retrieval

C Language Code Evaluation

Method	Fix Rate	Introduction Rate	No Change Rate
Prompt-only	53.3%	0.0%	80.0%
GPT-4+CWE	60.0%	0.0%	77.5%
SOSecure	73.3%	0.0%	72.5%

Key Findings

• Community discussions are critical: Ablation results show that self-revision alone (Revision-only) yields only marginal improvement (37.5%→41.2%), whereas incorporating retrieved community discussions boosts the Fix Rate to 96.7%, demonstrating that SOSecure's gains stem from community-authored security explanations rather than simple self-reflection.
• Vulnerability labels are insufficient: Even with explicit CWE labels provided (GPT-4+CWE), fix rates remain far below SOSecure, revealing a substantial gap between "knowing a vulnerability exists" and "understanding why it is unsafe and how to fix it."
• Zero new vulnerability introductions: Across all datasets and configurations, SOSecure never introduced new security vulnerabilities, validating the effectiveness of the conservative revision strategy.
• Cross-language generalization: SOSecure is effective on C code as well (Fix Rate improved from 53.3% to 73.3%) without any language-specific tuning.

Highlights & Insights

• Inference-time intervention outperforms training-time repair: This design paradigm—intervening in security repair after code generation rather than at training time—enables the system to adapt to newly discovered vulnerabilities at any time without retraining. This approach is transferable to any code generation scenario requiring continuously updated knowledge.
• Unique value of community knowledge: Stack Overflow discussions provide not only "what is safe" but, more importantly, "why something is unsafe." This causal, explanatory knowledge is scarce in LLM training data and is the key to eliciting deeper security reasoning from the model.
• Counter-intuitive finding: BM25 outperforms dense retrieval: In the security domain, specific API names and configuration parameters are critical signals; dense embeddings tend to dilute these key identifiers. This finding generalizes to other retrieval tasks that rely on precise identifier matching.

Limitations & Future Work

• Reliance on static analysis tools for evaluation: CodeQL and Bandit are known to have false positives and false negatives; evaluation results should be interpreted with caution.
• Limited knowledge base coverage: Stack Overflow security discussions may not cover all vulnerability types, especially emerging or rare security issues.
• Only GPT-4 evaluated: Generalizability to other LLMs (e.g., open-source models) has not been validated.
• Upper bound on retrieval quality: BM25 depends on lexical overlap and may miss security patterns that are semantically equivalent but lexically distinct.
• Future work could explore hybrid strategies combining dense and sparse retrieval, or incorporate CWE knowledge graphs to enhance retrieval coverage.

Related Work & Insights

• vs. Fine-tuning/Retraining methods: These approaches require large amounts of security-annotated data and cannot adapt to new vulnerabilities; SOSecure dynamically updates knowledge without training.
• vs. Prompt engineering alone: Simply prompting models to attend to security yields very limited improvement (Fix Rate only 37.5%), indicating that models require external knowledge to supplement security reasoning.
• vs. RAG for CVE: Prior work uses CVE databases for retrieval augmentation, but Stack Overflow provides richer causal explanations and repair suggestions rather than mere vulnerability descriptions.

Rating

• Novelty: ⭐⭐⭐⭐ The combination of inference-time safety intervention and community knowledge retrieval is novel, though individual components are relatively simple.
• Experimental Thoroughness: ⭐⭐⭐⭐ Three datasets cover diverse scenarios with comprehensive ablation, but multi-model comparisons are absent.
• Writing Quality: ⭐⭐⭐⭐⭐ The paper is clearly structured, motivations are well-articulated, and discussions are thorough.
• Value: ⭐⭐⭐⭐ The concept of a practical inference-time safety layer has clear engineering deployment value.

Related Papers

• [ACL 2026] Across Programming Language Silos: A Study on Cross-Lingual Retrieval-Augmented Code Generation
• [ICLR 2026] KV Cache Transform Coding for Compact Storage in LLM Inference
• [ICLR 2026] IMSE: Intrinsic Mixture of Spectral Experts Fine-tuning for Test-Time Adaptation
• [ICLR 2026] Improving Code Localization with Repository Memory
• [NeurIPS 2025] Program Synthesis via Test-Time Transduction