{"slug": "one-issue-every-62-lines-21-6m-lines-of-ai-generated-code-scanned", "title": "One issue every 62 lines: 21.6M lines of AI-generated code, scanned", "summary": "A scan of 21.6 million lines of AI-generated code from 424 projects found one issue every 62 lines, with 87% of projects having at least one security finding. Lovable and v0 projects had roughly double the issue density of Bolt and Copilot-assisted repos, and 14% of all projects shipped leaked secrets or hardcoded credentials.", "body_md": "Published July 2026 by [Quality Clouds Hub](https://qualityclouds.ai) · Data available under CC-BY-4.0\n\n14% of AI-generated projects ship with a leaked secret or hardcoded credential. 98% of Supabase-backed apps carry at least one security finding, against 77% of everything else. Across 21.6 million lines of AI-generated code, we found one issue every 62 lines.\n\n- We scanned\n**424 public projects** built with Lovable, Bolt, v0, and AI-copilot-tagged GitHub repos, totalling**21,632,176 lines of code**. - The scans produced\n**346,944 issues**, or** 16.0 per 1,000 lines of code**. **87%** of projects have at least one security finding. Only**56 of 424** are clean on security.- Security findings are\n**6%** of all findings (21,361 of 346,944). We lead on security because it is the consequential category, not the common one. **14%** of projects shipped at least one leaked secret or hardcoded credential.**98%** of the 206 Supabase-backed projects have at least one security finding, against**77%** of non-Supabase projects, at 2.4x the security-issue density. Supabase-backed apps carry a distinct class of client-side exposure (service-role keys, client-side auth logic, public buckets) that the other stacks avoid by never reaching for a BaaS. The baseline matters: Supabase amplifies the problem, it does not create it.- The single most common HIGH finding,\n*Async Operation Without Error Handling*, appears in**79%** of projects. One caveat worth knowing before that number gets quoted: it fires 138,601 times, which is roughly 68% of every HIGH finding in the corpus, and 10 of our 295 rules produce 88% of all findings. Our severity mix is mostly a statement about a handful of rules.\n\nRanked by **issue density** (issues per 1,000 lines of code, lower is better).\n\n| # | Generator | Repos | Issues / KLOC | Security issues / KLOC | Projects with a security finding | Median issues per project |\n|---|---|---|---|---|---|---|\n| 1 | AI-tagged GitHub (Copilot-assisted) |\n89 | 9.1 |\n0.33 |\n65% | 82 |\n| 2 | Bolt |\n42 | 11.4 |\n0.54 |\n67% | 143 |\n| 3 | v0 |\n110 | 16.6 | 1.11 | 92% | 94 |\n| 4 | Lovable |\n183 | 18.1 |\n1.18 |\n99% |\n644 |\n\n**How stable is this ordering?** The split into a clean tier (Copilot, Bolt) and a dirty tier\n(v0, Lovable) holds across every cut we tried, and it is the part we would defend. The 3rd\nversus 4th placing does not hold. Exclude the Scalability bucket, where our highest-volume\nrule lives, and Lovable and v0 swap (10.4 against 10.8). Lovable is worse on total density,\nsecurity density, security exposure and by a long way on median issues per project, so on\nbalance it does place last, but treat \"Lovable is worse than v0\" as weakly supported.\n\"v0 and Lovable are worse than Bolt and Copilot\" is the finding.\n\n**What separates them.** Bolt and Copilot-assisted repos produce roughly **half** the issue\ndensity of v0 and Lovable, and **a third to a half** of their security-issue density. The gap\nis starkest on security exposure: about two thirds of Bolt and Copilot projects carry at least\none security finding, against **92% for v0 and 99% for Lovable**. Of 183 Lovable projects,\nexactly two are clean on security.\n\nLovable's median project also ships **644 issues**, roughly 4.5x the median of any other\nplatform. Some of that is Supabase: **84%** of Lovable projects are Supabase-backed, against\n3% of Copilot-assisted repos.\n\nIssue density by impact area (issues per KLOC, lower is better):\n\n| Generator | Security | Performance | Scalability | Manageability | Maintainability |\n|---|---|---|---|---|---|\n| AI-tagged GitHub | 0.3 |\n0.7 |\n5.0 |\n1.3 |\n1.7 |\n| Bolt | 0.5 | 1.2 | 5.4 | 2.6 | 1.7 |\n| v0 | 1.1 | 3.6 | 5.8 | 4.0 |\n2.2 |\n| Lovable | 1.2 |\n3.2 | 7.8 |\n2.4 | 3.6 |\n\n**Caveat on the leader.** \"AI-tagged GitHub\" repos are Copilot-*assisted*, not fully\nAI-*generated*. A human drove the architecture and reviewed the output. It is a control group\nrather than a like-for-like competitor, and the fact that it wins is itself the finding: the\nmore of the codebase the model authors unsupervised, the worse the density gets.\n\n**Caveat on the whole table.** These are public repos carrying platform markers. A repo that\nstill has the Lovable README template in it is, almost by definition, one nobody cleaned up,\nand Lovable's users may be newer to software than the average Copilot user. We cannot separate\nthe tool from the person driving it. This ranks what ships from each platform in our sample.\nIt is not a benchmark of model quality.\n\n| Framework | Repos | Issues / KLOC |\n|---|---|---|\n| Other / non-web (mixed languages) | 34 | 9.5 |\n| Node, no framework | 44 | 10.5 |\n| Next.js | 126 | 13.9 |\n| React + Vite | 215 | 17.1 |\n| Remix | 2 | 18.3 |\n| Vue | 2 | 19.2 |\n| React (CRA) | 1 | 26.0 |\n\nReact + Vite, the default output of most prompt-to-app tools, is the dirtiest stack in the corpus at 80% higher issue density than the non-web bucket. The bottom three rows have sample sizes of 1 to 2 repos and are shown only so the table accounts for all 424 projects. Draw nothing from them.\n\nFramework and language are separate cuts, and conflating them is misleading. By language:\nPython **4.0** issues per KLOC across 43 repos, JavaScript **15.3** across 37, TypeScript\n**16.9** across 344. Python's advantage is mostly composition rather than language: Python\nrepos here are disproportionately scripts and backends, not the React SPAs where the\nhigh-frequency rules fire. There is no PHP in this corpus.\n\n| Impact area | Issues | Repos affected |\n|---|---|---|\n| Scalability | 150,212 | 386 |\n| Maintainability | 65,152 | 382 |\n| Performance | 57,821 | 380 |\n| Manageability | 52,236 | 389 |\n| Security | 21,361 | 368 |\n| Architecture | 162 | 29 |\n\nScalability leads this table, and 97% of that bucket is two rules. Read the ordering with that in mind.\n\nCounts in this table are from the full scan before deduplication (see Methodology) and will move by roughly -4% when regenerated. Ordering is unaffected.\n\n| Rule | Area | Severity | Issues | % repos |\n|---|---|---|---|---|\n| Async Operation Without Error Handling | scalability | HIGH | 138,601 | 79% |\n| Synchronous setState Inside useEffect | performance | HIGH | 40,220 | 74% |\n| Nested ternary expression | maintainability | MEDIUM | 34,535 | 78% |\n| console.log Used Instead of Structured Logging | manageability | MEDIUM | 31,441 | 74% |\n| Implicit Boolean Coercion via Double Negation | maintainability | LOW | 23,881 | 73% |\n| Array.forEach() With Async Callback | scalability | MEDIUM | 17,998 | 80% |\n| Network Request Without Timeout | performance | MEDIUM | 12,576 | 71% |\n| Empty Catch Block Swallows Errors | manageability | HIGH | 9,761 | 67% |\n| Wildcard Dependency Version | security | HIGH | 6,038 | 52% |\n| Dynamic Value Bound to href Without URL Validation | security | HIGH | 3,511 | 63% |\n\nThese ten rules are **88% of all findings**, and the five HIGH rules here are **97% of all\nHIGH findings**. Per-rule counts per repo are the cut you would need to re-weight this\nyourself. That column is not in the published CSV yet and it should be. It is the next thing\nwe are adding.\n\nProjects were sampled from public GitHub repositories carrying unambiguous markers of the\ngeneration platform (Lovable/v0/Bolt README templates, AI topics), filtered by size and\nrecency, capped at 2 repos per owner. Each was scanned with the **same deterministic rule\nengine and the same 295 production rules** (Semgrep + regex) that power the Quality Clouds\nHub scanner. **Individual repositories are never named, only aggregate statistics are\npublished.** Full details in [docs/methodology.md](/qualityclouds/state-of-ai-code-2026-/blob/main/docs/methodology.md) and\n[docs/ruleset.md](/qualityclouds/state-of-ai-code-2026-/blob/main/docs/ruleset.md).\n\nAll comparisons in this report are made on **issue density** (issues per 1,000 lines of code)\nrather than raw counts, so that larger projects are not penalised for their size.\n\n**Corrections, 14 July 2026.** An audit of the published CSV before wider release found and\nfixed the following. The dataset contained 8 rows forming 3 groups identical on every field.\nOne repo appeared four times, carrying 477,438 lines, 6.3% of the reported corpus on its own,\nwhich also breached our own 2-per-owner cap. Deduplicating moves the corpus from 429 to 424\nrepos, 23.1M to 21.6M lines and 362,115 to 346,944 issues, and the headline from 15.7 to 16.0\nissues per KLOC. The ranking is unchanged; the duplicated repo was in the Copilot control\ngroup, so removing it improves the leader from 9.5 to 9.1. The framework table previously\nlabelled its buckets with language names: the row called \"Python / PHP\" was the\n`framework == other`\n\nbucket (27 Python, 7 JavaScript, 4 TypeScript) and there is no PHP in the\ncorpus at all. That table also silently dropped 5 repos, including a 444k-line Lovable\nproject. A previous claim that \"52% of Supabase-backed apps have at least one client-side\nsecurity misconfiguration\" could not be reproduced from the published data, which puts the\nfigure at 98%, and has been withdrawn pending a rerun. A previous claim that the ordering was\n\"stable across every independent metric we measured\" was wrong, and a claim that exactly one\nLovable project was clean on security was wrong; the number is two. The severity split, the\nper-rule counts above and the 14% leaked-secret figure are pipeline outputs with no per-repo\ncolumn, so they cannot yet be independently reproduced from this dataset.\n\n| File | Contents |\n|---|---|\n|\n\n[data/vibe-code-2026.json](/qualityclouds/state-of-ai-code-2026-/blob/main/data/vibe-code-2026.json)[data/aggregate-stats.csv](/qualityclouds/state-of-ai-code-2026-/blob/main/data/aggregate-stats.csv)The generator ranking, in five lines. Note `g['loc']`\n\nrather than `g.loc`\n\n: the column is named\n`loc`\n\nand pandas reserves that attribute for the row indexer.\n\n``` python\nimport pandas as pd\nd = pd.read_csv('data/vibe-code-2026.csv')\nd.groupby('origin').apply(\n    lambda g: round(1000 * g.total_issues.sum() / g['loc'].sum(), 1),\n    include_groups=False,\n).sort_values()\n# generic-ai 9.1 | bolt 11.4 | v0 16.6 | lovable 18.1\n```\n\nScan your own repository with the same ruleset at\n[portal.qualityclouds.ai](https://portal.qualityclouds.ai), import your repo and see every\nfinding in minutes.\n\n**Data:** CC-BY-4.0, reuse with attribution · **Pipeline code:** MIT", "url": "https://wpnews.pro/news/one-issue-every-62-lines-21-6m-lines-of-ai-generated-code-scanned", "canonical_source": "https://github.com/qualityclouds/state-of-ai-code-2026-", "published_at": "2026-07-14 17:24:47+00:00", "updated_at": "2026-07-14 17:48:13.876547+00:00", "lang": "en", "topics": ["ai-tools", "ai-safety", "ai-products", "developer-tools"], "entities": ["Quality Clouds Hub", "Lovable", "Bolt", "v0", "GitHub", "Copilot", "Supabase"], "alternates": {"html": "https://wpnews.pro/news/one-issue-every-62-lines-21-6m-lines-of-ai-generated-code-scanned", "markdown": "https://wpnews.pro/news/one-issue-every-62-lines-21-6m-lines-of-ai-generated-code-scanned.md", "text": "https://wpnews.pro/news/one-issue-every-62-lines-21-6m-lines-of-ai-generated-code-scanned.txt", "jsonld": "https://wpnews.pro/news/one-issue-every-62-lines-21-6m-lines-of-ai-generated-code-scanned.jsonld"}}