Of three leading coding agents evaluated (Claude, Codex, and Gemini), Codex finishes with the fewest vulnerabilities and demonstrates stronger remediation behavior during development.

26 of 30 pull requests (87%) introduce at least one vulnerability.

143 security issues are identified across 38 security scans.

No AI coding agent evaluated (Claude, Codex, and Gemini) produced a fully secure application.

Four authentication-related weaknesses appeared in every final codebase: insecure JWT verification and management; lack of application-level brute force protections; exposure to token replay attacks; and insecure defaults for refresh token cookie configurations.

Anthropic's Claude produced the highest number of unresolved high-severity vulnerabilities in the final applications.