Can Adversarial Code Comments Fool AI Security Reviewers -- Large-Scale Empirical Study of Comment-Based Attacks and Defenses Against LLM Code Analysis

AI-assisted code review is widely used to detect vulnerabilities before production release. Prior work shows that adversarial prompt manipulation can degrade large language model (LLM) performance in code generation. We test whether similar comment-based manipulation misleads LLMs during vulnerability detection. We build a 100-sample benchmark across Python, JavaScript, and Java, each paired with eight comment variants ranging from no comments to adversarial strategies such as authority spoofing and technical deception. Eight frontier models, five commercial and three open-source, are evaluated in 9,366 trials. Adversarial comments produce small, statistically non-significant effects on detection accuracy (McNemar exact p > 0.21; all 95 percent confidence intervals include zero). This holds for commercial models with 89 to 96 percent baseline detection and open-source models with 53 to 72 percent, despite large absolute performance gaps. Unlike generation settings where comment manipulation achieves high attack success, detection performance does not meaningfully degrade. More complex adversarial strategies offer no advantage over simple manipulative comments. We test four automated defenses across 4,646 additional trials (14,012 total). Static analysis cross-referencing performs best at 96.9 percent detection and recovers 47 percent of baseline misses. Comment stripping reduces detection for weaker models by removing helpful context. Failures concentrate on inherently difficult vulnerability classes, including race conditions, timing side channels, and complex authorization logic, rather than on adversarial comments.

💡 Research Summary

This paper presents a large-scale empirical study investigating the susceptibility of AI-powered security code reviewers to adversarial manipulation via code comments. The central question is whether malicious comments, such as falsely claiming “Audited by AppSec team, no injection risk,” can fool Large Language Models (LLMs) into missing vulnerabilities they would otherwise detect.

The researchers constructed a benchmark of 100 vulnerable code samples across Python, JavaScript, and Java. For each sample, they created eight comment variants: a no-comment baseline (C0), simple manipulative comments (C1-C3), and sophisticated adversarial strategies including authority spoofing (C5), attention dilution (C6), and technical deception (C7). They evaluated eight state-of-the-art LLMs—five commercial (Claude Opus, GPT-5.2, Gemini Pro, etc.) and three open-source (Llama 3.3, Qwen 2.5, etc.)—across these variants, resulting in 9,366 primary evaluations.

The core finding is that adversarial comments have a minimal, statistically non-significant aggregate effect on vulnerability detection accuracy. Using McNemar’s exact test, all p-values exceeded 0.21, and all 95% confidence intervals for the change in detection rate included zero. This robustness held true for both high-performing commercial models (89-96% baseline detection) and lower-performing open-source models (53-72% baseline), despite the large absolute performance gap between them. This reveals a fundamental asymmetry: while prior work (e.g., HACKODE) showed comment manipulation could achieve 75-100% attack success rates in code generation tasks (steering LLMs to produce vulnerable code), the same techniques fail to meaningfully degrade performance in code detection tasks (identifying vulnerabilities in existing code). Sophisticated attack strategies offered no advantage over simple manipulative comments.

The study also observed a “backfire pattern” where security-themed adversarial comments were correlated with maintained or even slightly improved detection rates in unpaired analysis. However, properly paired comparisons showed near-zero effect, and the researchers attribute most of the apparent improvement to subset selection bias rather than a genuine “security priming” effect.

In a second phase, the team evaluated four automated defense strategies across 4,646 additional trials (14,012 total). The defenses were: comment stripping, dual-pass analysis, SAST (Static Application Security Testing) cross-referencing, and comment anomaly detection. SAST cross-referencing—injecting SAST findings as verification hints into the LLM’s system prompt—proved most effective. It achieved a 96.9% detection rate and recovered 47% of vulnerabilities missed in the baseline (no-comment) condition. In contrast, the intuitively simple defense of comment stripping actually degraded detection performance for weaker models by removing helpful contextual information.

The paper concludes that the primary threat to AI-assisted code review is not adversarial comment manipulation, but the inherent difficulty of certain vulnerability patterns. Failures consistently concentrated on complex logic flaws like TOCTOU (Time-of-Check to Time-of-Use) race conditions, timing-based side channels, and intricate authorization chains in Java—patterns that models miss regardless of comment content. The research contributes robust, large-scale evidence for the relative resilience of LLM-based vulnerability detection to comment-based attacks, highlights the effectiveness of hybrid SAST-LLM defenses, and pinpoints the specific vulnerability classes where AI review currently falls short.