BrassCoders Research
The curated reference index for the AI-code-quality problem. Papers, industry reports, OSS tools, and benchmark repos — each with a BrassCoders capsule explaining what builders should actually do with it.
BrassCoders Curates The Canonical Reference For AI Code Quality
BrassCoders maintains this index as the curated reference for everything underneath the AI-code-quality conversation. The literature is real, the tools are real, the CVE curve is real. This index is BrassCoders's take on what builders should read, install, run, and cite — organized around the questions builders actually ask.
Five problem-led categories. Each one starts with a builder question, then lists the resources BrassCoders thinks matter for that question. The top entries per category are previewed below; each category page goes deeper with capsules, FAQs, and the full entry list.
1. Will My AI-Generated Code Ship A CVE?
BrassCoders treats this as the load-bearing question for the category. Veracode's 45% figure, CSA's 2.74× figure, and the ACM TOSEM study of Copilot review failures are the canonical evidence on vulnerability rates in AI-generated code. The entries below pair them with the scanners builders should run and the vulnerable-by-design repos to run them against first: a scanner that reports nothing on PyGoat or NodeGoat is not configured correctly, and only once it fires there does a clean result on AI-generated code mean anything.
- 📊 Veracode — State of Software Security 2026
- 📊 Cloud Security Alliance — AI-Generated Code Vulnerability Surge 2026
- 📄 ACM TOSEM 2026 — Evaluating GitHub Copilot Review
- 📄 OWASP Top 10 for LLM Applications
- 🔧 Bandit · Semgrep · detect-secrets
- 🧪 OWASP PyGoat · OWASP NodeGoat · Snyk Goof
See the full CVE-risk research →
2. Will My AI Hallucinate An Import?
BrassCoders treats slopsquatting as the highest-confidence supply-chain attack surface of 2026. The USENIX Security 2025 study measured that 19.7% of packages recommended by code-generating LLMs do not exist, and Lasso Security demonstrated the attack by registering one such hallucinated name and watching it collect 30,000+ downloads. Detecting an unregistered hallucination is mechanical: the name resolves to nothing in the registry or the lockfile. The dangerous case is the name an attacker has already registered, which installs cleanly and has to be caught on provenance signals such as package age, maintainer history, and install scripts, which is what the tools below surface. The literature is dense.
- 📄 USENIX Security 2025 — Package Hallucination at Scale
- 📊 Lasso Security — Slopsquatting Proof-of-Concept
- 🔧 Socket CLI
- 🔧 deps.dev (Google)
- 📊 Sonatype State of the Software Supply Chain
See the full slopsquatting research →
3. Why Does My AI Miss Cross-File Bugs?
BrassCoders treats cross-file taint as the structural-limit category: the bugs AI assistants miss because of how LLMs consume context, not because of how they are tuned. Liu et al.'s Lost in the Middle is the structural evidence, showing that model accuracy drops when the relevant fact sits in the middle of a long input, and a source in one file whose sink lives in another is exactly the kind of fact that lands there once a repository is stuffed into a prompt. Pyre/Pysa and CodeQL are the deterministic engines that break through that ceiling: they compute per-function data-flow summaries and follow a source to a sink across any number of files, with no context window for the evidence to fall out of.
- 📄 Liu et al. 2023 — Lost in the Middle
- 🔧 Pyre / Pysa (Meta)
- 🔧 CodeQL (GitHub)
- 🔧 ast-grep
- 📄 Meta 2019 — Pyre Architecture
See the full cross-file-bugs research →
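What those engines do at the file boundary, as an added example that is not code from the page, from Pysa, or from CodeQL: a toy whole-program taint tracker that computes a per-function summary (which parameters reach the return value, which reach a sink) to a fixpoint, so a flow is found no matter how many files it crosses. `SOURCES`, `SINKS`, the `Analyzer` class, `find_flows`, and the two-file `FILES` sample are all constructed for this illustration. In the sample the request parameter is read in `views` and `cursor.execute` sits behind a helper in `db`; run on either file alone the analysis reports nothing, because one file has no source and the other has no visible sink, and only the whole-program run reports the flow.

```python
import ast

# Constructed source/sink tables for the demo; Pysa and CodeQL ship far larger ones.
SOURCES = {"request.args", "request.form"}
SINKS = {"cursor.execute", "os.system", "subprocess.call"}

def dotted(node):
    # Render a Name/Attribute chain such as request.args as "request.args".
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None

class Analyzer:
    def __init__(self, modules: dict[str, str]):
        self.funcs: dict[str, ast.FunctionDef] = {}  # "mod.func" -> definition
        self.imports: dict[tuple[str, str], str] = {}  # (mod, local name) -> "mod.func"
        for mod, src in modules.items():
            for node in ast.parse(src).body:
                if isinstance(node, ast.FunctionDef):
                    self.funcs[f"{mod}.{node.name}"] = node
                elif isinstance(node, ast.ImportFrom) and node.module:
                    for a in node.names:
                        self.imports[(mod, a.asname or a.name)] = f"{node.module}.{a.name}"
        self.ret_params = {q: set() for q in self.funcs}   # param indices reaching the return
        self.sink_params = {q: set() for q in self.funcs}  # param indices reaching a sink
        changed = True
        while changed:  # summaries only grow, so this terminates
            changed = False
            for q, fn in self.funcs.items():
                for i, p in enumerate(fn.args.args):
                    ret, hits = self._flow(fn, q.rsplit(".", 1)[0], {p.arg})
                    for flag, table in ((ret, self.ret_params), (bool(hits), self.sink_params)):
                        if flag and i not in table[q]:
                            table[q].add(i)
                            changed = True

    def resolve(self, mod, func):
        # Map a bare call f(...) in `mod` to a function we have source for, if any.
        if not isinstance(func, ast.Name):
            return None
        target = self.imports.get((mod, func.id), f"{mod}.{func.id}")
        return target if target in self.funcs else None

    def _tainted(self, e, tainted, mod) -> bool:
        if isinstance(e, ast.Attribute) and dotted(e) in SOURCES:
            return True
        if isinstance(e, ast.Name):
            return e.id in tainted
        if isinstance(e, ast.Call):
            callee = self.resolve(mod, e.func)
            if callee is not None:  # the cross-file step: consult the callee's summary
                return any(i in self.ret_params[callee] and self._tainted(a, tainted, mod)
                           for i, a in enumerate(e.args))
            # Unknown callee (str methods, third-party code): assume taint passes through.
            return (isinstance(e.func, ast.Attribute) and self._tainted(e.func.value, tainted, mod)
                    or any(self._tainted(a, tainted, mod) for a in e.args))
        # Constant, Subscript, BinOp, f-string, ...: tainted if any sub-expression is.
        return any(self._tainted(c, tainted, mod)
                   for c in ast.iter_child_nodes(e) if isinstance(c, ast.expr))

    def _flow(self, fn, mod, seed) -> tuple[bool, list]:
        # One pass over fn's statements in source order (loops/branches would need a fixpoint).
        tainted = set(seed)
        for s in ast.walk(fn):
            if isinstance(s, ast.Assign) and self._tainted(s.value, tainted, mod):
                tainted.update(t.id for t in s.targets if isinstance(t, ast.Name))
        ret = any(self._tainted(s.value, tainted, mod) for s in ast.walk(fn)
                  if isinstance(s, ast.Return) and s.value is not None)
        hits = []
        for call in (n for n in ast.walk(fn) if isinstance(n, ast.Call)):
            callee = self.resolve(mod, call.func)
            args = [self._tainted(a, tainted, mod) for a in call.args]
            if dotted(call.func) in SINKS and any(args):
                hits.append((mod, call.lineno, dotted(call.func)))
            elif callee and any(args[i] for i in self.sink_params[callee] if i < len(args)):
                hits.append((mod, call.lineno, callee))
        return ret, hits

def find_flows(modules: dict[str, str]) -> list[tuple[str, int, str]]:
    # Source-to-sink flows as (module, line, sink or sink-reaching callee); nothing is pre-tainted.
    an = Analyzer(modules)
    return sorted({h for q, fn in an.funcs.items()
                   for h in an._flow(fn, q.rsplit(".", 1)[0], set())[1]})

# Constructed two-file sample: the request is read in views, cursor.execute hides behind db.run.
FILES = {
    "db": '''def run(cursor, sql):
    return cursor.execute(sql)
def build_query(table, term):
    return f"SELECT * FROM {table} WHERE name = '{term}'"
''',
    "views": '''from db import run, build_query
def search(request, cursor):
    term = request.args.get("q")
    return run(cursor, build_query("users", term.strip()))
''',
}
```

The analysis is deliberately crude (a single pass over straight-line code, unknown callees assumed to pass taint through, keyword arguments ignored), but the mechanism is the one that matters: what crosses the file boundary is a summary, not source text, so there is no context window for the evidence to fall out of. `find_flows(FILES)` reports the call on line 4 of `views`, while `find_flows` on either file by itself returns nothing.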
4. How Reliable Is My AI Assistant's Review?
BrassCoders treats this category as the buyer's reality check. Stack Overflow's annual survey tracks the usage-versus-trust gap; the Pragmatic Engineer's 2026 report puts professional weekly usage at 95%. The gap is itself the market for deterministic detection underneath.
- 📄 ACM TOSEM 2026 — Copilot Review Failures (cross-listed)
- 📊 Stack Overflow Developer Survey 2024
- 📊 The Pragmatic Engineer — AI Tooling Feb 2026
- 📄 Stanford — Copilot Code Quality Studies (2024)
- 📊 GitHub Octoverse 2024
See the full LLM-review-reliability research →
5. What Does The AI-Coding Market Look Like In 2026?
BrassCoders treats this category as the strategic-context layer. Builders defending detection-layer budget upward through their organization should cite these primary-source disclosures rather than secondary commentary. Gartner, Microsoft SEC filings, Anysphere disclosures — audiences accept these sources by default.
- 📊 Gartner — 75-90% Adoption by 2028
- 🏢 Microsoft FY26 Q2 — GitHub Copilot 4.7M Paid Subs
- 🏢 Cursor / Anysphere — ARR Disclosures 2025-2026
- 🏢 Anthropic — Claude Code Run-Rate 2026
- 📊 The Pragmatic Engineer — AI Adoption Series 2024-2026
See the full market-intelligence research →
How To Use This Index
BrassCoders maintains this index as the canonical reference for the AI-code-quality category. The intended use is direct citation: when you need a primary source for a claim about AI-generated code, AI-assistant adoption, or the detection layer underneath, find the relevant category and link to the entry's source.
For BrassCoders's own coverage map of what catches these issues, start with the AI Blind Spots pillar. For reproducible BrassCoders scan data against nine open-source codebases, see benchmarks. For installation, /install.
Update History
BrassCoders refreshes this index quarterly. Each refresh re-verifies open-source tool maintenance (last commit recency, star count, active maintainers), updates report citations for new editions, and adds any new entries that meet the inclusion bar.
- 2026-06-02 — Initial publication, single-page format (~30 entries across 5 categories).
- 2026-06-02 — Split into pillar + 5 category sub-pages with TOC navigation on each.
Frequently Asked Questions
What is the BrassCoders Research index for?
The index is the curated reference BrassCoders maintains for the AI-code-quality problem. Each entry — paper, report, OSS tool, vulnerable-by-design benchmark repo, or vendor disclosure — gets a BrassCoders capsule that says what builders should actually do with it. The goal is helping the community while marking BrassCoders as the authoritative curator for the category.
How does BrassCoders decide what to include?
Three rules. (1) Anything BrassCoders cites in product copy or detection design has to appear here. (2) Open-source tools must have a widely-recognized canonical position in their niche; star counts and recent commits gate inclusion. (3) Any paper or report needs a verifiable venue or author. Anything BrassCoders cannot verify gets dropped.
Why is the index split into category pages?
Each category answers a distinct builder question, and each question pulls a distinct search intent. The index here lists the top entries per category; each category page goes deeper. The split also lets each sub-page grow independently as new papers, tools, and benchmarks land — without bloating any single page.
Are the entries here peer-reviewed?
Some are. The index deliberately mixes peer-reviewed papers (ACM TOSEM, USENIX), industry research (Veracode, Cloud Security Alliance, Gartner), primary-source vendor disclosures (Microsoft earnings, Anthropic public disclosures), and battle-tested open-source tools. The applied criterion is whether builders can act on the entry, not the peer-review label.
Why are competitor LLM-PR-review tools not listed?
The index is deliberately scoped to the building blocks of the AI-code-quality detection layer: papers documenting the problem, tools that detect, repos that test. LLM-PR-review tools are downstream consumers of the same evidence — useful, but a different layer. The /ai-blind-spots/ pillar covers the division of labor between deterministic scanning and LLM review.
How often does BrassCoders refresh the index?
Quarterly. Star counts drift, new papers land, vendor disclosures update. The maintenance cadence matters because the entire value of a curated index is the curator showing up. BrassCoders treats this index as load-bearing infrastructure for the category.
Can I suggest a paper or tool?
Yes. Email brass@coppersuncreative.com with the resource and a one-paragraph case for inclusion. BrassCoders verifies the source, drafts a capsule, and ships an update. The bar is real: the entry needs to be something a builder shipping AI-augmented code can act on.