[2604.03587] SecPI: Secure Code Generation with Reasoning Models via Security Reasoning Internalization
Computer Science > Cryptography and Security

arXiv:2604.03587 (cs)

[Submitted on 4 Apr 2026]

Title: SecPI: Secure Code Generation with Reasoning Models via Security Reasoning Internalization

Authors: Hao Wang, Niels Mündler, Mark Vero, Jingxuan He, Dawn Song, Martin Vechev

Abstract: Reasoning language models (RLMs) are increasingly used in programming. Yet, even state-of-the-art RLMs frequently introduce critical security vulnerabilities in generated code. Prior training-based approaches for secure code generation face a critical limitation that prevents their direct application to RLMs: they rely on costly, manually curated security datasets covering only a limited set of vulnerabilities. At the inference level, generic security reminders consistently degrade functional correctness while triggering only shallow, ad-hoc vulnerability analysis. To address these problems, we present SecPI, a fine-tuning pipeline that teaches RLMs to internalize structured security reasoning, producing secure code by default without any security instructions at inference time. SecPI filters existing general-purpose coding datasets for security-relevant tasks using an LLM-based classifier, generates high-quality security reasoning traces with a teacher model guided by a structured prompt that systematically enumerate...