
Cursor Adds Codebase-Wide Security Review Feature (Cursor Security Review)

AI 3-line summary
  • Cursor has added a security review feature to Bugbot.
  • It scans the entire codebase, detects vulnerabilities and unsafe patterns, and reports them.
  • Developers can discover security issues early, before and after creating a PR, which is expected to help with quality assurance of AI-generated code.
English summary
  • Cursor Security Review is now in beta on Teams and Enterprise plans.
  • You can run two types of always-on security agents: Security Reviewer and Vulnerability Scanner.

Cursor announced that it has added a security review feature covering the entire codebase to Bugbot, the review feature integrated into its AI coding environment. As large-scale code generation by AI becomes commonplace, this can be seen as a direct answer to the question of how to ensure the safety of the generated output.

The new feature is expected to scan the entire repository and detect potential vulnerabilities, insecure implementation patterns, and flaws in the handling of sensitive information. Whereas Bugbot previously focused on diff review per pull request, this security review is distinguished by extending to comprehensive analysis across the codebase. Developers can learn of detected issues before merging or deploying to production, which is expected to support shift-left practice.

The background is the rapid increase in the volume of AI-assisted code generation. With GitHub Copilot, Claude Code, Cursor's own Agent feature, and similar tools, code is being written faster than humans can review it, and demand for existing SAST (static application security testing) tools such as Snyk, Semgrep, and GitHub Advanced Security is also growing. OpenAI and Anthropic have also published research on the vulnerability tendencies of generated code, pointing out patterns specific to AI output (use of outdated libraries, simplified authentication handling, hardcoded secrets, and so on).


The value of Cursor's approach is thought to lie in reducing context switches to external tools by completing these steps within the editor and review workflow. On the other hand, false-positive rates, execution performance on large repositories, and the division of roles with specialized security tools are likely to be the points of evaluation going forward.

Cursor has expanded Bugbot, the AI-powered review tool integrated into its coding environment, with a new capability that performs security reviews across an entire codebase. The addition addresses a growing concern in software development: as AI-generated code becomes routine, ensuring the safety of that output has emerged as one of the harder problems for engineering teams to solve.

The new feature is designed to scan whole repositories rather than individual diffs, surfacing potential vulnerabilities, insecure implementation patterns, and mishandling of sensitive data such as credentials or secrets. Until now, Bugbot has focused primarily on pull-request-level review, flagging issues within the scope of a single change. The codebase-wide security review marks a shift toward broader, cross-cutting analysis, allowing developers to understand systemic risks rather than only the implications of a specific commit. Findings are intended to be visible before code is merged or deployed, supporting what the industry commonly refers to as a shift-left approach to security.

The context for this release is the rapid acceleration of AI-assisted code generation. Tools such as GitHub Copilot, Anthropic's Claude Code, and Cursor's own Agent functionality are producing code at volumes that human reviewers cannot realistically keep up with. That dynamic has driven renewed interest in static application security testing (SAST) products, with vendors including Snyk, Semgrep, and GitHub Advanced Security all reporting expanded usage. Research published by OpenAI and Anthropic has also highlighted patterns specific to AI-generated code, including reliance on outdated libraries, oversimplified authentication logic, and hardcoded secrets — recurring failure modes that traditional review processes do not always catch quickly enough.

Cursor's approach appears to differentiate itself less through novel detection techniques and more through workflow integration. By keeping security review inside the editor and the existing review loop, the company seems to be betting that reducing context switching to external dashboards or separate scanning pipelines will encourage more consistent use. For developers already working in Cursor, vulnerabilities flagged alongside ordinary code suggestions may be easier to address in the moment than those surfaced hours later in a CI report.


There are open questions about how the feature will perform in practice. False-positive rates remain a perennial issue for SAST tooling, and AI-driven analysis can be particularly prone to plausible-sounding but incorrect findings. Performance on very large repositories — where full-codebase scans can be expensive in both time and compute — is another area that will likely be scrutinized as adoption grows. It also remains unclear how Cursor's offering will coexist with dedicated security platforms; many organizations have established relationships with specialized vendors, and security teams may be reluctant to rely solely on a tool embedded in a developer-facing IDE.

Still, the move reflects a broader trend in which AI coding environments are absorbing functions that were previously handled by separate categories of tooling. Review, testing, and now security analysis are increasingly being framed as features of the editor rather than standalone products. Whether that consolidation ultimately strengthens software security or simply shifts the location of existing weaknesses is something the market will likely take some time to evaluate. For now, Cursor's announcement signals that the major AI coding vendors view secure-by-default output, not just productive output, as a competitive battleground.

  • Source: Cursor Changelog (T2)
  • Source avg: ★ 2.1
  • Type: Changelog
  • Importance: ★ Normal (top 62% in AI Editors)
  • Half-life: ⏱️ Short-lived (news)
  • Lang: EN
  • Collected: 2026/06/27 14:00

The body text and summaries on this page are automatically generated by AI. Please verify accuracy against the original article (cursor.com).

