Closing the Loop: Agentic AI for Continuous Vulnerability Detection, Validation, and Remediation
DOI: https://doi.org/10.63282/3050-9262.IJAIDSML-V7I1P143
Keywords: Agentic AI, Software Vulnerability Management, Automated Remediation, CI/CD Security, DevSecOps, Continuous Security Validation
Abstract
In recent years, agile development models have emerged that promote iterative, continuous integration and deployment of software. This increases system complexity and enlarges the attack surface. Although many security analysis solutions target vulnerability detection in software, they have mainly addressed identification and largely neglect remediation and post-fix validation, which remain expensive and error-prone. This paper describes an end-to-end agentic AI system designed to close the security loop by linking continuous vulnerability scanning, remediation suggestions, and validation after a fix is applied. The system combines a collection of cooperating AI agents that are orchestrated to jointly analyze source code, third-party dependencies, and execution-environment artifacts in CI/CD pipelines. The approach differs from prior CVE-fix-based solutions in that it tracks each vulnerability's lifecycle, iterating over code changes and scan results to contextualize every finding. It also yields a set of actionable metrics beyond plain remediation time, for example true-positive persistence, per-file false-positive resolution, and remediation latency and accuracy. Experiments on real open-source repositories integrated into CI/CD pipelines show that the approach significantly reduces remediation time, redundant findings, and uncertainty in automated security analysis. By integrating vulnerability management into the developer's existing automation, this agentic AI-for-security framework differs from previous DevSecOps approaches in also applying an epistemic frame to securing software.
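The abstract names the loop (scan, triage, fix, validate) and the metrics it produces but does not say how findings are tracked across pipeline runs. The following is an added illustration of that bookkeeping, not code from the paper. Everything in it is assumed rather than taken from the abstract: findings are keyed by (file, rule, symbol); a triage step labels each finding a true or false positive; a fix is recorded against a finding and the next scan after the fix serves as its validation scan; a false positive counts as resolved once a suppression causes it to stop being reported. The metric definitions (persistence as the share of fixed true positives still reported by the validation scan, latency measured in pipeline runs, per-file false-positive resolution as the share of false positives no longer reported) are likewise the example's own, and the scan data in `demo()` is constructed.

```python
"""Closed-loop vulnerability lifecycle tracking with remediation metrics.

Added illustration; not the paper's implementation. The finding key, the
triage labels, the fix/validation convention and the metric definitions are
all assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, str]  # (file, rule, symbol) -- assumed stable identifier


@dataclass
class Lifecycle:
    key: Key
    first_seen: int
    last_seen: int
    label: Optional[str] = None        # "tp" or "fp" once triaged
    fix_run: Optional[int] = None      # run in which a remediation was applied
    validated: Optional[bool] = None   # outcome of the first scan after the fix
    closed_run: Optional[int] = None   # first run in which the finding was absent


class LoopTracker:
    """Ingests one scan per CI run and keeps per-finding lifecycle state."""

    def __init__(self) -> None:
        self.items: Dict[Key, Lifecycle] = {}
        self.run = 0

    def triage(self, key: Key, label: str) -> None:
        if label not in ("tp", "fp"):
            raise ValueError("label must be 'tp' or 'fp'")
        self.items[key].label = label

    def remediate(self, key: Key) -> None:
        # A fix is applied in the current run; the next scan validates it.
        lc = self.items[key]
        lc.fix_run = self.run
        lc.validated = None

    def scan(self, findings: List[Key]) -> None:
        self.run += 1
        present = set(findings)
        for key in present:
            lc = self.items.get(key)
            if lc is None:
                self.items[key] = Lifecycle(key, self.run, self.run)
                continue
            lc.last_seen = self.run
            if lc.fix_run is not None and lc.validated is None:
                lc.validated = False      # fix applied, finding still reported
            if lc.closed_run is not None:
                lc.closed_run = None      # regression: a closed finding reopened
        for key, lc in self.items.items():
            if key in present:
                continue
            if lc.closed_run is None:
                lc.closed_run = self.run  # first run in which it was absent
            if lc.fix_run is not None and lc.validated is None:
                lc.validated = True       # fix applied, finding gone: validated

    def metrics(self) -> dict:
        tps = [lc for lc in self.items.values() if lc.label == "tp"]
        fixed = [lc for lc in tps if lc.fix_run is not None and lc.validated is not None]
        persistent = [lc for lc in fixed if lc.validated is False]
        resolved = [lc for lc in tps if lc.closed_run is not None]
        latency = [lc.closed_run - lc.first_seen for lc in resolved]
        fp_by_file: Dict[str, List[Lifecycle]] = {}
        for lc in self.items.values():
            if lc.label == "fp":
                fp_by_file.setdefault(lc.key[0], []).append(lc)
        fp_resolution = {
            f: sum(1 for lc in lcs if lc.closed_run is not None) / len(lcs)
            for f, lcs in fp_by_file.items()
        }
        return {
            "tp_persistence": len(persistent) / len(fixed) if fixed else 0.0,
            "remediation_accuracy": (len(fixed) - len(persistent)) / len(fixed) if fixed else 0.0,
            "mean_remediation_latency_runs": sum(latency) / len(latency) if latency else 0.0,
            "fp_resolution_per_file": fp_resolution,
            "open_true_positives": sum(1 for lc in tps if lc.closed_run is None),
        }


def demo() -> dict:
    """Four constructed CI runs: one fix validates, one fails, one FP is suppressed."""
    A = ("app/auth.py", "sql-injection", "login")
    B = ("app/auth.py", "hardcoded-secret", "cfg")
    C = ("app/upload.py", "path-traversal", "save")
    D = ("app/api.py", "ssrf", "fetch")
    t = LoopTracker()
    t.scan([A, B, C])                       # run 1: three new findings
    t.triage(A, "tp"); t.triage(B, "fp"); t.triage(C, "tp")
    t.remediate(A)                          # fix A during run 1
    t.scan([B, C, D])                       # run 2: A gone (validated), D appears
    t.remediate(C); t.triage(D, "tp")
    t.scan([C, D])                          # run 3: C still present (fix failed), B suppressed
    t.remediate(D)
    t.scan([C])                             # run 4: D gone (validated); C remains open
    return t.metrics()


if __name__ == "__main__":
    print(demo())
```

The validation rule is deliberately strict: a fix is only credited if the finding is absent in the very next scan, so a remediation that merely changes the finding's symbol would register as both a failed fix and a new finding, which is the behaviour a practitioner wants surfaced rather than hidden.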