Table of Contents
Fetching ...

Agentic AI for Autonomous Defense in Software Supply Chain Security: Beyond Provenance to Vulnerability Mitigation

Toqeer Ali Syed, Mohammad Riyaz Belgaum, Salman Jan, Asadullah Abdullah Khan, Saad Said Alqahtani

TL;DR

This paper tackles the rising risk of software supply chain attacks by arguing that provenance alone cannot prevent active threats. It proposes an agentic AI framework that fuses LLM-based reasoning, reinforcement learning, and multi-agent orchestration (via LangChain/LangGraph) with MCP integration and a blockchain ledger to autonomously detect and mitigate vulnerabilities throughout CI/CD pipelines. The approach demonstrates improved detection and faster, autonomous mitigation across multiple vulnerability classes in both simulated and real pipelines, with acceptable performance overhead and strong auditability. This work advances the vision of self-defending software supply chains by moving from reactive verification to proactive, explainable defense that continuously protects artifacts before and during deployment.

Abstract

The software supply chain attacks are becoming more and more focused on trusted development and delivery procedures, so the conventional post-build integrity mechanisms cannot be used anymore. The available frameworks like SLSA, SBOM and in toto are majorly used to offer provenance and traceability but do not have the capabilities of actively identifying and removing vulnerabilities in software production. The current paper includes an example of agentic artificial intelligence (AI) based on autonomous software supply chain security that combines large language model (LLM)-based reasoning, reinforcement learning (RL), and multi-agent coordination. The suggested system utilizes specialized security agents coordinated with the help of LangChain and LangGraph, communicates with actual CI/CD environments with the Model Context Protocol (MCP), and documents all the observations and actions in a blockchain security ledger to ensure integrity and auditing. Reinforcement learning can be used to achieve adaptive mitigation strategies that consider the balance between security effectiveness and the operational overhead, and LLMs can be used to achieve semantic vulnerability analysis, as well as explainable decisions. This framework is tested based on simulated pipelines, as well as, actual world CI/CD integrations on GitHub Actions and Jenkins, including injection attacks, insecure deserialization, access control violations, and configuration errors. Experimental outcomes indicate better detection accuracy, shorter mitigation latency and reasonable build-time overhead than rule-based, provenance only and RL only baselines. These results show that agentic AI can facilitate the transition to self defending, proactive software supply chains rather than reactive verification ones.

Agentic AI for Autonomous Defense in Software Supply Chain Security: Beyond Provenance to Vulnerability Mitigation

TL;DR

This paper tackles the rising risk of software supply chain attacks by arguing that provenance alone cannot prevent active threats. It proposes an agentic AI framework that fuses LLM-based reasoning, reinforcement learning, and multi-agent orchestration (via LangChain/LangGraph) with MCP integration and a blockchain ledger to autonomously detect and mitigate vulnerabilities throughout CI/CD pipelines. The approach demonstrates improved detection and faster, autonomous mitigation across multiple vulnerability classes in both simulated and real pipelines, with acceptable performance overhead and strong auditability. This work advances the vision of self-defending software supply chains by moving from reactive verification to proactive, explainable defense that continuously protects artifacts before and during deployment.

Abstract

The software supply chain attacks are becoming more and more focused on trusted development and delivery procedures, so the conventional post-build integrity mechanisms cannot be used anymore. The available frameworks like SLSA, SBOM and in toto are majorly used to offer provenance and traceability but do not have the capabilities of actively identifying and removing vulnerabilities in software production. The current paper includes an example of agentic artificial intelligence (AI) based on autonomous software supply chain security that combines large language model (LLM)-based reasoning, reinforcement learning (RL), and multi-agent coordination. The suggested system utilizes specialized security agents coordinated with the help of LangChain and LangGraph, communicates with actual CI/CD environments with the Model Context Protocol (MCP), and documents all the observations and actions in a blockchain security ledger to ensure integrity and auditing. Reinforcement learning can be used to achieve adaptive mitigation strategies that consider the balance between security effectiveness and the operational overhead, and LLMs can be used to achieve semantic vulnerability analysis, as well as explainable decisions. This framework is tested based on simulated pipelines, as well as, actual world CI/CD integrations on GitHub Actions and Jenkins, including injection attacks, insecure deserialization, access control violations, and configuration errors. Experimental outcomes indicate better detection accuracy, shorter mitigation latency and reasonable build-time overhead than rule-based, provenance only and RL only baselines. These results show that agentic AI can facilitate the transition to self defending, proactive software supply chains rather than reactive verification ones.
Paper Structure (29 sections, 3 equations, 4 figures, 1 table)

This paper contains 29 sections, 3 equations, 4 figures, 1 table.

Figures (4)

  • Figure 1: Agentic AI framework for software supply chain security. Software supply chain inputs are accessed via the Model Context Protocol (MCP) and analyzed by multiple specialized agents coordinated using LangChain and LangGraph. LLM-based reasoning and reinforcement learning enable adaptive mitigation decisions, while all actions are recorded in a blockchain-backed security ledger for integrity and auditability.
  • Figure 2: F1-score comparison by vulnerability class.
  • Figure 3: Average mitigation latency across CI/CD runs.
  • Figure 4: CI/CD build time overhead comparison.