Table of Contents
Fetching ...

AgenticSCR: An Autonomous Agentic Secure Code Review for Immature Vulnerabilities Detection

Wachiraphan Charoenwet, Kla Tantithamthavorn, Patanamon Thongtanunam, Hong Yi Lin, Minwoo Jeong, Ming Wu

TL;DR

AgenticSCR addresses the challenge of immature vulnerabilities at the pre-commit stage by combining LLM-based reasoning with autonomous subagents, repository-aware perception, and memory. It uses a detector-validator chain, memory modules, and a diff-centric input pipeline to localize, detect, and explain vulnerabilities while grounding reasoning in SAST rules and CWE taxonomy. On SCRBench, AgenticSCR achieves higher localization, relevance, and vulnerability-type correctness with fewer total comments than static LLM baselines and SAST tools, demonstrating the value of security-grounded agentic reasoning for shift-left security. The work suggests that memory-augmented agentic AI can effectively detect immature vulnerabilities early in the software development lifecycle, paving the way for practical, context-aware pre-commit secure code review.

Abstract

Secure code review is critical at the pre-commit stage, where vulnerabilities must be caught early under tight latency and limited-context constraints. Existing SAST-based checks are noisy and often miss immature, context-dependent vulnerabilities, while standalone Large Language Models (LLMs) are constrained by context windows and lack explicit tool use. Agentic AI, which combine LLMs with autonomous decision-making, tool invocation, and code navigation, offer a promising alternative, but their effectiveness for pre-commit secure code review is not yet well understood. In this work, we introduce AgenticSCR, an agentic AI for secure code review for detecting immature vulnerabilities during the pre-commit stage, augmented by security-focused semantic memories. Using our own curated benchmark of immature vulnerabilities, tailored to the pre-commit secure code review, we empirically evaluate how accurate is our AgenticSCR for localizing, detecting, and explaining immature vulnerabilities. Our results show that AgenticSCR achieves at least 153% relatively higher percentage of correct code review comments than the static LLM-based baseline, and also substantially surpasses SAST tools. Moreover, AgenticSCR generates more correct comments in four out of five vulnerability types, consistently and significantly outperforming all other baselines. These findings highlight the importance of Agentic Secure Code Review, paving the way towards an emerging research area of immature vulnerability detection.

AgenticSCR: An Autonomous Agentic Secure Code Review for Immature Vulnerabilities Detection

TL;DR

AgenticSCR addresses the challenge of immature vulnerabilities at the pre-commit stage by combining LLM-based reasoning with autonomous subagents, repository-aware perception, and memory. It uses a detector-validator chain, memory modules, and a diff-centric input pipeline to localize, detect, and explain vulnerabilities while grounding reasoning in SAST rules and CWE taxonomy. On SCRBench, AgenticSCR achieves higher localization, relevance, and vulnerability-type correctness with fewer total comments than static LLM baselines and SAST tools, demonstrating the value of security-grounded agentic reasoning for shift-left security. The work suggests that memory-augmented agentic AI can effectively detect immature vulnerabilities early in the software development lifecycle, paving the way for practical, context-aware pre-commit secure code review.

Abstract

Secure code review is critical at the pre-commit stage, where vulnerabilities must be caught early under tight latency and limited-context constraints. Existing SAST-based checks are noisy and often miss immature, context-dependent vulnerabilities, while standalone Large Language Models (LLMs) are constrained by context windows and lack explicit tool use. Agentic AI, which combine LLMs with autonomous decision-making, tool invocation, and code navigation, offer a promising alternative, but their effectiveness for pre-commit secure code review is not yet well understood. In this work, we introduce AgenticSCR, an agentic AI for secure code review for detecting immature vulnerabilities during the pre-commit stage, augmented by security-focused semantic memories. Using our own curated benchmark of immature vulnerabilities, tailored to the pre-commit secure code review, we empirically evaluate how accurate is our AgenticSCR for localizing, detecting, and explaining immature vulnerabilities. Our results show that AgenticSCR achieves at least 153% relatively higher percentage of correct code review comments than the static LLM-based baseline, and also substantially surpasses SAST tools. Moreover, AgenticSCR generates more correct comments in four out of five vulnerability types, consistently and significantly outperforming all other baselines. These findings highlight the importance of Agentic Secure Code Review, paving the way towards an emerging research area of immature vulnerability detection.
Paper Structure (24 sections, 1 equation, 3 figures, 4 tables)

This paper contains 24 sections, 1 equation, 3 figures, 4 tables.

Figures (3)

  • Figure 1: A visual comparison of the pre-commit secure code review compared to the pull request-based secure code review practices.
  • Figure 2: An overview architecture of Agentic Secure Code Review workflow.
  • Figure 3: (RQ1) An example output of AgenticSCR, demonstrating the capability of the validator subagent filtering out irrelevant or invalid secure code review comments.