Detecting Vulnerability-Inducing Commits via Multi-Stage Reasoning with LLM-Based Agents

· Source: cs.SE updates on arXiv.org · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Software Development & Engineering · Depth: Expert, extended

Summary

VIC-RAGENT is an LLM-based multi-agent framework designed to detect vulnerability-inducing commits (VICs) at submission time, enhancing software security. It employs specialized agents for structural analysis, intent understanding, and multi-stage vulnerability inspection, including preliminary analysis, reanalysis, and a final decision. The framework integrates code diffs, commit messages, and contextual code, supported by a vulnerability knowledge base for retrieval-augmented reasoning. Evaluated on the V-SZZ dataset with 241 commits (106 VICs, 135 VFCs), VIC-RAGENT consistently outperformed baselines like Direct, CoT, and CodeAgent across DeepSeek-V3.2, Qwen-Plus, and GPT-4o-mini. It achieved 1.2–1.7× higher F1-scores and up to 2× recall improvement over the strongest baseline, demonstrating robust and explainable detection.

Key takeaway

For AI Security Engineers integrating LLMs into CI/CD pipelines, consider adopting a multi-agent, multi-stage framework like VIC-RAGENT. Its structured approach significantly boosts recall and F1-scores in detecting vulnerability-inducing commits, crucial for preventing supply chain attacks. You should prioritize frameworks that offer explainability and leverage knowledge bases for robust, continuously improving security analysis, even if it incurs a moderate increase in computational cost.

Key insights

A multi-agent, multi-stage LLM framework significantly improves vulnerability-inducing commit detection and explainability.

Principles

Method

VIC-RAGENT uses Code Analyst and Target Analyst for preparation, then a Vulnerability Inspector performs preliminary inspection, reanalysis (with knowledge base retrieval), and a final decision stage. A Document Specialist generates reports.

In practice

Topics

Code references

Best for: Research Scientist, CTO, VP of Engineering/Data, AI Scientist, Machine Learning Engineer, AI Security Engineer

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by cs.SE updates on arXiv.org.