Agentic AI for Autonomous Risk Triage and False Positive Reduction in Static Security Analysis
Bakane, Sumit (2025-08-18)
This publication is subject to copyright regulations. The work may be read and printed for personal use. Use for commercial purposes is prohibited.
Open access
The permanent address of the publication is:
https://urn.fi/URN:NBN:fi-fe2025091195578
Abstract
Static security analysis tools are widely adopted in modern software development to detect flaws early in the development cycle. These tools, however, offer poor risk prioritization, produce fragmented results, and generate high rates of false positives, which demand substantial manual effort and lead to delayed or even ignored remediation. As software development increasingly relies on automated security tools, managing high volumes of false alerts has become a critical challenge.
This thesis proposes a novel Agentic AI system that addresses these limitations by integrating rule-based heuristics with large language model-based reasoning in a modular, agent-based framework. The system normalises the output of various static analysis tools, such as GitLeaks (secret detection), OWASP Dependency-Check (SCA), and Semgrep (SAST), into a single schema before passing it through a pipeline of autonomous agents. This normalisation step makes the approach tool-agnostic: any security tool can be integrated with the Agentic AI architecture through the normalisation layer.
By employing a multi-layered architecture within CI/CD pipelines, the system turns raw scanner output into actionable insights, significantly improving developer efficiency and trust in security tools. Empirical evaluation demonstrates a 31% reduction in false positives, alongside improved risk prioritization and user engagement through a web-based dashboard.
In addition, the system aligns with widely used secure development guidelines, including OWASP SAMM, BSIMM, and NIST SSDF, which supports standards compliance, auditing, and traceability. Overall, this research contributes to the field of application security by providing a scalable, intelligent solution that aligns with industry standards and enhances the overall security posture of the software development lifecycle.
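The abstract describes two building blocks: a normalisation layer that maps each scanner's report onto one schema, and a downstream stage that applies rule-based heuristics to suppress likely false positives and rank what remains. The following Python sketch is an added illustration of that pattern and is not the thesis's own code. The three sample reports are constructed, and their field names only approximate the real JSON layouts of Semgrep, GitLeaks and OWASP Dependency-Check (treat those shapes as an assumption); the heuristics (non-production paths, placeholder-looking secret values) are likewise illustrative choices, not the thesis's rule set.

```python
"""Normalisation layer plus rule-based triage for static-analysis findings.

Added illustrative code, not the thesis's implementation. The three sample
reports below are constructed; their field names only approximate the JSON
layouts of Semgrep, GitLeaks and OWASP Dependency-Check (an assumption).
"""
import json
from dataclasses import dataclass, field

# --- constructed sample scanner reports ------------------------------------
SEMGREP_REPORT = json.dumps({"results": [
    {"check_id": "python.lang.security.audit.exec-detected", "path": "app/views.py",
     "start": {"line": 42}, "extra": {"severity": "ERROR", "message": "exec() detected"}},
    {"check_id": "python.lang.security.audit.exec-detected", "path": "tests/test_views.py",
     "start": {"line": 7}, "extra": {"severity": "ERROR", "message": "exec() detected"}},
]})
GITLEAKS_REPORT = json.dumps([
    {"RuleID": "generic-api-key", "File": "config/settings.py", "StartLine": 12,
     "Description": "Generic API Key", "Secret": "sk_live_CONSTRUCTED_SAMPLE_0001"},
    {"RuleID": "generic-api-key", "File": "docs/example.env", "StartLine": 3,
     "Description": "Generic API Key", "Secret": "changeme"},
])
DEPCHECK_REPORT = json.dumps({"dependencies": [
    {"fileName": "requests-2.25.0.whl",
     "vulnerabilities": [{"name": "CVE-0000-00000", "severity": "HIGH"}]},  # placeholder CVE id
]})

# --- unified schema ---------------------------------------------------------
@dataclass
class Finding:
    tool: str
    rule_id: str
    category: str          # "sast" | "secret" | "sca"
    path: str
    line: int
    severity: str          # normalised to LOW / MEDIUM / HIGH / CRITICAL
    message: str
    tags: list = field(default_factory=list)     # facts noted at normalisation time
    reasons: list = field(default_factory=list)  # audit trail of triage decisions
    score: float = 0.0
    suppressed: bool = False

SEMGREP_SEVERITY = {"INFO": "LOW", "WARNING": "MEDIUM", "ERROR": "HIGH"}
SEVERITY_WEIGHT = {"LOW": 1, "MEDIUM": 3, "HIGH": 6, "CRITICAL": 9}
NOISY_PATH_PREFIXES = ("tests/", "test/", "docs/", "examples/")
PLACEHOLDER_MARKERS = ("changeme", "example", "placeholder", "dummy", "xxx")

# --- per-tool normalisers (the adapter layer) -------------------------------
def normalize_semgrep(raw: str) -> list:
    return [Finding("semgrep", r["check_id"], "sast", r["path"], r["start"]["line"],
                    SEMGREP_SEVERITY.get(r["extra"]["severity"], "MEDIUM"),
                    r["extra"]["message"])
            for r in json.loads(raw)["results"]]

def normalize_gitleaks(raw: str) -> list:
    out = []
    for r in json.loads(raw):
        # Inspect the matched value here and drop it: the unified record never
        # carries the secret itself, only a tag describing what was seen.
        tags = ["placeholder-secret"] if any(
            m in r.get("Secret", "").lower() for m in PLACEHOLDER_MARKERS) else []
        out.append(Finding("gitleaks", r["RuleID"], "secret", r["File"], r["StartLine"],
                           "HIGH", r["Description"], tags=tags))
    return out

def normalize_depcheck(raw: str) -> list:
    return [Finding("dependency-check", v["name"], "sca", dep["fileName"], 0,
                    v["severity"].upper(), f"{v['name']} in {dep['fileName']}")
            for dep in json.loads(raw)["dependencies"]
            for v in dep.get("vulnerabilities", [])]

# --- rule-based triage stage ------------------------------------------------
def triage(findings: list) -> list:
    """Score each finding, record why, and flag likely false positives."""
    for f in findings:
        f.score = float(SEVERITY_WEIGHT.get(f.severity, 3))
        if f.path.startswith(NOISY_PATH_PREFIXES):
            f.reasons.append("non-production path")
            f.score *= 0.25
        if "placeholder-secret" in f.tags:
            f.reasons.append("secret value looks like a placeholder")
            f.score *= 0.25
        if f.category == "secret" and not f.reasons:
            f.reasons.append("credential-like value in production path")
            f.score += 2
        f.suppressed = f.score < 2.0
    return sorted(findings, key=lambda f: f.score, reverse=True)

def run_pipeline() -> tuple:
    findings = (normalize_semgrep(SEMGREP_REPORT) + normalize_gitleaks(GITLEAKS_REPORT)
                + normalize_depcheck(DEPCHECK_REPORT))
    ranked = triage(findings)
    total, suppressed = len(ranked), sum(f.suppressed for f in ranked)
    stats = {"total": total, "suppressed": suppressed,
             "reduction_pct": round(100.0 * suppressed / total, 1)}
    return ranked, stats

if __name__ == "__main__":
    ranked, stats = run_pipeline()
    for f in ranked:
        print(f"{f.score:5.2f} {'SUPPRESSED' if f.suppressed else 'OPEN      '} "
              f"{f.tool:17} {f.path}:{f.line} {f.reasons}")
    print(stats)
```

Two design points matter for the dashboard and auditing goals the abstract names: every suppression carries a `reasons` list, so a reviewer can see why an alert was demoted rather than simply finding it missing, and the GitLeaks adapter evaluates the matched value at normalisation time and never stores it, so the unified record can be shipped to a dashboard or an LLM-based agent without leaking the credential it flagged.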