AgenticSCR: An Autonomous Agentic Secure Code Review for Immature Vulnerabilities Detection

Abstract: Secure code review is critical at the pre-commit stage, where vulnerabilities must be caught early under tight latency and limited-context constraints. Existing SAST-based checks are noisy and often miss immature, context-dependent vulnerabilities, while standalone LLMs are constrained by context windows and lack explicit tool use. Agentic AI, which combine LLMs with autonomous decision-making, tool invocation, and code navigation, offer a promising alternative, but their effectiveness for pre-commit secure code review is not yet well understood. In this work, we introduce AgenticSCR, an agentic AI for secure code review for detecting immature vulnerabilities during the pre-commit stage, augmented by security-focused semantic memories. Using our own curated benchmark of immature vulnerabilities, tailored to the pre-commit secure code review, we empirically evaluate how accurate is our AgenticSCR for localizing, detecting, and explaining immature vulnerabilities. Our results show that AgenticSCR achieves at least 153% relatively higher percentage of correct code review comments than the static LLM-based baseline, and also substantially surpasses SAST tools. Moreover, AgenticSCR generates more correct comments in four out of five vulnerability types, consistently and significantly outperforming all other baselines. These findings highlight the importance of Agentic Secure Code Review, paving the way towards an emerging research area of immature vulnerability detection.

• The paper introduces AgenticSCR, an autonomous secure code review framework that leverages agentic AI to detect immature vulnerabilities.
• It employs a detector-validate pattern with cognitive memory models, achieving around 17.5% improvement in correct detections and reducing false positives by 71%.
• The system integrates LLMs with semantic security insights, promising enhanced accuracy and reduced development overhead in secure coding practices.

AgenticSCR: Advancements in Autonomous Secure Code Review

Introduction

Secure code review is essential for detecting vulnerabilities before code reaches production. The introduction of AgenticSCR, an agentic AI system, promises advancements in identifying immature vulnerabilities at the pre-commit stage. Existing SAST systems and standalone LLMs fail to adequately address these vulnerabilities due to inherent limitations, such as high false-positive rates and constrained contextual understanding. AgenticSCR addresses these issues by integrating LLMs with autonomous reasoning capabilities, coupled with an overview of contextual and semantic security information.

Overview of AgenticSCR

AgenticSCR is engineered as an autonomous framework for secure code review, particularly focused on detecting immature vulnerabilities during the pre-commit phase. The architecture is designed to incorporate cognitive memory models, including security-focused semantic memory, to enhance decision-making and tool usage capabilities within a CLI-driven environment.

Figure 1: An overview architecture of Agentic Secure Code Review workflow.

The system adopts a detector-validate agentic pattern, whereby the detector identifies potential vulnerabilities, while the validator confirms their security relevance. This pattern ensures high accuracy in identifying genuine threats, reducing false positives typically associated with traditional static analysis tools.

Empirical Evaluation and Results

AgenticSCR's evaluation utilizes the SCRBench dataset, newly created for measuring line-level vulnerability detection and explanation quality in the pre-commit stage. The dataset comprises pre-commit code changes labeled with corresponding CVE and CWE vulnerability types and involves software from diverse repositories.

Figure 2: (RQ1) An example output of AgenticSCR, demonstrating the capability of the validator subagent filtering out irrelevant or invalid secure code review comments.

The empirical analysis reveals that AgenticSCR surpasses traditional SAST tools and static LLM-based techniques. It achieves approximately a 17.5% correctness of code review comments—significantly better than its competitors. Importantly, the number of false-positive comments is reduced by at least 71%, confirming the system's effectiveness in producing precise, meaningful security insights.

Implications and Future Directions

Theoretical Implications: The results underscore the merit of blending agentic AI systems with structured security knowledge bases, improving vulnerability detection performance. The agentic architecture, with its orchestration of detector and validator functions, leverages adaptive reasoning, showing significant promise for more intelligent and responsive code review systems.

Practical Implications: For software development practices, AgenticSCR offers a tangible leap forward in embedding security deeper into the programming lifecycle. Its deployment reduces the overhead of false positives, thereby increasing developer trust and ensuring more consistent security compliance.

Future Directions: Progressive development of AgenticSCR can focus on expanding its semantic memory to incorporate dynamic coding contexts and integrate cross-platform capabilities, allowing greater flexibility and adaptability to diverse coding environments. Further, the potential for real-time feedback and integration into continuous integration pipelines denotes a promising area of research.

Conclusion

AgenticSCR's innovative agentic system advances secure code review by addressing the limitations of legacy tools and enhancing the precision of vulnerability detection. Its strategic integration of LLMs and agentic AI with rich security-focused semantic memory marks a significant development in reducing immature vulnerabilities, promising improvements in software security assurance across industries.