How Agentic AI Enables Several Agents To Jointly Detect, Fix, And Verify Security Vulnerabilities In The Codebase

|

Modern software systems are increasingly complex, interconnected, and vulnerable to a growing range of security threats. As a result, traditional static and manual code audits can no longer keep pace. This has led to the emergence of Agentic AI, a new paradigm where multiple intelligent agents collaborate autonomously to perform critical tasks in software security: detecting, fixing, and verifying vulnerabilities in codebases.

In this article, we explore how Agentic AI works in a multi-agent system to secure codebases, highlight the architecture, and provide coding examples demonstrating how agents can be coordinated for secure code remediation.

Understanding Agentic AI in the Context of Software Security

Agentic AI refers to systems composed of multiple autonomous, goal-driven agents that communicate, coordinate, and act independently or jointly to achieve a broader objective. In a security-oriented software engineering context, agents are specialized:

  • Scanner Agent – Scans the codebase for known and unknown vulnerabilities.

  • Fixer Agent – Applies security patches or rewrites vulnerable code.

  • Verifier Agent – Runs tests and formal checks to ensure the fix resolves the issue and doesn’t introduce regressions.

  • Supervisor Agent – Orchestrates workflows and ensures consensus among agents.

These agents interact using protocols like JSON-RPC, REST, or even LLM-mediated message passing (e.g., via LangChain or OpenAgents frameworks).

A Realistic Scenario: SQL Injection in a Web Application

Let’s illustrate Agentic AI with a concrete scenario: detecting, fixing, and verifying a SQL injection vulnerability in a Node.js Express web app using raw SQL.

Here’s the vulnerable code:

javascript
// userController.js
app.post('/login', async (req, res) => {
const { username, password } = req.body;
const query = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`;
const result = await db.query(query);
if (result.length > 0) {
res.send('Login successful');
} else {
res.status(401).send('Unauthorized');
}
});

This is a classic SQL injection flaw. Let’s explore how Agentic AI can resolve this.

Vulnerability Detection by the Scanner Agent

The Scanner Agent performs static analysis and optionally fuzz testing. It uses pattern recognition and LLMs to identify dangerous code constructs.

Example implementation using a simple LLM wrapper:

python
# scanner_agent.py
from openai import OpenAI
import redef detect_vulnerabilities(code: str) -> list:
if re.search(r”SELECT \* FROM .*WHERE.*[‘\”]\s*\+\s*\w+”, code):
return [{“type”: “SQL Injection”, “location”: “userController.js”, “line”: 3}]
return []# Simulated scan
vulns = detect_vulnerabilities(open(“userController.js”).read())
print(vulns)

In a full Agentic setup, this result is passed as a message to the Fixer Agent.

Fixing Vulnerabilities with the Fixer Agent

The Fixer Agent receives a vulnerability report and refactors the code. It might use context-aware refactoring with AST parsing or LLM-powered patch generation.

Example (LLM-style transformation):

python
# fixer_agent.py
def fix_sql_injection(code: str) -> str:
secure_code = code.replace(
"const query = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`;",
"const query = 'SELECT * FROM users WHERE username = ? AND password = ?';\n const result = await db.query(query, [username, password]);"
)
return secure_codefixed_code = fix_sql_injection(open(“userController.js”).read())
with open(“userController_fixed.js”, “w”) as f:
f.write(fixed_code)

This code now uses parameterized queries, which eliminate SQL injection risks.

Verifying the Fix with the Verifier Agent

The Verifier Agent ensures that the fix does not regress functionality and that the vulnerability is resolved. It can execute unit tests, dynamic analysis, or formal verification.

Example:

javascript
// test/login.test.js
const request = require('supertest');
const app = require('../app');describe(‘SQL Injection Test’, () => {
it(‘should not allow SQL injection’, async () => {
const response = await request(app)
.post(‘/login’)
.send({ username: “‘ OR 1=1 –“, password: “anything” });expect(response.statusCode).toBe(401); // Should be unauthorized
});
});

The Verifier Agent runs this test:

bash
# verifier_agent.sh
npm test test/login.test.js

If the test passes, the Verifier Agent sends a success message to the Supervisor Agent.

Orchestration by the Supervisor Agent

The Supervisor Agent coordinates all agents, tracks statuses, and optionally provides explanations or decisions back to human developers.

Here’s an abstracted message flow in JSON:

json
{
"scanner": {
"status": "vulnerability_found",
"details": {
"file": "userController.js",
"type": "SQL Injection"
}
},
"fixer": {
"status": "patch_applied",
"diff": "parameterized_query_patch.diff"
},
"verifier": {
"status": "verified",
"test_results": "1 passed, 0 failed"
}
}

This final state can then be used to trigger a CI/CD pipeline or generate a developer notification.

Scaling Up: Multi-Agent Collaboration with LangGraph

For more complex systems, LangGraph or ReAct-based frameworks enable defining nodes as agents with memory and state transitions.

Example LangGraph-like pseudocode:

python

graph = AgentWorkflow()

graph.add_node(“scan”, scanner_agent)
graph.add_node(“fix”, fixer_agent)
graph.add_node(“verify”, verifier_agent)

graph.connect(“scan”, “fix”, condition=lambda output: “SQL Injection” in output)
graph.connect(“fix”, “verify”)
graph.connect(“verify”, “end”, condition=lambda result: result[“test_results”] == “pass”)

graph.run(codebase_path=“src/”)

This is a reusable security remediation pipeline—agentic, parallel, and iterative.

Benefits of Using Agentic AI for Secure Codebases

Agentic AI brings several advantages:

  • Automation: Reduces manual review cycles.

  • Parallelism: Multiple agents can act on different files or layers.

  • Autonomy: Agents can operate asynchronously and handle partial tasks.

  • Adaptability: Models adapt to new vulnerability classes via fine-tuning.

  • Explainability: LLM-based agents can explain fixes and detection logic.

Handling Advanced Security Scenarios

Agentic AI is also applicable to:

  • Cross-site Scripting (XSS) detection in React apps.

  • Cryptographic misuse (e.g., hardcoded secrets).

  • Insecure deserialization in Java or Python.

  • Supply chain attacks via package.json or requirements.txt.

These require agents with domain-specific knowledge, perhaps using GPT-4.5 or fine-tuned BERT/SAST transformers.

Real-World Integration with CI/CD

Agentic AI can be integrated into GitHub Actions or GitLab CI pipelines.

Example GitHub Action:

yaml

name: Secure Code Scan

on: [push]

jobs:
secure_scan:
runs-on: ubuntu-latest
steps:
uses: actions/checkout@v2
name: Run Scanner Agent
run: python scanner_agent.py
name: Run Fixer Agent
run: python fixer_agent.py
name: Run Verifier Agent
run: npm test

You can also deploy agents as microservices and trigger them using Kafka or HTTP webhooks.

Conclusion

Agentic AI represents a powerful new paradigm in the domain of software security automation. Instead of relying on monolithic tools or human-intensive review processes, agentic systems coordinate multiple specialized agents—each with distinct skills such as detection, remediation, and validation—to jointly secure codebases.

This multi-agent approach provides the following key benefits:

  • Scalability: Each agent can process part of the system concurrently, dramatically speeding up audits.

  • Accuracy: LLM-driven agents can detect subtle vulnerabilities using learned patterns that go beyond traditional regex or static rules.

  • Security by Design: By embedding fix and verification stages in the development lifecycle, organizations ensure secure coding becomes a continuous process.

  • Ecosystem Interoperability: Agents can integrate into existing pipelines, tools, and IDEs, making the adoption curve gentle.

  • Human-AI Collaboration: Developers can remain in the loop, reviewing patches and explanations while the agents handle the heavy lifting.

In a world where software is the backbone of nearly every industry—and attacks are increasingly automated—Agentic AI is not just a technological innovation. It’s a strategic necessity. By letting intelligent agents work together to find, fix, and verify vulnerabilities, we create software systems that are not only more secure, but also more resilient, auditable, and future-ready.