Haining Fan1, Lijie Zheng1, Chenhao Han1, Ji He1,*, and Chunlin He2
Ji He
1School of Computer Science and Technology, Xidian University, Xi’an, Shaanxi, 710071, China
2Chaoyue Technology Co., Ltd., Shandong Province Key Laboratory of Independent and Reliable Computing Technology and Equipment, Jinan, 250104, China
*Corresponding author
This paper presents a multi-agent DevSecOps framework that integrates static code scanning, large language model (LLM) based security reasoning, automated repair generation, policy-as-code enforcement, and runtime monitoring into a unified event-driven pipeline. Five specialized agents collaborate through LangGraph shared state graphs: a Code Security Agent combining Semgrep rule matching with LLM contextual review, a Fix Agent generating reviewable candidate patches, a Policy Agent producing OPA Rego and Kubernetes NetworkPolicy files, and an Enforcement Agent operating in both CI gate and runtime response modes. Evaluation on a test application containing 50 planted vulnerabilities across Python code and infrastructure-as-code demonstrates that the combined Semgrep+LLM detection achieves 92.0% recall (F1=95.8%), compared to 34.0% for Semgrep alone, with zero false positives under the manually labeled test oracle. The Fix Agent commits candidate patches for 98.4% of detected vulnerabilities at an average of 35.5 seconds each. The Enforcement Agent correctly blocks non-compliant configurations and completes CI gate decisions in under 34 seconds. Runtime monitoring detects injection attacks, brute-force attempts, and unauthorized access with risk-proportional automated response within 42 seconds.
DevSecOps, multi-agent systems, vulnerability detection, auto-remediation, Security as Code, large language models
Haining Fan, Lijie Zheng, Chenhao Han, Ji He, and Chunlin He (2026). A Multi-Agent DevSecOps Framework for Intelligent Vulnerability Detection and Auto-Remediation. Journal of Networking and Network Applications, Volume 6, Issue 2, pp. 55–66. https://doi.org/10.33969/J-NaNA.2026.060202.
[1] H. Myrbakken and R. Colomo-Palacios, “Devsecops: A multivocal literature review,” in Proceedings of the International Conference on Software Process Improvement and Capability Determination (SPICE 2017). Springer, 2017, pp. 17–29.
[2] HashiCorp, “What is infrastructure as code,” https://www.hashicorp. com/resources/what-is-infrastructure-as-code, 2022.
[3] L. Prates and R. Pereira, “Devsecops practices and tools,” International Journal of Information Security, vol. 24, no. 1, p. 11, 2025.
[4] M. S´anchez-Gord´on and R. Colomo-Palacios, “Security as culture: A systematic literature review of devsecops,” in Proceedings of the IEEE/ACM 42nd International Conference on Software Engineering Workshops (ICSE 2020 Workshops). IEEE/ACM, 2020, pp. 266–269.
[5] N. K. K. Reddy Yelkoti, “Security as code: An architectural framework for automated risk mitigation in devsecops pipelines,” Journal of Computer Science and Technology Studies, vol. 7, no. 6, pp. 235–244, 2025. [Online]. Available: https://al-kindipublisher.com/index.php/jcsts/article/view/9959
[6] O. Vakhula and I. Opirskyy, “Ai-driven security as code for software development using multi-agent systems,” in Proceedings of the Fourth International Conference on Cyber Hygiene and Conflict Management in Global Information Networks (CH&CMiGIN’25), ser. CEUR Workshop Proceedings, vol. 4024, 2025, pp. 129–138. [Online]. Available: https://ceur-ws.org/Vol-4024/paper13.pdf
[7] National Institute of Standards and Technology (NIST), “Devsecops,” https://csrc.nist.gov/projects/devsecops, accessed: 2026-05-25.
[8] Semgrep, Inc., “Semgrep,” https://semgrep.dev, 2020, open-source static analysis tool, source code: https://github.com/semgrep/semgrep.
[9] GitHub Security Lab, “Codeql: Github’s semantic code analy-sis engine,” https://codeql.github.com/, 2019, blog announcement: https://github.blog/2019-11-14-security-lab/.
[10] Open Policy Agent, “Open policy agent (opa),” https://www. openpolicyagent.org/, 2023.
[11] H. Xu, S. Wang, N. Li, K. Wang, Y. Zhao, K. Chen, T. Yu, Y. Liu, and H. Wang, “Large language models for cyber security: A systematic literature review,” 2024. [Online]. Available: https: //arxiv.org/abs/2405.04760
[12] J. Bae, S. Kwon, and S. Myeong, “Enhancing software code vulnera-bility detection using gpt-4o and claude-3.5 sonnet: A study on prompt engineering techniques,” Electronics, vol. 13, no. 13, p. 2657, 2024.
[13] J. Zhang, C. Wang, A. Li, W. Wang, T. Li, and Y. Liu, “Vuladvisor: Natural language suggestion generation for software vulnerability re-pair,” in Proceedings of the IEEE/ACM 39th International Conference on Automated Software Engineering (ASE 2024), 2024, pp. 1932–1944.
[14] Y. Charalambous, N. Tihanyi, R. Jain, Y. Sun, M. A. Ferrag, and L. C. Cordeiro, “A new era in software security: Towards self-healing software via large language models and formal verification,” 2023.[Online]. Available: https://arxiv.org/abs/2305.14752
[15] J. Gong, N. Duan, Z. Tao, Z. Gong, Y. Yuan, and M. Huang, “How well do large language models serve as end-to-end secure code agents for python?” 2024. [Online]. Available: https://arxiv.org/abs/2408.10495
[16] C. Qian, X. Cong, W. Liu, C. Yang, W. Chen, Y. Su, Y. Dang, J. Li, J. Xu, D. Li, Z. Liu, and M. Sun, “Chatdev: Communicative agents for software development,” 2023. [Online]. Available: https: //arxiv.org/abs/2307.07924
[17] S. Hong, M. Zhuge, J. Chen, X. Zheng, Y. Cheng, C. Zhang, J. Wang, Z. Wang, S. K. S. Yau, Z. Lin, L. Zhou, C. Ran, L. Xiao, C. Wu, and J. Schmidhuber, “Metagpt: Meta programming for multi-agent collaborative framework,” 2023. [Online]. Available: https://arxiv.org/abs/2308.00352
[18] Q. Wu, G. Bansal, J. Zhang, Y. Wu, S. Zhang, E. Zhu, B. Li, L. Jiang, X. Zhang, and C. Wang, “Autogen: Enabling next-gen llm applications via multi-agent conversation framework,” 2023. [Online]. Available: https://arxiv.org/abs/2308.08155
[19] D. Kassimi, O. Kazar, H. Saouli, and O. Boussaid, “Design and implementation of a new approach using multi-agent system for security in big data,” International Journal of Software Engineering and Its Applications, vol. 11, no. 9, pp. 1–14, 2017.
[20] W. Chen, Y. Su, J. Zuo, C. Yang, C. Yuan, C. Qian, C.-M. Chan, Y. Qin, Y. Lu, R. Xie et al., “AgentVerse: Facilitating multi-agent col-laboration and exploring emergent behaviors in agents,” arXiv preprint arXiv:2308.10848, 2023.
[21] LangChain, Inc., “Langgraph: Build resilient language agents as graphs,” https://github.com/langchain-ai/langgraph, 2024, accessed: 2025-03-15.
[22] W. Charoenwet, P. Thongtanunam, V.-T. Pham, and C. Treude, “An empirical study of static analysis tools for secure code review,” in Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis. ACM, 2024, pp. 691–703.
[23] X.-C. Wen, C. Gao, S. Gao, Y. Xiao, and M. R. Lyu, “Scale: Construct-ing structured natural language comment trees for software vulnerability detection,” in Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, 2024, pp. 235–247.
[24] X. Du, M. Wen, J. Zhu, Z. Xie, B. Ji, H. Liu, X. Shi, and H. Jin, “Generalization-enhanced code vulnerability detection via multi-task in-struction fine-tuning,” in Findings of the Association for Computational Linguistics: ACL 2024. ACL, 2024, pp. 10 507–10 521.
[25] A. Zibaeirad and M. Vieira, “Diverse LLMs vs. vulnerabilities: Who detects and fixes them better?” arXiv preprint arXiv:2512.12536, 2025.
[26] K. Li, J. Zhang, S. Chen, H. Liu, Y. Liu, and Y. Chen, “Patchfinder: A two-phase approach to security patch tracing for disclosed vulnerabilities in open-source software,” in Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, 2024, pp. 590–602.
[27] R. Kumar and R. Goyal, “Modeling continuous security: A conceptual model for automated devsecops using open-source software over cloud (adoc),” Computers & Security, vol. 97, p. 101967, 2020.
[28] O. B. Abiola and O. G. Olufemi, “An enhanced ci/cd pipeline: A devsecops approach,” International Journal of Computer Applications, vol. 184, no. 48, pp. 8–13, 2023.
[29] V. Gupta and D. Sreenivasamurthy, “Prose2policy (P2P): A practical LLM pipeline for translating natural-language access policies into exe-cutable Rego,” arXiv preprint arXiv:2603.15799, 2026.
[30] I. H. Sarker, M. H. Furhad, and R. Nowrozy, “Ai-driven cybersecurity: An overview, security intelligence modeling and research directions,” SN Computer Science, vol. 2, no. 3, p. 173, 2021.
[31] S. Yao, J. Zhao, D. Yu, N. Du, I. Shafran, K. Narasimhan, and Y. Cao, “React: Synergizing reasoning and acting in language models,” in The Eleventh International Conference on Learning Representations, 2023.[Online]. Available: https://openreview.net/forum?id=WE vluYUL-X
[32] Elastic. (2023) Elastic stack documentation. Logging, metrics, and monitoring documentation. [Online]. Available: https://www.elastic.co/docs
[33] OWASP Foundation, “Owasp top ten web application security risks,” https://owasp.org/www-project-top-ten/, 2021.