Automating code security review: Mythos-level capabilities at lower cost
16 hours ago
- #AI Agents
- #Automated Security Reviews
- #Code Security
- Developed a multi-agent pipeline for automated code security reviews to handle increased code volumes efficiently.
- Focused on reducing false positives and variance by orienting agents deterministically and providing dedicated security context.
- Used Semgrep rules to identify entry points and Haiku subagents to map code flows from source to sink.
- Separated security context from code generation to avoid conflicting priors, using SECURITY.md files tailored to subsystems.
- Implemented a six-phase pipeline with parallel subagents for mapping, hunting, deduplication, validation, and aggregation.
- Emphasized cost-effectiveness with right-sized models per phase, achieving low cost per actionable finding.
- Integrated into CI as a non-blocking system, posting findings on PRs and planning post-merge patching with agent-generated fixes.
- Iterated based on benchmarking against a reference codebase, tracking cost, time, and findings without regressions.
- Advocated principles like deterministic attack surface mapping, narrow pipeline phases, and separate security context for replication.
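
A sketch of the deterministic orientation step described above, as an added example that is not code from the pipeline itself: scanner hits are de-duplicated, sorted, and grouped under the nearest SECURITY.md so every run hands the mapping subagents the same tasks with the same context. The rule IDs, paths, and function names are hypothetical; only the `results[].check_id/path/start.line` shape follows Semgrep's JSON output.

```python
import json
from pathlib import PurePosixPath

# Constructed sample in the shape of `semgrep --json` output; rule IDs and paths are hypothetical.
SEMGREP_JSON = json.dumps({"results": [
    {"check_id": "entrypoint.http-route", "path": "services/billing/api/routes.py", "start": {"line": 42}},
    {"check_id": "entrypoint.queue-consumer", "path": "services/ingest/worker.py", "start": {"line": 10}},
    {"check_id": "entrypoint.http-route", "path": "services/billing/api/routes.py", "start": {"line": 17}},
    {"check_id": "entrypoint.http-route", "path": "services/billing/api/routes.py", "start": {"line": 42}},
    {"check_id": "entrypoint.cli", "path": "tools/admin.py", "start": {"line": 5}},
]})

# Constructed set of SECURITY.md files present in the hypothetical repository.
SECURITY_DOCS = {"SECURITY.md", "services/billing/SECURITY.md", "services/ingest/SECURITY.md"}

def nearest_security_md(path, docs=SECURITY_DOCS):
    """Walk up from the file's directory and return the closest SECURITY.md, or None."""
    for parent in PurePosixPath(path).parents:
        candidate = "SECURITY.md" if str(parent) == "." else f"{parent}/SECURITY.md"
        if candidate in docs:
            return candidate
    return None

def build_work_units(semgrep_json, docs=SECURITY_DOCS):
    """Turn scanner hits into a stable, de-duplicated task list, one unit per context file."""
    results = json.loads(semgrep_json)["results"]
    hits = {(r["path"], r["start"]["line"], r["check_id"]) for r in results}
    units = {}
    for path, line, rule in sorted(hits):  # sorted: same scan gives same task order every run
        context = nearest_security_md(path, docs)
        units.setdefault(context, []).append({"path": path, "line": line, "rule": rule})
    # None (no SECURITY.md found) sorts first so uncovered code is visible at the top.
    return [{"context": ctx, "entry_points": eps}
            for ctx, eps in sorted(units.items(), key=lambda kv: kv[0] or "")]

if __name__ == "__main__":
    for unit in build_work_units(SEMGREP_JSON):
        print(unit["context"], [f'{e["path"]}:{e["line"]}' for e in unit["entry_points"]])
```

A unit whose context is `None` marks entry points with no SECURITY.md above them, which is a gap in the security context rather than something to hand to a subagent as-is.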