AI coding assistants are increasingly used in software development, but the code they produce requires rigorous security review. Existing static application security testing (SAST) tools often lack the project-level context needed to reason about distributed applications, authentication flows, and cross-file vulnerabilities. This paper presents SecureAgent, a multi-agent LLM framework designed for evidence-grounded vulnerability detection and patch recommendation. SecureAgent separates the review process into coordinated specialized agents: repository indexing, static scanning, dependency analysis, semantic review, data-flow tracing, exploitability validation, patch drafting, and human review. Unlike single-prompt code assistants, SecureAgent requires every reported vulnerability to be tied to specific source locations, a CWE category, an OWASP Top 10 risk category, and a validation status. The framework treats LLM responses as hypotheses, not findings, until they are supported by deterministic evidence. The paper defines the system's architecture, threat model, trust boundaries, inter-agent communication format, evidence schema, context-selection policy, and evaluation plan. While this work presents the design and prototype specification rather than completed benchmark results, it establishes a reproducible methodology for comparing AI-assisted security frameworks against traditional SAST tools, dependency scanners, and single-agent LLM review using public benchmarks (OWASP Benchmark, Juliet) and CVE-linked repositories. The core contribution is an auditable, constraint-driven design that prioritizes verification over autonomous action, aiming to make AI-assisted security review more reliable and transparent.
S Nishad (Sat,) studied this question.