Ensuring software security and maintaining high code quality are critical challenges in modern software development. Traditional static analysis tools effectively identify known vulnerability patterns but rely on rule-based detection, lacking contextual understanding and producing high false-positive rates that burden developers. This paper proposes the Automated Code Quality and Security Auditor (A-CQSA), a hybrid framework integrating static analysis tools with Large Language Models (LLMs) to deliver context-aware, explainable code auditing. A-CQSA introduces three novel contributions: (1) an LLM-based false positive filtering pipeline that achieved a 40.3% reduction in false positives across 15 evaluated repositories; (2) a Composite Security Risk Scoring Engine that aggregates CVSS severity, CWE exploitability, code reachability, file exposure, and historical false-positive propensity into a normalized 0–100 score; and (3) a Semantic Caching mechanism that reduced LLM API latency by 62% on repeated vulnerability patterns. Experimental evaluation on open-source repositories demonstrates that A-CQSA achieves a precision of 0.87, recall of 0.91, and F1-score of 0.89, outperforming standalone static analysis tools and providing actionable remediation suggestions with developer-friendly explanations.
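To make the scoring engine and the semantic cache concrete, the following is an added worked example written for this page; it is not the paper's code. The abstract fixes only the five score inputs (CVSS severity, CWE exploitability, code reachability, file exposure, historical false-positive propensity) and the 0–100 output range. The weights, the per-input normalisation, the cache signature (identifiers, literals and whitespace normalised before hashing), the `fake_llm_review` stand-in for the LLM filter, and the rule identifiers and findings in `SAMPLE_FINDINGS` are all assumptions constructed for illustration.

```python
"""Composite security risk score plus a semantic cache for LLM verdicts.

Illustrative example for the A-CQSA abstract, not the paper's own code.
Weights, normalisation, cache signature and sample data are assumptions.
"""
from dataclasses import dataclass
from hashlib import sha256
import re

# Assumed weights; they sum to 1.0 so a fully weighted finding scores 100.
WEIGHTS = {
    "cvss": 0.35,            # CVSS base score, 0-10, scaled to 0-1
    "exploitability": 0.20,  # CWE exploitability estimate, 0-1
    "reachability": 0.20,    # share of entry points from which the code is reachable, 0-1
    "exposure": 0.15,        # file exposure: 1.0 public handler, ~0.1 test fixture
    "fp_propensity": 0.10,   # historical false-positive rate of the rule, 0-1 (lowers the score)
}


@dataclass
class Finding:
    rule_id: str
    cwe: str
    cvss: float
    exploitability: float
    reachability: float
    exposure: float
    fp_propensity: float
    snippet: str


def clamp01(x: float) -> float:
    return max(0.0, min(1.0, x))


def composite_risk_score(f: Finding) -> float:
    """Weighted sum of normalised factors, returned on a 0-100 scale."""
    parts = (
        WEIGHTS["cvss"] * clamp01(f.cvss / 10.0),
        WEIGHTS["exploitability"] * clamp01(f.exploitability),
        WEIGHTS["reachability"] * clamp01(f.reachability),
        WEIGHTS["exposure"] * clamp01(f.exposure),
        # A rule that has historically been mostly noise contributes less.
        WEIGHTS["fp_propensity"] * (1.0 - clamp01(f.fp_propensity)),
    )
    return round(100.0 * sum(parts), 1)


_KEYWORDS = {"if", "else", "for", "while", "return", "def", "import", "in", "and", "or", "not"}


def code_signature(rule_id: str, snippet: str) -> str:
    """Normalise a snippet so findings that differ only in identifier names,
    literals or whitespace share one cache key (assumed stand-in for the
    paper's semantic matching)."""
    s = re.sub(r"\b[A-Za-z_]\w*\b",
               lambda m: m.group(0) if m.group(0) in _KEYWORDS else "<id>", snippet)
    s = re.sub(r'"[^"]*"|\'[^\']*\'', "<str>", s)   # string literals
    s = re.sub(r"\b\d+(\.\d+)?\b", "<num>", s)       # numeric literals
    s = re.sub(r"\s+", " ", s).strip()               # whitespace
    return sha256(f"{rule_id}|{s}".encode()).hexdigest()


class SemanticCache:
    """Memoises LLM verdicts per (rule, normalised code shape) signature."""

    def __init__(self) -> None:
        self._store: dict = {}
        self.hits = 0
        self.misses = 0

    def review(self, finding: Finding, llm) -> dict:
        key = code_signature(finding.rule_id, finding.snippet)
        if key in self._store:
            self.hits += 1
            return self._store[key]
        self.misses += 1
        verdict = llm(finding)        # only reached on a cache miss
        self._store[key] = verdict
        return verdict


def fake_llm_review(finding: Finding) -> dict:
    """Constructed stand-in for the LLM false-positive filter, not a real model:
    treats low-exposure (fixture) code as a likely false positive."""
    is_fixture = finding.exposure < 0.2
    return {"true_positive": not is_fixture,
            "explanation": ("test fixture, not reachable in production" if is_fixture
                            else f"{finding.cwe}: untrusted data reaches a sink")}


def audit(findings, cache: SemanticCache, llm=fake_llm_review):
    """Score and review each finding; rows are sorted by risk, highest first."""
    rows = []
    for f in findings:
        verdict = cache.review(f, llm)
        rows.append({"rule": f.rule_id, "score": composite_risk_score(f),
                     "true_positive": verdict["true_positive"],
                     "explanation": verdict["explanation"]})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample findings (rule ids are placeholders): two SQL-injection hits
# that differ only in names, plus a low-severity hit inside a test fixture.
SAMPLE_FINDINGS = [
    Finding("SQLI-001", "CWE-89", 9.8, 0.9, 1.0, 1.0, 0.1,
            'query = "SELECT * FROM users WHERE id=" + uid\ncursor.execute(query)'),
    Finding("SQLI-001", "CWE-89", 9.8, 0.9, 1.0, 1.0, 0.1,
            'q = "SELECT * FROM orders WHERE id=" + order_id\ncur.execute(q)'),
    Finding("PWD-002", "CWE-259", 3.0, 0.2, 0.0, 0.1, 0.8,
            'password = "hunter2"  # fixture'),
]

if __name__ == "__main__":
    cache = SemanticCache()
    for row in audit(SAMPLE_FINDINGS, cache):
        print(row)
    print(f"cache hits={cache.hits} misses={cache.misses}")
```

Running the block sends the two SQL-injection findings to the stand-in LLM only once, because their normalised shapes coincide, and ranks the fixture finding last with a false-positive verdict; the cache counters show where the latency saving the abstract reports would come from.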
Singh et al. (Sun,) studied this question.