Abstract
Modern software development pipelines face growing challenges in securing large codebases with extensive dependencies. Static analysis tools such as Bandit are effective at vulnerability detection but suffer from high false-positive rates and offer no repair capability. Large Language Models (LLMs), in contrast, can suggest fixes but often hallucinate changes and lack self-validation. We present SecureFixAgent, a hybrid repair framework that integrates Bandit with lightweight local LLMs (<8B parameters) in an iterative detect-repair-validate loop. To improve precision, we apply parameter-efficient LoRA-based fine-tuning on a diverse, curated dataset spanning multiple Python project domains, mitigating dataset bias and reducing unnecessary edits. SecureFixAgent uses Bandit for detection, the LLM for candidate fixes with explanations, and Bandit re-validation for verification, all executed locally to preserve privacy and reduce cloud reliance. Experiments show that SecureFixAgent reduces false positives by 10.8% relative to static analysis alone and, compared with pre-trained LLMs, improves fix accuracy by 13.51% while lowering false positives by 5.46%, typically converging within three iterations. Beyond these metrics, developer studies rate explanation quality at 4.5/5, highlighting its value for human trust and adoption. By combining verifiable security improvements with transparent rationale in a resource-efficient local framework, SecureFixAgent advances trustworthy, automated vulnerability remediation for modern pipelines.
Related Work
Static analyzers (e.g., Bandit) offer precise rule-based detection but lack automated remediation and can yield high false-positive rates. LLM-based repair proposes fixes but often lacks verification and privacy guarantees. Prior systems (e.g., APR tools, Copilot) rarely couple repair with rigorous validation loops or local, privacy-preserving deployment; SecureFixAgent addresses these gaps by fusing Bandit with local LLMs and enforceable re-validation.
Methodology
The pipeline proceeds as follows: (1) Bandit flags vulnerabilities; (2) a local LLM validates each finding and proposes a minimal patch with an explanation; (3) Bandit re-validates the patched code; (4) the loop iterates until convergence or an iteration limit is reached. Models (<8B parameters) are quantized for on-premises deployment; LoRA fine-tuning on curated vulnerable/fixed code pairs reduces unnecessary edits and improves patch fidelity. Structured prompts yield machine-parseable outputs suitable for CI/CD integration.
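To make the loop concrete, the following is a minimal Python sketch of steps (1)-(4). The Bandit invocation (`bandit -f json -q`) and the `results` key of its JSON report are the tool's actual interface; `query_local_llm` and the JSON reply schema it is asked to produce are illustrative placeholders for whichever local inference backend (e.g., llama.cpp or Ollama) serves the quantized model.

```python
# Minimal sketch of the detect-repair-validate loop.
# `query_local_llm` is a hypothetical stand-in for a local inference call.
import json
import pathlib
import subprocess

MAX_ITERATIONS = 3  # matches the ~3-iteration convergence reported in Results

def run_bandit(path: str) -> list[dict]:
    """Run Bandit with JSON output and return its list of findings."""
    proc = subprocess.run(
        ["bandit", "-f", "json", "-q", path],
        capture_output=True, text=True,
    )
    return json.loads(proc.stdout).get("results", [])

def query_local_llm(prompt: str) -> dict:
    """Hypothetical local-LLM call; must return {'patched_source', 'explanation'}."""
    raise NotImplementedError("wire up llama.cpp / Ollama / vLLM here")

def repair_file(path: str) -> list[str]:
    explanations = []
    for _ in range(MAX_ITERATIONS):
        findings = run_bandit(path)
        if not findings:
            break  # converged: Bandit re-validation passes
        source = pathlib.Path(path).read_text()
        prompt = (
            "Fix only the flagged issues; keep the patch minimal.\n"
            f"Bandit findings: {json.dumps(findings)}\n"
            f"Source:\n{source}\n"
            'Reply as JSON: {"patched_source": ..., "explanation": ...}'
        )
        reply = query_local_llm(prompt)
        pathlib.Path(path).write_text(reply["patched_source"])
        explanations.append(reply["explanation"])
    return explanations
```

Capping the loop at three iterations mirrors the convergence behavior reported below; in practice the limit guards against oscillating patches that never satisfy re-validation.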
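The LoRA fine-tuning step could be configured as in the sketch below using the Hugging Face `peft` library. The rank, scaling factor, dropout, and target modules are typical values assumed for illustration (the text does not fix them), and the model identifier is a placeholder for any sub-8B causal LM.

```python
# Illustrative LoRA configuration for parameter-efficient fine-tuning on
# vulnerable/fixed code pairs; hyperparameters are assumptions, not the
# paper's reported settings.
from peft import LoraConfig, get_peft_model
from transformers import AutoModelForCausalLM

base = AutoModelForCausalLM.from_pretrained("local-model-under-8b")  # placeholder

lora = LoraConfig(
    r=16,                                  # low-rank dimension of adapter matrices
    lora_alpha=32,                         # scaling applied to adapter output
    lora_dropout=0.05,
    target_modules=["q_proj", "v_proj"],   # attention projections, a common choice
    task_type="CAUSAL_LM",
)

model = get_peft_model(base, lora)
model.print_trainable_parameters()  # typically <1% of base weights are trained
```

Because only the small adapter matrices are updated, fine-tuning and on-premises deployment remain feasible on modest hardware, consistent with the local, privacy-preserving design.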
Results
Across synthetic and real CVE datasets, SecureFixAgent reduces false positives by 10.8% relative to static analysis alone and, compared with pre-trained LLMs, improves fix accuracy by 13.51% while lowering false positives by 5.46%, converging in roughly three iterations on average. Developer evaluations highlight high explanation quality (4.5/5), supporting human trust and adoption in pipelines.