This paper explores research on Large Language Models (LLMs) integration into a DevSecOps pipeline for vulnerability detection in C/C++ code. We propose a two-stage model combining LLM-generated embeddings with a binary classifier trained to identify 18 Common Weakness Enumeration (CWE) categories. The model was deployed inside a GitHub Actions workflow, where it ran in parallel with standard SAST tools, analyzing code changes on a per-function basis. We conducted an empirical evaluation using over 500 labeled functions from two vulnerability datasets. Our results show that LLM-enhanced detection improves recall for complex vulnerabilities, outperforming traditional SAST tools in cases requiring higher-level reasoning. However, increased false-positive rates and computational costs introduce practical trade-offs. We discuss the implications of LLM integration in CI/CD environments, including pipeline optimization strategies, developer feedback mechanisms, and potential security risks associated with proprietary LLM models. This study contributes a framework for leveraging AI-driven security checks in modern DevSecOps pipelines, enhancing both security posture and developer efficiency.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Enhancing DevSecOps Through Large Language Model Integration: A Pipeline-Centric Approach

  • Maciej Kisielewicz,
  • Paweł Kotzbach,
  • Michał Kędziora

摘要

This paper explores research on Large Language Models (LLMs) integration into a DevSecOps pipeline for vulnerability detection in C/C++ code. We propose a two-stage model combining LLM-generated embeddings with a binary classifier trained to identify 18 Common Weakness Enumeration (CWE) categories. The model was deployed inside a GitHub Actions workflow, where it ran in parallel with standard SAST tools, analyzing code changes on a per-function basis. We conducted an empirical evaluation using over 500 labeled functions from two vulnerability datasets. Our results show that LLM-enhanced detection improves recall for complex vulnerabilities, outperforming traditional SAST tools in cases requiring higher-level reasoning. However, increased false-positive rates and computational costs introduce practical trade-offs. We discuss the implications of LLM integration in CI/CD environments, including pipeline optimization strategies, developer feedback mechanisms, and potential security risks associated with proprietary LLM models. This study contributes a framework for leveraging AI-driven security checks in modern DevSecOps pipelines, enhancing both security posture and developer efficiency.