Enhancing DevSecOps Through Large Language Model Integration: A Pipeline-Centric Approach
摘要
This paper explores research on Large Language Models (LLMs) integration into a DevSecOps pipeline for vulnerability detection in C/C++ code. We propose a two-stage model combining LLM-generated embeddings with a binary classifier trained to identify 18 Common Weakness Enumeration (CWE) categories. The model was deployed inside a GitHub Actions workflow, where it ran in parallel with standard SAST tools, analyzing code changes on a per-function basis. We conducted an empirical evaluation using over 500 labeled functions from two vulnerability datasets. Our results show that LLM-enhanced detection improves recall for complex vulnerabilities, outperforming traditional SAST tools in cases requiring higher-level reasoning. However, increased false-positive rates and computational costs introduce practical trade-offs. We discuss the implications of LLM integration in CI/CD environments, including pipeline optimization strategies, developer feedback mechanisms, and potential security risks associated with proprietary LLM models. This study contributes a framework for leveraging AI-driven security checks in modern DevSecOps pipelines, enhancing both security posture and developer efficiency.