Skip to content

[FEAT] Implement AI-assisted context analysis for false positive reduction #1719

Description

@S0412-2007

Summary

Integrate an LLM-powered context analysis engine into the SecuScan pipeline to automatically triage static analysis results, significantly reducing false positives and providing developers with actionable remediation context.

Problem

Currently, SecuScan relies strictly on AST (Abstract Syntax Tree) pattern matching and regex-based rules to detect vulnerabilities. While fast, this approach generates a high volume of false positives because it lacks semantic understanding of data flow and business logic. Developers are experiencing "alert fatigue," causing them to ignore critical vulnerabilities buried in the noise. We need a secondary validation layer that understands code context.

Proposed solution

Introduce a TriageEngine module that intercepts vulnerability findings before they are reported to the user.

Context Extraction: When a potential vulnerability is flagged (e.g., SQL Injection), the engine will extract the surrounding code context, variable definitions, and data flow paths.
Data Sanitization: Strip or mask any PII, secrets, or hardcoded credentials from the extracted code payload to ensure privacy before external processing.
LLM Evaluation: Send the sanitized context to an LLM provider (e.g., OpenAI API or local Ollama instance) with a strict prompt evaluating if the input is actually sanitized or if the execution path is reachable.
Confidence Scoring: Return a confidence score (0-100%) and a brief explanation. Findings below a certain threshold are suppressed or marked as "Likely False Positive".
UI Update: Display the AI confidence score and explanation in the SecuScan dashboard.

Suggested scope

backend/src/analysis/triage_engine.py (New module for AI triaging)
backend/src/integrations/llm_client.py (Abstraction layer for LLM API calls)
backend/src/utils/data_scrubber.py (Logic to mask secrets/PII before API calls)
backend/src/models/scan_report.py (Update schema to include ai_confidence and ai_explanation)
frontend/src/components/ScanResults/VulnerabilityCard.tsx (UI component to display AI verdict)

Acceptance criteria

[ ] TriageEngine successfully intercepts standard SAST findings before they hit the database.
[ ] data_scrubber.py correctly masks environment variables, API keys, and user emails in the code payload.
[ ] LLM client supports fallback (e.g., if OpenAI API fails, gracefully degrade to standard reporting without crashing the scan).
[ ] Database schema is migrated to store ai_confidence_score (float) and ai_reasoning (text).
[ ] Findings with a confidence score < 30% are automatically flagged as "Suppressed" in the dashboard.
[ ] Frontend displays a clear "AI Analysis" badge with a tooltip containing the LLM's reasoning.
[ ] Unit tests achieve >85% coverage for the new triage and scrubber modules.

Test plan

Unit Tests: Mock the LLM API responses (success, timeout, malformed JSON) and verify the engine handles all states gracefully.
Security Test: Run a scan on a test repo containing hardcoded AWS keys. Verify via network mocking that the keys are scrubbed before the payload is sent to the LLM endpoint.
Integration Test: Run SecuScan against a known vulnerable repository (e.g., OWASP Juice Shop codebase). Compare the number of reported vulnerabilities before and after the AI triage engine is enabled. Verify false positive reduction.
UI Test: Verify the "AI Analysis" badge and tooltip render correctly on both light and dark modes, and handle long text gracefully.

Alternatives considered

Custom Taint Analysis Engine: Instead of using an LLM, we considered building a traditional taint analysis engine that tracks data flow from source to sink.
Tradeoff: While highly accurate and deterministic, building and maintaining language-specific taint analysis (especially for complex frameworks) is extremely engineering-heavy and would drastically increase scan execution time.
Community-Driven Suppression Rules: Creating a shared repository of suppressions (similar to SonarQube's issue suppression) where users can upvote/downvote false positives.
Tradeoff: This pushes the burden of triage onto the community and requires a "cold start" period with a lot of manual noise before it becomes useful. It also doesn't adapt to proprietary code patterns unique to individual organizations.
Local/Private LLMs Only: Running an open-weights model (e.g., Llama 3 8B) locally via Ollama to avoid sending code externally.
Tradeoff: Maximizes privacy, but local models require significant hardware resources on the user's machine, slowing down the scan. The proposed hybrid approach (scrubbing data + allowing API configuration) balances performance and privacy better.

Additional context

Privacy & Compliance: Sending code context to third-party LLMs (like OpenAI) requires strict data sanitization. The data_scrubber.py module must be tested against standard PII and secret regex patterns. For enterprise users, a configuration flag (use_local_llm_only) should be exposed in settings to ensure SOC2/GDPR compliance if required.
Cost Management: LLM API calls will incur costs and add latency. We should implement a batch-processing mechanism where multiple findings from a single file are sent in one API request, rather than making a request per finding.
Architecture Flow Diagram: [SAST Engine] -> [Raw Findings] -> [Data Scrubber] -> [LLM Triage Engine] -> [Database/Report]
Future Scope: In a future iteration, we can use the LLM's confidence scores to fine-tune a smaller, faster local model specifically for SecuScan's codebase, reducing reliance on external APIs.

Metadata

Metadata

Assignees

No one assigned

    Labels

    priority:mediumImportant issue with normal urgencytype:featureFeature work category bonus label

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions