From Bugs to Breaches: How Agentic AI Protects the Software Supply Chain
DOI:
https://doi.org/10.63282/3050-9246/ICRTCSIT-108Keywords:
Agentic Artificial Intelligence (AI), Software Security, DevSecOps, Supply Chain Security, Secure Software Development Lifecycle (SDLC), Autonomous Agents, Large Language Models (LLMs), Vulnerability Detection, Code Remediation, Multi-Agent Systems, Secure-by-Design, Open Source Software (OSS) Security, Threat Intelligence Automation, AI-Driven Security, Cybersecurity AutomationAbstract
Modern software supply chains have become highly sophisticated, prospecting vulnerabilities at all points of the development and deployment lifecycle. From CI/CD pipelines to open-source components, security incidents frequently stem less from insufficient information than from inability to respond quickly and discerningly. Advances in Agentic Artificial Intelligence (AI) like autonomous reasoning, planning, and acting systems are transforming the ways in which software supply chains can be made more secure. Differing from passive anomaly discovery approaches using traditional machine learning, agentic AI systems actively discern, rank, and correct threats at the code, dependencies, and infrastructure configuration levels. This paper provides a systematic review of new Research and industry practice applying agentic AI to software protection. The paper explores primary uses for agentic AI in secure code analysis, open-source risk management, and incident response autonomy, while underscoring the technological, ethical, and governing troubles intrinsic to autonomy within security frameworks. Lastly, the paper sketches out future directions and outlines a conceptual roadmap for infusing agentic AI into DevSecOps ecosystems for the realization of proactive, resilient, self-healing, and robust protection for software
Downloads
References
[1] CISA, “Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise,” U.S. Cybersecurity and Infrastructure Security Agency, Dec. 2020. [Link]
[2] R. Hiesgen, M. Nawrocki, T. C. Schmidt, and M. Wählisch, “The Race to the Vulnerable: Measuring the Log4j Shell Incident,” arXiv preprint arXiv:2205.02544, 2022. [Link]
[3] P. Przymus and T. Durieux, “Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack,” arXiv preprint arXiv:2504.17473, 2025. [Link]
[4] R. Sapkota, K. Roumeliotis, and M. Karkee, “AI Agents vs. Agentic AI: A Conceptual Taxonomy, Applications and Challenges,” arXiv preprint arXiv:2505.10468, 2025. [Link]
[5] S. Yao, J. Zhao, D. Yu, N. Du, I. Shafran, K. Narasimhan, and Y. Cao, “ReAct: Synergizing Reasoning and Acting in Language Models,” in Proc. ICLR 2023, 2023. [Link]
[6] M. Wheatley, “Google Cloud bolsters cybersecurity with generative AI model Sec-PaLM,” SiliconANGLE, Apr. 2023. [Link]
[7] Microsoft, “Microsoft Copilot for Security is generally available on April 1, 2024, with new capabilities,” Microsoft Blog, Mar. 2024. [Link]
[8] GitHub, “GitHub for Beginners: Security best practices with GitHub Copilot,” GitHub Blog, 2024. [Link]
[9] Y. Lyu, H. Kang, R. Widyasari, J. Lawall, D. Lo, “Evaluating SZZ Implementations: An Empirical Study on the Linux Kernel,” arXiv preprint arXiv:2308.05060, 2023.. [Link]
[10] M. Esposito, V. Falaschi, and D. Falessi, “An Extensive Comparison of Static Application Security Testing Tools,” arXiv preprint arXiv:2403.09219, 2024. [Link]
[11] L. Zhao, S. Chen, Z. Xu, C. Liu, L. Zhang, J. Wu, J. Sun, and Y. Liu, “Software Composition Analysis for Vulnerability Detection: An Empirical Study on Java Projects,” in Proc. ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE ’23), 2023, 13 pp. [Link]
[12] A. Khraisat, I. Gondal, P. Vamplew, and J. Kamruzzaman , “Survey of intrusion detection systems: techniques, datasets and challenges,” Cybersecurity, vol. 2, no. 1, 2019, Art. 20. [Link]
[13] S. B. Chafjiri, et al., “Vulnerability detection through machine learning-based fuzzing: A systematic review,” Computers & Security, 2024. [Link]
[14] Z. Li, D. Zou, S. Xu, X. Ou, H. Jin, S. Wang, Z. Deng, and Y. Zhong, “VulDeePecker: A Deep Learning-Based System for Vulnerability Detection,” in Proc. NDSS, 2018. [Link]
[15] Z. Hu, R. Beuran, and Y. Tan, “Automated Penetration Testing Using Deep Reinforcement Learning,” in Proceedings of the IEEE European Symposium on Security and Privacy Workshops (EuroS&P Workshops), 2020. [Link]
[16] G. Palmer et al., “Deep Reinforcement Learning for Autonomous Cyber Defence: A Survey,” arXiv preprint arXiv:2310.07745, 2023. [Link]
[17] Y. Sun, D. Wu, Y. Xue, H. Liu, W. Ma, L. Zhang, Y. Liu, and Y. Li, “LLM4Vuln: A Unified Evaluation Framework for Decoupling and Enhancing LLMs’ Vulnerability Reasoning,” arXiv preprint arXiv:2401.16185, 2025. [Link]
[18] N. Rani and S. K. Shukla , AURA: A Multi-Agent Intelligence Framework for Knowledge-Enhanced Cyber Threat Attribution”, arXiv preprint arXiv:2506.10175, 2025. [Link]
[19] Thirunagalingam, A. (2024). AI-Powered Continuous Data Quality Improvement: Techniques, Benefits, and Case Studies. Benefits, and Case Studies (August 23, 2024).
[20] L. N. R. Mudunuri, V. M. Aragani, and P. K. Maroju, "Enhancing Cybersecurity in Banking: Best Practices and Solutions for Securing the Digital Supply Chain," Journal of Computational Analysis and Applications, vol. 33, no. 8, pp. 929-936, Sep. 2024.
[21] Mr. Anil Kumar Vadlamudi Venkata SK Settibathini, Dr. Sukhwinder Dr. Sudha Kiran Kumar Gatala, Dr. Tirupathi Rao Bammidi, Dr. Ravi Kumar Batchu. Navigating the Next Wave with Innovations in Distributed Ledger Frameworks. International Journal of Critical Infrastructures, PP 28, 2024. https://www.inderscience.com/info/ingeneral/forthcoming.php?jcode=ijcis
[22] Sehrawat, S. K., Dutta, P. K., Bhatia, A. B., & Whig, P. (2024). Predicting Demand in Supply Chain Networks With Quantum Machine Learning Approach. In A. Hassan, P. Bhattacharya, P. Dutta, J. Verma, & N. Kundu (Eds.), Quantum Computing and Supply Chain Management: A New Era of Optimization (pp. 33-47). IGI Global Scientific Publishing. https://doi.org/10.4018/979-8-3693-4107-0.ch002
[23] Mohanarajesh, Kommineni (2024). Generative Models with Privacy Guarantees: Enhancing Data Utility while Minimizing Risk of Sensitive Data Exposure. International Journal of Intelligent Systems and Applications in Engineering 12 (23):1036-1044.
