MalCodeAI: Autonomous Vulnerability Detection and Remediation via Language Agnostic Code Reasoning
Jugal Gajjar, Kamalasankari Subramaniakuppusamy, and Noha El Kachach

TL;DR
MalCodeAI is an AI-driven, language-agnostic system that autonomously detects and remediates software vulnerabilities across multiple programming languages, enhancing security with high accuracy and developer-friendly explanations.
Contribution
This paper introduces MalCodeAI, a novel multi-stage AI pipeline that combines code decomposition and semantic reasoning for autonomous vulnerability detection and remediation across 14 languages.
Findings
Achieved validation loss of 0.397 in code summarization phase.
Achieved validation loss of 0.199 in vulnerability detection and remediation.
High developer approval scores for usefulness and interpretability.
Abstract
The growing complexity of cyber threats and the limitations of traditional vulnerability detection tools necessitate novel approaches for securing software systems. We introduce MalCodeAI, a language-agnostic, multi-stage AI pipeline for autonomous code security analysis and remediation. MalCodeAI combines code decomposition and semantic reasoning using fine-tuned Qwen2.5-Coder-3B-Instruct models, optimized through Low-Rank Adaptation (LoRA) within the MLX framework, and delivers scalable, accurate results across 14 programming languages. In Phase 1, the model achieved a validation loss as low as 0.397 for functional decomposition and summarization of code segments after 200 iterations, 6 trainable layers, and a learning rate of 2 x 10^(-5). In Phase 2, for vulnerability detection and remediation, it achieved a best validation loss of 0.199 using the same number of iterations and…
