VulnAgent-X: A Layered Agentic Framework for Repository-Level Vulnerability Detection
Renwei Meng, Haoyi Wu, Jingming Wang, Haoyan Bai

TL;DR
VulnAgent-X introduces a layered, evidence-driven framework for repository-level vulnerability detection that outperforms existing static and encoder-based methods by improving accuracy, reducing false positives, and providing interpretable results.
Contribution
The paper presents VulnAgent-X, a novel layered agentic framework that enhances vulnerability detection through staged analysis, evidence fusion, and dynamic verification in repository contexts.
Findings
Outperforms static and encoder-based baselines
Reduces false positives in vulnerability detection
Provides interpretable, repository-level security analysis
Abstract
Software vulnerability detection is critical in software engineering as security flaws arise from complex interactions across code structure, repository context, and runtime conditions. Existing methods are limited by local code views, one-shot prediction, and insufficient validation, reducing reliability in realistic repository-level settings. This study proposes VulnAgent-X, a layered agentic framework integrating lightweight risk screening, bounded context expansion, specialised analysis agents, selective dynamic verification, and evidence fusion into a unified pipeline. Experiments on function-level and just-in-time vulnerability benchmarks show VulnAgent-X outperforms static baselines, encoder-based models, and simpler agentic variants, with better localisation and balanced performance-cost trade-offs. Treating vulnerability detection as a staged, evidence-driven…
Taxonomy
Topics: Software Engineering Research · Information and Cyber Security · Web Application Security Vulnerabilities
