QASecClaw: A Multi-Agent LLM Approach for False Positive Reduction in Static Application Security Testing
Mohd Ruhul Ameen, Md Takrim Ul Alam, Akif Islam

TL;DR
QASecClaw enhances static application security testing by integrating multi-agent large language models, significantly reducing false positives and improving trustworthiness without sacrificing detection recall.
Contribution
It introduces a multi-agent LLM-based framework that effectively filters false positives in static security testing, outperforming traditional methods on OWASP Benchmark.
Findings
Achieved an F1 score of 90.93% on OWASP Benchmark.
Reduced false positives by 88.6%, from 560 to 64.
Maintained 96.9% recall despite filtering.
Abstract
Static Application Security Testing tools help developers find security vulnerabilities before release, but they often produce many false positives. This increases manual review effort, reduces developer trust, and may cause real vulnerabilities to be ignored among noisy reports. We present QASecClaw, a multi-agent approach that combines conventional Static Application Security Testing with contextual code review by a coding-specialized Large Language Model. A SAST engine first reports candidate vulnerabilities, and a Large Language Model-based SAST Filter Agent then reviews each finding with its source code context to decide whether it is likely to be a true positive or a false positive. QASecClaw is coordinated by a Mission Orchestrator and includes specialized agents for test planning, security validation, evidence correlation, filtering, and reporting. We evaluate QASecClaw on OWASP…
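The pipeline the abstract describes (SAST engine reports candidates, a filter agent reviews each one with source context, the reduced set is scored for precision and recall) can be sketched as follows. This is an added illustration, not code from the QASecClaw paper: the `heuristic_filter_agent` is a small rule-based stand-in for the paper's LLM agent, the `Finding` and `Verdict` types and the sample findings are constructed for this example, and the scoring assumes the SAST engine reported every real vulnerability in the sample, so recall is measured against the reported findings only.

```python
"""Toy SAST -> filter-agent -> scoring pipeline (added example, not QASecClaw's code)."""
from __future__ import annotations
from dataclasses import dataclass
import re


@dataclass
class Finding:
    """One candidate vulnerability as a SAST engine would report it (constructed)."""
    fid: str
    rule: str            # SAST rule that fired, e.g. "sqli"
    location: str        # file:line, constructed
    context: list[str]   # source lines the filter agent gets to see
    is_real: bool        # benchmark ground truth, used only for scoring


@dataclass
class Verdict:
    fid: str
    keep: bool           # True = agent judges the finding a likely true positive
    rationale: str


def heuristic_filter_agent(f: Finding) -> Verdict:
    """Stand-in for the LLM SAST Filter Agent (hypothetical, rule-based).

    It applies three contextual checks an SQL-injection review would make.
    Rules it has no check for are kept, so the filter fails toward recall.
    """
    src = "\n".join(f.context)
    if f.rule != "sqli":
        return Verdict(f.fid, True, "no specialised check for this rule; kept")
    tainted = "getParameter" in src or "request." in src
    parameterized = "PreparedStatement" in src and ".set" in src
    concatenated = re.search(r'"\s*\+\s*\w', src) is not None
    if not tainted:
        return Verdict(f.fid, False, "no request-derived input in context")
    if parameterized and not concatenated:
        return Verdict(f.fid, False, "query is parameterized")
    return Verdict(f.fid, True, "tainted data reaches a query built by concatenation")


def score(reported: list[Finding], total_real: int) -> dict:
    """Precision/recall/F1 of a report set against the ground-truth count."""
    tp = sum(1 for f in reported if f.is_real)
    fp = len(reported) - tp
    precision = tp / len(reported) if reported else 0.0
    recall = tp / total_real if total_real else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"tp": tp, "fp": fp, "precision": precision, "recall": recall, "f1": f1}


def run_pipeline(findings: list[Finding], agent=heuristic_filter_agent) -> dict:
    """Score the raw SAST report, apply the filter agent, score the kept set."""
    verdicts = [agent(f) for f in findings]
    kept = [f for f, v in zip(findings, verdicts) if v.keep]
    total_real = sum(1 for f in findings if f.is_real)  # assumption: SAST missed nothing
    return {"before": score(findings, total_real),
            "after": score(kept, total_real),
            "verdicts": verdicts}


# Constructed sample findings: four real SQL-injection/path bugs, three false positives.
SAMPLE_FINDINGS = [
    Finding("F1", "sqli", "Login.java:40", [
        'String name = request.getParameter("name");',
        'String q = "SELECT * FROM users WHERE name = \'" + name + "\'";',
        "ResultSet rs = stmt.executeQuery(q);"], True),
    Finding("F2", "sqli", "Search.java:22", [
        'String name = request.getParameter("name");',
        'PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name = ?");',
        "ps.setString(1, name);", "ResultSet rs = ps.executeQuery();"], False),
    Finding("F3", "sqli", "Health.java:10", [
        'String q = "SELECT 1";', "ResultSet rs = stmt.executeQuery(q);"], False),
    Finding("F4", "sqli", "Orders.java:77", [
        'String id = request.getParameter("id");',
        'String q = "SELECT * FROM orders WHERE id = " + id;',
        "stmt.execute(q);"], True),
    Finding("F5", "pathtraver", "Files.java:15", [
        'File f = new File(base, request.getParameter("p"));'], True),
    Finding("F6", "sqli", "Profile.java:31", [   # taint enters via a helper the agent cannot see
        "String name = lookupName();",
        'String q = "SELECT * FROM users WHERE name = \'" + name + "\'";',
        "ResultSet rs = stmt.executeQuery(q);"], True),
    Finding("F7", "sqli", "Audit.java:58", [     # safe, but a log line trips the concatenation check
        'String name = request.getParameter("name");',
        'log.info("lookup for user=" + name);',
        'PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name = ?");',
        "ps.setString(1, name);"], False),
]

if __name__ == "__main__":
    result = run_pipeline(SAMPLE_FINDINGS)
    for stage in ("before", "after"):
        print(stage, {k: round(v, 3) for k, v in result[stage].items()})
    for v in result["verdicts"]:
        print(v.fid, "keep" if v.keep else "drop", "-", v.rationale)
```

On the sample, filtering removes two of the three false positives but also drops F6, whose taint source lies outside the context window; that is the recall cost the paper's evaluation has to measure, and why the amount of source context handed to the filter agent matters as much as the agent itself.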
