Current large language model (LLM)-driven static application security testing (SAST) approaches face significant challenges—including high false positive rates, hallucinations, shallow reasoning, and substantial computational overhead—primarily due to inadequate integration with conventional SAST tools, hindering their industrial adoption. This work proposes a novel LLM-centric SAST paradigm that introduces a multi-agent collaborative framework specifically designed for vulnerability detection. By deeply integrating end-to-end supply chain analysis, retrieval-augmented generation (RAG), and ReAct-based reasoning with mainstream SAST tools, the proposed method substantially improves true vulnerability detection rates while significantly reducing both false positives and runtime costs. The approach has already led to the discovery of multiple critical zero-day vulnerabilities assigned CVE identifiers.

Recent advancements in Large Language Models (LLMs) have sparked interest in their application to Static Application Security Testing (SAST), primarily due to their superior contextual reasoning capabilities compared to traditional symbolic or rule-based methods. However, existing LLM-based approaches typically attempt to replace human experts directly without integrating effectively with existing SAST tools. This lack of integration results in ineffectiveness, including high rates of false positives, hallucinations, limited reasoning depth, and excessive token usage, making them impractical for industrial deployment. To overcome these limitations, we present a paradigm shift that reorchestrates the SAST workflow from current LLM-assisted structure to a new LLM-centered workflow. We introduce Argus (Agentic and Retrieval-Augmented Guarding System), the first multi-agent framework designed specifically for vulnerability detection. Argus incorporates three key novelties: comprehensive supply chain analysis, collaborative multi-agent workflows, and the integration of state-of-the-art techniques such as Retrieval-Augmented Generation (RAG) and ReAct to minimize hallucinations and enhance reasoning. Extensive empirical evaluation demonstrates that Argus significantly outperforms existing methods by detecting a higher volume of true vulnerabilities while simultaneously reducing false positives and operational costs. Notably, Argus has identified several critical zero-day vulnerabilities with CVE assignments.