Detecting Vulnerability-Inducing Commits via Multi-Stage Reasoning with LLM-Based Agents

📅 2026-07-06
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
Accurately identifying vulnerable-introducing commits (VICs) is highly challenging, as it requires semantic reasoning over heterogeneous data such as code diffs, commit messages, and contextual information. This work proposes VIC-RAGENT, the first VIC detection framework based on multi-agent collaboration and multi-stage progressive reasoning. It employs specialized large language model agents to perform structural analysis, intent understanding, and vulnerability checking, which collaboratively reason across three stages: initial screening, refined analysis, and final judgment. The approach achieves both high precision and strong interpretability, outperforming the strongest baseline by 1.2–1.7× in F1 score on real-world datasets and demonstrating robust performance across multiple large language models.
📝 Abstract
Detecting vulnerability-inducing commits (VICs) at submission time is critical for improving the security and reliability of software systems. However, this task is highly challenging because it requires reasoning about the semantic impact of code changes from heterogeneous information sources, including code diffs, commit messages, and the surrounding contextual code. Existing approaches often struggle to fully capture these complex interactions, resulting in limited detection performance. In this paper, we propose VIC-RAGENT, an LLM-based multi-agent framework for effective and explainable vulnerability detection. VIC-RAGENT leverages multiple specialized agents to provide complementary perspectives, including structural analysis, intent understanding, and vulnerability inspection. To further improve detection reliability, the framework employs a multi-stage reasoning process that progressively refines candidate vulnerabilities through preliminary inspection, reanalysis, and a final decision stage. Experimental results on a real-world dataset across multiple LLMs demonstrate that VIC-RAGENT consistently outperforms baselines, including Direct, CoT, and CodeAgent. Compared to the strongest baseline, VIC-RAGENT achieves 1.2-1.7x higher F1-scores across different models. Overall, VIC-RAGENT offers a robust, explainable, and practical solution for detecting VICs in modern software development workflows.
Problem

Research questions and friction points this paper is trying to address.

vulnerability-inducing commits
code vulnerability detection
software security
commit analysis
semantic reasoning
Innovation

Methods, ideas, or system contributions that make the work stand out.

LLM-based multi-agent
multi-stage reasoning
vulnerability-inducing commits
explainable detection
code change analysis