#AI/ML#SAST#Vulnerability Management#SonarQube

LLM-Driven SAST Finding Triage


Taming the SAST Alert Fatigue

Vulnerability management is often a game of "finding the needle in the haystack." By leveraging Large Language Models, I developed a system that acts as a first-tier security analyst.

The Problem

Traditional SAST tools are notoriously noisy. Developers often ignore security warnings when they are bombarded with false positives, leading to "alert fatigue."

The AI Solution

The Triage Agent doesn't just look at the line of code; it analyzes:

  1. Data Flow: Is the input actually coming from a user-controlled source?
  2. Sink Reachability: Does the untrusted data reach a dangerous function?
  3. Existing Sanitization: Is there an existing middleware or library handling the validation?

Process Flow

  1. SonarQube generates findings.
  2. Triage Agent pulls findings and relevant source code.
  3. LLM evaluates the risk and provides its reasoning.
  4. A Jira ticket is automatically created and assigned only for confirmed high-risk issues.

Result

We achieved an accuracy rate of over 92% in identifying true positives, significantly improving our remediation efficiency and strengthening our relationship with the engineering teams.

The Context

After deploying SonarQube across 50+ repositories, the security team was overwhelmed with over 5,000 findings, many of which were low-risk or false positives.

The Approach

Built an AI-assisted triage agent that consumes findings via API, analyzes the surrounding code context and data flow, and assigns a 'Probability of Exploitability' score.
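The pipeline sketched in the Process Flow above (pull findings, gather code context, ask the model the three data-flow questions, open a ticket only for confirmed high-risk issues) and the exploitability score described in this section can be demonstrated in one small program. The following is an added example, not the author's agent: the findings and source files are constructed inline, the field names mirror SonarQube's `/api/issues/search` response, the Jira body follows the REST create-issue shape with a placeholder project key, and the LLM is a pluggable callable stubbed with constructed verdicts so it runs offline. The decision thresholds and the fail-safe rule (model output that does not validate as strict JSON is never auto-actioned, it goes to a human) are my assumptions, not the page's.

```python
"""SAST finding triage: SonarQube finding -> code context -> LLM verdict -> Jira ticket.
Added example; SonarQube field names follow /api/issues/search, everything else is constructed."""
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed findings. Rule keys and messages are placeholders, not real Sonar rule ids.
FINDINGS = [
    {"key": "AX1", "rule": "constructed:SQLI", "component": "app:src/db.py", "line": 6,
     "severity": "BLOCKER", "message": "SQL query built from user-controlled data."},
    {"key": "AX2", "rule": "constructed:SQLI", "component": "app:src/report.py", "line": 5,
     "severity": "BLOCKER", "message": "SQL query built from user-controlled data."},
    {"key": "AX3", "rule": "constructed:CMDI", "component": "app:src/export.py", "line": 3,
     "severity": "CRITICAL", "message": "Make sure this command is not vulnerable to injection."},
]
# Constructed source files keyed by repository path (SonarQube components are "<projectKey>:<path>").
SOURCES = {
    "src/db.py": "from flask import request\nimport sqlite3\n\ndef lookup(conn):\n"
                 "    user_id = request.args.get('id')\n"
                 "    return conn.execute(f\"SELECT * FROM users WHERE id = {user_id}\")\n",
    "src/report.py": "ALLOWED = {'daily', 'weekly'}\ndef fetch(conn, period):\n"
                     "    if period not in ALLOWED:\n        raise ValueError(period)\n"
                     "    return conn.execute(f'SELECT * FROM report_{period}')\n",
    "src/export.py": "import subprocess\ndef export(path):\n"
                     "    subprocess.run(['tar', 'czf', 'out.tgz', path])\n",
}

def code_context(component: str, line: int, radius: int = 3) -> str:
    """Numbered window of source lines around the flagged line (step 2 of the flow)."""
    path = component.split(":", 1)[1]
    lines = SOURCES[path].splitlines()
    lo, hi = max(0, line - 1 - radius), min(len(lines), line + radius)
    return "\n".join(f"{i + 1:4d}: {lines[i]}" for i in range(lo, hi))

PROMPT = """You are a first-tier application security analyst.
Finding: {rule} at {component}:{line}
Tool message: {message}

Code context:
{context}

Answer in JSON only, with keys:
  user_controlled (bool): does the flagged value originate from a user-controlled source?
  sink_reachable (bool): does that value reach the dangerous sink without interruption?
  sanitized (bool): is there validation, encoding or parameterisation on the path?
  exploitability (number 0..1): probability that the finding is exploitable.
  reasoning (string): one paragraph.
"""

REQUIRED = {"user_controlled": bool, "sink_reachable": bool, "sanitized": bool,
            "exploitability": (int, float), "reasoning": str}

def parse_verdict(raw: str) -> Optional[dict]:
    """Strictly validate model output; anything unexpected returns None (sent to a human)."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(data, dict):
        return None
    for key, typ in REQUIRED.items():
        val = data.get(key)
        # isinstance(True, int) is True, so reject booleans where a number is expected.
        if not isinstance(val, typ) or (typ is not bool and isinstance(val, bool)):
            return None
    if not 0.0 <= data["exploitability"] <= 1.0:
        return None
    return data

def decide(data: dict, ticket_at: float = 0.8, dismiss_at: float = 0.2) -> str:
    """Assumed policy: ticket only when all three questions confirm risk and the score is high."""
    p = float(data["exploitability"])
    if data["user_controlled"] and data["sink_reachable"] and not data["sanitized"] and p >= ticket_at:
        return "ticket"
    if p <= dismiss_at and (not data["user_controlled"] or data["sanitized"] or not data["sink_reachable"]):
        return "dismiss"
    return "human_review"  # contradictory or borderline answers are not auto-actioned

@dataclass
class Verdict:
    decision: str                 # "ticket" | "dismiss" | "human_review"
    exploitability: Optional[float]
    reasoning: str

def triage(finding: dict, evaluate: Callable[[str], str]) -> Verdict:
    prompt = PROMPT.format(context=code_context(finding["component"], finding["line"]), **finding)
    data = parse_verdict(evaluate(prompt))
    if data is None:
        return Verdict("human_review", None, "model output failed validation")
    return Verdict(decide(data), float(data["exploitability"]), data["reasoning"])

def jira_payload(finding: dict, verdict: Verdict, project_key: str = "APPSEC") -> dict:
    """Jira REST create-issue body; project key and issue type are placeholders."""
    return {"fields": {"project": {"key": project_key}, "issuetype": {"name": "Bug"},
                       "summary": f"[SAST] {finding['rule']} in {finding['component']}:{finding['line']}",
                       "description": f"Exploitability {verdict.exploitability:.2f}\n\n{verdict.reasoning}"}}

def run(findings: list, evaluate: Callable[[str], str]):
    """Returns (ticket payloads, decision per finding key)."""
    tickets, decisions = [], {}
    for f in findings:
        v = triage(f, evaluate)
        decisions[f["key"]] = v.decision
        if v.decision == "ticket":
            tickets.append(jira_payload(f, v))
    return tickets, decisions

# Constructed stand-in for the LLM: canned verdicts, including one non-JSON reply.
STUB_VERDICTS = {
    "AX1": json.dumps({"user_controlled": True, "sink_reachable": True, "sanitized": False,
                       "exploitability": 0.93, "reasoning": "request.args flows unmodified into an f-string SQL query."}),
    "AX2": json.dumps({"user_controlled": False, "sink_reachable": True, "sanitized": True,
                       "exploitability": 0.05, "reasoning": "period is checked against an allow-list before use."}),
    "AX3": "Sure! Here is my analysis: the code looks risky...",
}

def stub_llm(prompt: str) -> str:
    for f in FINDINGS:
        if f"{f['component']}:{f['line']}" in prompt:
            return STUB_VERDICTS[f["key"]]
    raise ValueError("unknown prompt")

if __name__ == "__main__":
    tickets, decisions = run(FINDINGS, stub_llm)
    print(decisions)
    print(json.dumps(tickets, indent=2))
```

Replacing `stub_llm` with a real model call is the only change needed to run this against live output; the point of `parse_verdict` is that the model's answer is untrusted input to the pipeline, so a malformed or out-of-range verdict (AX3 above) lands in the human queue rather than silently dismissing or ticketing a finding.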

The Impact

Automated the triage of 85% of incoming SAST findings. Reduced the security team's manual triage effort from 20 hours/week to just 2 hours/week, allowing them to focus on complex, high-impact vulnerabilities.

© 2026 Anilkumar · Product Security Engineer