Agentic SAST analyzes your entire codebase to identify logic flaws, authorization issues, and design failures that traditional security tools miss.

Agentic SAST vs Deterministic SAST

Agentic SAST is a separate agentic capability that runs independently of deterministic SAST. It works like the PR Review Agent, but over the full repository rather than a single pull request, and it adds the Repository Memory and Vuln Context components. The two pipelines produce findings differently:
  • Deterministic SAST: finds known vulnerability patterns quickly → False Positive Elimination filters the results
  • Agentic SAST: builds a repository map and analysis graphs first, then reviews the code with that context to find logic flaws, authorization issues, and design failures that pattern matching cannot express

Agentic SAST Components

Agentic SAST consists of two key components:

Repository Memory

Maintains a persistent understanding of your codebase structure, patterns, and relationships across scans. This enables the agent to:
  • Remember architectural decisions and patterns
  • Track how components interact over time
  • Learn from previous analysis cycles
  • Provide consistent analysis across scans

Vuln Context

Analyzes vulnerability context by understanding:
  • How vulnerabilities relate to your specific application architecture
  • Historical context of similar issues in your codebase
  • Business logic implications of security findings
  • Cross-file relationships and dependencies
These components work together to provide deep, contextual security analysis that traditional tools cannot match.
1. Build Repository Map

The agent creates a complete map of your application's structure, components, and the relationships between them.

2. Construct Analysis Graphs

The system builds dataflow and control flow graphs that show how data moves through your application and in what order code executes.

3. Analyze with Context

The agent reviews code file by file, using the repository map and the graphs to reason about security issues in the context of your specific application rather than in isolation.

4. Identify Vulnerabilities

The agent detects logic flaws, authorization issues, and design failures by understanding business logic and architectural patterns, including checks that are enforced in one file but bypassed in another.
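The steps above describe why repository-wide context matters: whether a sensitive operation is safe often depends on a check that lives in a different file. The following is an added illustration, not CodeThreat or CodeThreat-Hive code, of that idea in miniature. It parses a constructed three-file Python "repository" (embedded as strings), builds a call graph with source-ordered calls as a crude stand-in for the dataflow and control flow graphs, and reports every path from an entry point to a sensitive sink that is not preceded by an authorization guard. The sink set (`_issue_refund`), guard set (`require_admin`), entry points, and the single-namespace name resolution are all assumptions made for the example.

```python
"""Toy repository-level authorization-path check (added example, not product code)."""
import ast

# Constructed mini-repository: three files embedded as strings for an offline demo.
REPO = {
    "auth.py": """
def require_admin(user):
    if not user.is_admin:
        raise PermissionError("admin only")
""",
    "billing.py": """
from auth import require_admin

def refund(order_id, user):
    require_admin(user)          # guard runs before the sensitive call
    _issue_refund(order_id)

def _issue_refund(order_id):
    pass                         # stands in for the real payment side effect
""",
    "api.py": """
from billing import refund, _issue_refund

def refund_handler(request):
    return refund(request.order_id, request.user)

def bulk_refund_handler(request):
    for oid in request.order_ids:
        _issue_refund(oid)       # reaches the sink without any guard
""",
}

SENSITIVE_SINKS = {"_issue_refund"}   # assumed: functions with security-relevant side effects
AUTHZ_GUARDS = {"require_admin"}      # assumed: functions that enforce authorization
ENTRYPOINTS = ["refund_handler", "bulk_refund_handler"]


def callee_name(call):
    """Return the simple name a Call targets (foo() or obj.foo()), else None."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def build_call_graph(repo):
    """Map each top-level function name to its calls in source order: [(lineno, callee), ...].

    Assumption: function names are unique across the repository, so a bare name
    identifies one definition. A real engine resolves imports and scopes properly.
    """
    graph = {}
    for path, source in repo.items():
        tree = ast.parse(source, filename=path)
        for node in tree.body:
            if isinstance(node, ast.FunctionDef):
                calls = []
                for sub in ast.walk(node):
                    if isinstance(sub, ast.Call):
                        name = callee_name(sub)
                        if name:
                            calls.append((sub.lineno, name))
                graph[node.name] = sorted(calls)
    return graph


def unguarded_paths(graph, entry):
    """Return call paths from entry to a sink with no guard executed before the sink.

    Control flow is approximated by source order: a guard counts if it is called
    earlier in the same function than the call that continues the path, or in any
    caller higher up the path.
    """
    findings = []

    def walk(fn, guarded, path):
        calls = graph.get(fn, [])
        for lineno, callee in calls:
            guard_before = any(g in AUTHZ_GUARDS and ln < lineno for ln, g in calls)
            now_guarded = guarded or guard_before
            if callee in SENSITIVE_SINKS and not now_guarded:
                findings.append(path + [callee])
            elif callee in graph and callee not in path:   # skip cycles
                walk(callee, now_guarded, path + [callee])

    walk(entry, False, [entry])
    return findings


def analyze(repo, entrypoints):
    """Run the authorization-path check for every entry point in the repository."""
    graph = build_call_graph(repo)
    return [p for entry in entrypoints for p in unguarded_paths(graph, entry)]


if __name__ == "__main__":
    for path in analyze(REPO, ENTRYPOINTS):
        print("unguarded sink reached:", " -> ".join(path))
```

Run stand-alone, the script flags only `bulk_refund_handler -> _issue_refund`; `refund_handler` is accepted because the guard in `billing.py` executes before the sink. A scanner that looks at `api.py` alone cannot make that distinction: it sees two handlers calling into another module and has no way to know that one of those callees enforces the check and the other bypasses it.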

CodeThreat-Hive Framework

CodeThreat-Hive is the AI framework that powers agentic analysis. Its core ideas:
  • Repository Mapping: creates a complete understanding of application structure before analyzing individual files.
  • Graph-Based Analysis: builds dataflow and control flow graphs as the source of truth for understanding how your application executes.
  • Contextual Memory: carries context throughout the analysis, enabling agents to understand how components interact and where security issues exist.
  • Self-Reflective Agents: AI agents evaluate their own reasoning to maintain analysis depth while optimizing efficiency.

Language Support

CodeThreat uses tree-sitter grammars to parse source code for each target language into a syntax tree. This gives the analysis accurate, language-aware syntax information rather than regex-style matching on raw text.
The full list of supported languages will be published soon.

Next Steps