pith. sign in

arxiv: 2501.18160 · v3 · pith:YAXXFRAXnew · submitted 2025-01-30 · 💻 cs.SE · cs.PL

RepoAudit: An Autonomous LLM-Agent for Repository-Level Code Auditing

classification 💻 cs.SE cs.PL
keywords repoauditcodeauditingbugsagentanalyzingautonomousdata-flow
0
0 comments X
read the original abstract

Code auditing is the process of reviewing code with the aim of identifying bugs. Large Language Models (LLMs) have demonstrated promising capabilities for this task without requiring compilation, while also supporting user-friendly customization. However, auditing a code repository with LLMs poses significant challenges: limited context windows and hallucinations can degrade the quality of bug reports, and analyzing large-scale repositories incurs substantial time and token costs, hindering efficiency and scalability. This work introduces an LLM-based agent, RepoAudit, designed to perform autonomous repository-level code auditing. Equipped with agent memory, RepoAudit explores the codebase on demand by analyzing data-flow facts along feasible program paths within individual functions. It further incorporates a validator module to mitigate hallucinations by verifying data-flow facts and checking the satisfiability of path conditions associated with potential bugs, thereby reducing false positives. RepoAudit detects 40 true bugs across 15 real-world benchmark projects with a precision of 78.43%, requiring on average only 0.44 hours and $2.54 per project. Also, it detects 185 new bugs in high-profile projects, among which 174 have been confirmed or fixed. We have open-sourced RepoAudit at https://github.com/PurCL/RepoAudit.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 12 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Refute-or-Promote: An Adversarial Stage-Gated Multi-Agent Review Methodology for High-Precision LLM-Assisted Defect Discovery

    cs.CR 2026-04 unverdicted novelty 7.0

    Refute-or-Promote applies adversarial multi-agent review with kill gates and empirical verification to filter LLM defect candidates, killing 79-83% before disclosure and yielding 4 CVEs plus multiple accepted fixes ac...

  2. An End-to-End Approach for Fixing Concurrency Bugs via SHB-Based Context Extractor

    cs.SE 2026-04 unverdicted novelty 7.0

    ConFixAgent repairs diverse concurrency bugs end-to-end by using Static Happens-Before graphs to extract relevant code context for LLMs, outperforming prior tools in benchmarks.

  3. Finding Memory Leaks in C/C++ Programs via Neuro-Symbolic Augmented Static Analysis

    cs.SE 2026-03 unverdicted novelty 7.0

    MemHint combines LLM classification of custom memory functions with Z3 path validation to augment CodeQL and Infer, detecting 52 memory leaks (49 confirmed) across 3.4M LOC versus 19 and 3 by vanilla tools.

  4. Antaeus: Hunting Repository-Level Logic Vulnerabilities via Context-Grounded LLM Reasoning

    cs.CR 2026-07 unverdicted novelty 6.0

    Antaeus detects 15 logic vulnerabilities across 28 repositories via a pipeline of function prioritization, repository-level LLM reasoning, and comparative validation, outperforming baselines at similar cost.

  5. Revelio: Cost-Efficient Agentic Memory Safety Vulnerability Detection For Repository-Scale Codebases

    cs.CR 2026-06 unverdicted novelty 6.0

    Revelio combines LLMs, static analysis, and sanitizer-verified PoVs to scalably discover memory safety vulnerabilities in repository-scale code, finding 19 new bugs in long-fuzzed projects at low cost.

  6. Veritas: A Semantically Grounded Agentic Framework for Memory Corruption Vulnerability Detection in Binaries

    cs.SE 2026-05 unverdicted novelty 6.0

    Veritas detects memory corruption vulnerabilities in stripped binaries by combining static value-flow slicing, dual-view LLM reasoning, and multi-agent runtime validation, reporting 90% recall, zero false positives on...

  7. Agentic Repository Mining: A Multi-Task Evaluation

    cs.SE 2026-05 unverdicted novelty 6.0

    LLM agents dynamically exploring repositories via bash commands achieve competitive accuracy to context-provided LLMs across four classification tasks, with superior robustness to artifact size.

  8. How Compliant Are GitHub Actions Workflows? A Checklist-Based Study with LLM-Assisted Auditing

    cs.SE 2026-05 accept novelty 6.0

    GitHub Actions workflows achieve only 28% overall compliance with best practices, with LLMs enabling an 81% reduction in verification effort via hybrid adjudication but still requiring expert oversight for security judgments.

  9. PrismaDV: Automated Task-Aware Data Unit Test Generation

    cs.LG 2026-04 unverdicted novelty 6.0

    PrismaDV generates task-aware data unit tests by jointly analyzing downstream code and dataset profiles, outperforming task-agnostic baselines on new benchmarks spanning 60 tasks, with SIFTA enabling automatic prompt ...

  10. BugScope: Learn to Find Bugs Like Human

    cs.SE 2025-07 conditional novelty 6.0

    BugScope structures LLM bug detection into three human-mirroring steps and distills guidelines from examples, reaching 0.87 F1 on 33 real bugs while outperforming Claude and Cursor tools and uncovering 184 new issues ...

  11. Evaluating LLMs for Real-World Web Vulnerability Detection

    cs.CR 2026-06 unverdicted novelty 5.0

    Frontier LLMs detect up to 63% of web vulnerabilities in WordPress plugins with scoped prompts outperforming open-ended ones, but all show low consistency across runs and miss some baseline issues.

  12. VulWeaver: Weaving Broken Semantics for Grounded Vulnerability Detection

    cs.SE 2026-04 unverdicted novelty 5.0

    VulWeaver improves Java vulnerability detection to 0.75 F1 by enhancing dependency graphs with LLM semantic fixes, extracting full context from slices plus implicit usage info, and applying type-specific meta-promptin...