A Practical Framework for Security-Focused Static Code Review in CI/CD Pipelines
FAHOUD, ARWA
2024/2025
Abstract
The increasing complexity of modern software systems and the widespread use of Continuous Integration and Continuous Deployment (CI/CD) pipelines have emphasized the need for intelligent and automated approaches to security-focused code reviews. Traditional static analysis tools often suffer from limited contextual understanding and high false positive rates, which reduce their effectiveness in real-world development environments. This thesis presents a practical AI-driven framework for security-focused static code review in CI/CD pipelines. The proposed system uses a reasoning model to perform static analysis across the code base, scanning each file and generating a structured JSON report containing all detected security issues. Each finding includes a detailed description, the vulnerable code snippet, and recommendations for mitigation. This work also introduces a coding agent that applies a reasoning model to re-evaluate each issue in the full context of the code base. This agent classifies issues into true positives and false positives, further categorizes true positives into bad design or exploitable vulnerabilities, and provides potential exploitation scenarios for the latter. By combining reasoning capabilities with static analysis, this framework enhances the accuracy, contextual awareness, and practical relevance of automated security reviews. Integrated within CI/CD pipelines, it offers developers a scalable and adaptive solution for continuous software security assurance.

| File | Size | Format |
|---|---|---|
| Fahoud_Arwa.pdf (restricted access) | 2.48 MB | Adobe PDF |
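The abstract describes a two-stage flow: a scanner emits a JSON report of findings, and an agent re-evaluates each one as a false positive, bad design, or an exploitable vulnerability. The following is an added example (not the thesis's code) of how a CI gate can merge the two outputs and fail closed on anything exploitable or never re-evaluated; the field names, verdict labels and sample data are assumptions.

```python
"""CI gate for the two-stage review in the abstract: stage-1 scanner JSON plus
stage-2 agent verdicts decide whether the build proceeds. Added example; the
field names and verdict labels are assumptions, not the thesis's schema."""
import json

FALSE_POSITIVE, BAD_DESIGN, EXPLOITABLE = "false_positive", "bad_design", "exploitable"
REQUIRED = ("id", "file", "description", "snippet", "recommendation")


def validate_report(report):
    """Return the findings list, rejecting entries that lack a required field."""
    findings = report.get("findings", [])
    for f in findings:
        missing = [k for k in REQUIRED if k not in f]
        if missing:
            raise ValueError(f"finding {f.get('id')!r} lacks {missing}")
    return findings


def gate(report, verdicts, fail_on_unreviewed=True):
    """Merge agent verdicts into the scanner report and return a gate decision.
    Exploitable true positives block the build; bad design only warns; false
    positives are suppressed but listed for audit. A finding the agent never
    re-evaluated is 'unreviewed' and, by default, also blocks (fail closed)."""
    summary = {k: [] for k in ("exploitable", "bad_design", "false_positive", "unreviewed")}
    for f in validate_report(report):
        cls = verdicts.get(f["id"], {}).get("class")
        bucket = cls if cls in (EXPLOITABLE, BAD_DESIGN, FALSE_POSITIVE) else "unreviewed"
        summary[bucket].append(f["id"])
    blocked = bool(summary["exploitable"]) or (fail_on_unreviewed and bool(summary["unreviewed"]))
    return {"passed": not blocked, **summary}


# Constructed sample data (not output of a real scan); F4 deliberately has no verdict.
SAMPLE_REPORT = json.loads("""{"findings": [
 {"id": "F1", "file": "app/db.py", "description": "SQL built by string concatenation",
  "snippet": "cur.execute(q + uid)", "recommendation": "use parameterised queries"},
 {"id": "F2", "file": "app/cache.py", "description": "MD5 used as cache checksum",
  "snippet": "hashlib.md5(blob)", "recommendation": "use SHA-256"},
 {"id": "F3", "file": "tests/fixtures.py", "description": "hard-coded credential",
  "snippet": "PASSWORD = 'test'", "recommendation": "load from the environment"},
 {"id": "F4", "file": "app/api.py", "description": "endpoint without authorisation check",
  "snippet": "def admin_reset(): ...", "recommendation": "enforce a role check"}]}""")
SAMPLE_VERDICTS = {
    "F1": {"class": EXPLOITABLE, "scenario": "request parameter reaches the query unescaped"},
    "F2": {"class": BAD_DESIGN, "scenario": "cache directory is not writable by untrusted users"},
    "F3": {"class": FALSE_POSITIVE, "scenario": "test fixture, never shipped"},
}
```

Running `gate(SAMPLE_REPORT, SAMPLE_VERDICTS)` returns `passed: False` with F1 under `exploitable` and F4 under `unreviewed`, so the build is blocked for two independent reasons.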
The text of this website © Università degli studi di Padova. Full texts are published under a non-exclusive license. Metadata are under a CC0 License.
https://hdl.handle.net/20.500.12608/98451