Google DeepMind Unveils AI Agent That Finds and Fixes Code Vulnerabilities

Published on Oct 10, 2025
Written by Mirren McDade

Google’s DeepMind has introduced a new AI-powered agent, CodeMender. The tool is designed to autonomously detect and repair security vulnerabilities in software, with the aim of reducing the time developers spend locating and patching them.

The announcement follows several other Google projects that use AI to manage software vulnerabilities. The company previously released the Big Sleep agent, which became the first AI agent to prevent a cyber-attack. It was able to identify and mitigate critical vulnerabilities in SQLite before they could be exploited and before SQLite users could be impacted.

With CodeMender, DeepMind aims to close the gap between the growing pace of vulnerability discovery and the slower process of patching. DeepMind notes that “As we achieve more breakthroughs in AI-powered vulnerability discovery, it will become increasingly difficult for humans alone to keep up.”

CodeMender uses the advanced reasoning abilities of the latest Gemini models to identify and repair complex vulnerabilities. The agent is equipped with powerful tools that allow it to analyze code before applying fixes, while automatically verifying that those changes are accurate and do not risk introducing new issues.

The agent is capable of reasoning about code (meaning it can understand and predict a program’s behavior without executing it) and of validating its fixes through advanced program analysis and multi-agent systems. These draw on techniques such as static and dynamic analysis, fuzzing, differential testing, and SMT solvers to pinpoint the root causes of vulnerabilities and architectural weaknesses, rather than only their symptoms.

“We developed special-purpose agents that enable CodeMender to tackle specific aspects of an underlying problem. For example, CodeMender uses a large language model-based critique tool that highlights the differences between the original and modified code in order to verify that the proposed changes do not introduce regressions, and self-correct as needed,” DeepMind said.

Over the past six months, CodeMender has delivered 72 security fixes to open-source projects, including some with as much as 4.5 million lines of code.

The ambition for CodeMender is that it will operate alongside and support human developers rather than replace them. By taking on the time-consuming and high-risk work of patching vulnerabilities and proactively securing code, the agent lets engineering teams concentrate on their main priorities: creating innovative features and developing robust, scalable systems.