In the modern era of ubiquitous and highly interconnected information technology, cybersecurity threats stemming from software code vulnerabilities have become increasingly severe, posing significant risks to the confidentiality, integrity, and availability of modern information systems. To enhance software code quality, enterprises often integrate static code analysis tools into Continuous Integration (CI) pipelines. However, the high rates of false positives and false negatives remain a challenge. The advent of large language models (LLMs), such as ChatGPT, presents a new opportunity to address these challenges. In this paper, we propose AI-SCDF, a framework that utilizes the custom-built Nebula-Coder AI model for detecting and fixing code security issues in real time during the developer’s personal build process. We construct a static code checking rule knowledge base through summarizing and classifying Common Weakness Enumeration (CWE) code security problems identified by security and quality assurance teams. The rule knowledge base is combined with CodeFuse-processed code contexts to serve as input for an AI code security detection microservice, which assists in identifying code quality and security issues. If any abnormalities are detected, they are addressed by an AI code security patching microservice, which alerts the developer and requests confirmation before committing the code into the repository. Experimental results show that our approach effectively improves code quality. We also develop a VSCode plugin for code alert detection and fix based on LLMs, which facilitates test shift-left and lowers the risk of software development.
