FrontierNews.ai

How Security Scanners Are Using AI Agents to Cut False Positives by 20 Percent

A new open-source security scanner called AgentGG is using AI agents to dramatically reduce the noise in code vulnerability detection, cutting false positives by 10 to 20 percent compared to traditional static analysis tools. Instead of handing developers long lists of potential issues to manually sort through, AgentGG's AI agents read the code, follow imports through the codebase, trace function calls, and confirm findings before reporting them.

The tool represents a shift in how security teams approach vulnerability scanning. For years, static analysis tools have worked by matching source code against known-bad patterns, then leaving engineers to triage the results. AgentGG flips that workflow by adding reasoning on top of pattern matching, which means fewer false alarms and more time spent on real security issues.

How Does AgentGG's AI Agent Approach Work?

AgentGG runs security checks through a series of phases, each designed to focus the analysis and reduce wasted effort. The process begins with a fast reconnaissance pass that surveys the entire project, building a brief on what the codebase does and how it's structured. This orientation step helps every agent that follows understand the context before diving into specific security checks.

After reconnaissance, agents run in parallel, each one a tool-enabled investigation that can follow imports and trace callers to confirm a finding before flagging it. An optional validation pass then re-reads the source code behind each finding, consulting a pentest scope document if one is provided, and labels it as confirmed, false-positive, out-of-scope, or uncertain. A final scoring pass attaches a CVSS severity rating, which is the standard severity scale used across the security industry.

  • Reconnaissance Phase: Surveys the project to identify languages, frameworks, and dependencies, then uses this information to decide which agents are worth running.
  • Parallel Agent Execution: Each agent investigates specific security patterns independently, following code imports and function calls to confirm findings before reporting them.
  • Validation Pass: Re-reads source code behind each finding and labels it based on a security policy or pentest scope, reducing out-of-scope false positives.
  • Severity Scoring: Attaches CVSS 3.1 severity ratings to each confirmed finding for prioritization.

The tool includes a resume feature, meaning if a scan is interrupted, it picks up where it left off without re-scanning unchanged files. This saves time on large codebases and makes repeated scans more efficient.

What Model Options Does AgentGG Support?

AgentGG works with multiple AI providers, giving teams flexibility in how they run scans. The supported options include Anthropic, OpenAI, Ollama, AWS Bedrock, and Google Vertex AI. For teams concerned about cost or data privacy, Ollama stands out as a local option that runs at no cost and keeps all scanning data on your own machine.

The choice of which model to use depends on the type of vulnerability being scanned. Philip Garabandic, a security engineer at TikTok and lead maintainer of AgentGG, explained the tradeoff between cost and accuracy.

"We are finding that some bug classes do well with cheaper models and some do much better with frontier models. For example, secret keys and SQL injection risks, even Ollama can find those. If you are scanning for more complex security bugs or business logic bugs, you want a better model," Garabandic said.


This insight matters for teams building security automation. It means you don't need to pay for expensive cloud AI models for every scan. Simpler vulnerability classes can be caught reliably with free local models, while complex logic bugs might warrant a more capable model. The team is still researching how to optimize model selection for each bug class.

How Does AgentGG Reduce False Positives?

The validation phase is where AgentGG achieves its 10 to 20 percent reduction in false positives compared to tools like DeepSec. The key is that a second AI pass re-reads the source code for each finding and labels it based on context. If a pentest scope document is provided, the validator can mark findings that fall outside the engagement scope, preventing security teams from wasting time on out-of-scope issues.

Garabandic noted the measured impact of this approach: "We have done benchmarking against tools like DeepSec and we found more bugs and about 10-20% fewer false positives because we allow you to add pentest scope as part of the validation context." This combination of finding more real issues while cutting false alarms is what makes AgentGG stand out in a crowded field of security tools.
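The labelling step described above can be sketched as follows. This is an added example, not AgentGG's code: it shows how checking scope before trusting a finding changes what gets reported. The finding fields (`file`, `reread`), the scope format (`included`/`excluded` path globs) and the sample data are assumptions made for illustration, and the model's re-read verdict is stubbed as a field.

```javascript
// Added illustration; field names and the scope format are assumptions, not AgentGG's.
const LABELS = ["confirmed", "false-positive", "out-of-scope", "uncertain"];

// Turn a path glob into a RegExp: "*" stays inside one segment, "**" crosses segments.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  const body = escaped
    .replace(/\*\*/g, "\u0000") // placeholder so "**" survives the "*" pass
    .replace(/\*/g, "[^/]*")
    .replace(/\u0000/g, ".*");
  return new RegExp("^" + body + "$");
}

const matchesAny = (path, globs) => globs.some((g) => globToRegExp(g).test(path));

// Scope is decided first: an out-of-scope finding is never reported as confirmed,
// whatever the re-read of the source concluded.
function labelFinding(finding, scope) {
  if (scope) {
    const excluded = matchesAny(finding.file, scope.excluded);
    const included = scope.included.length === 0 || matchesAny(finding.file, scope.included);
    if (excluded || !included) return "out-of-scope";
  }
  if (finding.reread === "supported") return "confirmed";
  if (finding.reread === "refuted") return "false-positive";
  return "uncertain"; // the validator could not decide; leave it for a human
}

function triage(findings, scope) {
  const counts = Object.fromEntries(LABELS.map((l) => [l, 0]));
  const labelled = findings.map((f) => ({ ...f, label: labelFinding(f, scope) }));
  for (const f of labelled) counts[f.label] += 1;
  return { labelled, counts };
}

// Constructed sample data: "reread" stands in for the validator model's verdict.
const SAMPLE_FINDINGS = [
  { file: "src/api/users.js", rule: "sql-injection", reread: "supported" },
  { file: "src/api/search.js", rule: "sql-injection", reread: "refuted" },
  { file: "src/thirdparty/auth.js", rule: "hardcoded-secret", reread: "supported" },
  { file: "test/fixtures/keys.js", rule: "hardcoded-secret", reread: "supported" },
  { file: "src/billing/refund.js", rule: "business-logic", reread: "unclear" },
];
const SAMPLE_SCOPE = { included: ["src/**"], excluded: ["src/thirdparty/**"] };

console.log(triage(SAMPLE_FINDINGS, null).counts);         // no scope document
console.log(triage(SAMPLE_FINDINGS, SAMPLE_SCOPE).counts); // with scope document
```

Without a scope document the two findings in third-party and test-fixture code are reported as confirmed; with one, they are labelled out-of-scope and drop out of the engagement's triage queue.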


The official agent catalog goes through manual review before being released, similar to how Nuclei maintains its template repository. Agents that reach a user's machine come from that reviewed source, and users can also install custom agents in a separate directory. This two-tier approach balances security with flexibility.

How to Get Started with AgentGG

  • Installation: Install AgentGG globally via npm with a single command; requires Node.js 20 or later.
  • Configuration: Run a one-time setup wizard to write credentials to a config file, or use a one-shot flag for CI runs without saving credentials.
  • First Scan: Run a scan on your codebase; the tool downloads over 100 official agents from the agentgg-agents repository on the first run.
  • Results Review: Browse findings in a local web UI, filtered by severity, agent, or file; findings are stored as markdown files in an output directory.
  • CI Integration: Run AgentGG inside GitHub Actions on pull requests, scoped to the code diff for faster feedback.

AgentGG is available for free on GitHub under the Apache 2.0 license, making it accessible to teams of any size. The tool's ability to work with local models via Ollama means organizations can run security scans without sending code to cloud services or incurring per-token API costs.

The emergence of AI-powered security tools like AgentGG reflects a broader shift in how teams approach vulnerability detection. Rather than treating security scanning as a pattern-matching problem, these tools use reasoning to understand code context and reduce noise. For security teams drowning in false positives from traditional scanners, that shift could mean more time spent fixing real issues and less time chasing ghosts.