README.md

July 2, 2025 Β· View on GitHub

Awesome AI (Machine Learning / Deep Learning) For DevSecOps

Awesome


Recently, the advancement of artificial intelligence (AI) has revolutionized automation in various software domains, including software security. AI-driven security approaches, particularly those leveraging machine learning or deep learning, hold promise in automating security workflows. They could reduce manual efforts, which can be integrated into DevOps to ensure uninterrupted delivery speed and align with the DevSecOps paradigm simultaneously.

We identified 12 security tasks associated with the DevSecOps process and reviewed current AI-driven security approaches. Through this analysis, we uncovered 15 challenges faced by these approaches and outlined potential opportunities for future research.

Paper Collection

πŸ¦‰ Comprehensive resources for our AI for DevSecOps survey, authored by Michael Fu, Jirat Pasuksmit, and Chakkrit Tantithamthavorn

πŸ‘©β€πŸ”§ Please let us know if you notice any mistakes or have any suggestions!

πŸš€ If you find this resource helpful, please consider to star this repository and cite our survey paper:

@article{fu2025ai,
  title={Ai for devsecops: A landscape and future opportunities},
  author={Fu, Michael and Pasuksmit, Jirat and Tantithamthavorn, Chakkrit},
  journal={ACM Transactions on Software Engineering and Methodology},
  volume={34},
  number={4},
  pages={1--61},
  year={2025},
  publisher={ACM New York, NY}
}

πŸ“’ News

  • πŸ“Œ [January-16-2025] Just Accepted Version available on ACM Digital Library πŸ“
  • πŸ“Œ [December-11-2024] Our paper has been accepted for publication in the ACM Transactions on Software Engineering and Methodology (TOSEM)!
  • πŸ“Œ [August-23-2024] First revision of our AI4DevSecOps survey is completed
  • πŸ“Œ [April-07-2024] Our AI4DevSecOps survey (v1) is available on arXiv πŸ“

🀝 Contributing to Awesome-AI4DevSecOps

We welcome contributions from the community!

If you have a valuable resource, tool, or idea related to AI for DevSecOps, please submit your PR using the following template.

πŸ”₯ This is a great opportunity to share and promote your work, research, or projects with a wider audience!

# Description: [Briefly describe your contribution, its purpose, and relevance.]

# Type of Contribution
- [ ] Research Paper
- [ ] Dataset
- [ ] Tool/Library
- [ ] Tutorial/Guide
- [ ] Other (please specify):

# Paper/Resource Link: [Provide the link here]

We will review and merge your contribution if it is appropriate and relevant to our project.

Thank you for helping us improve Awesome-AI4DevSecOps!


Paper Collection Paper Collection

Current Landscape of AI-Driven Security Appoaches in DevSecOps (Section 4 in our paper)

Plan Plan

  • Threat Modeling

    • No Relevant Publications Identified Using Our Defined Search Strategy
  • Impact Analysis

    • No Relevant Publications Identified Using Our Defined Search Strategy

Dev Development

  • Software Vulnerability Detection (SVD)
    • Recurrent Neural Network (RNN)
      • Automatic feature learning for predicting vulnerable software components (TSE, 2018) πŸ“
      • Automated vulnerability detection in source code using deep representation learning (ICMLA, 2018) πŸ“
      • Vuldeepecker: A deep learning-based system for vulnerability detection (NDSS, 2018) πŸ“
      • Vuldeelocator: a deep learning-based fine-grained vulnerability detector (TDSC, 2021) πŸ“
      • VUDENC: vulnerability detection with deep learning on a natural codebase for Python (IST, 2022) πŸ“
    • Text Convolutional Neural Network (TextCNN)
      • A software vulnerability detection method based on deep learning with complex network analysis and subgraph partition (IST, 2023) πŸ“
    • Graph Neural Network (GNN)
      • Devign: Effective vulnerability identification by learning comprehensive program semantics via graph neural networks (NeurIPS, 2019) πŸ“
      • Bgnn4vd: Constructing bidirectional graph neural-network for vulnerability detection (IST, 2021) πŸ“
      • Deep learning based vulnerability detection: Are we there yet (TSE, 2021) πŸ“
      • Vulnerability detection with fine-grained interpretations (FSE, 2021) πŸ“
      • LineVD: Statement-level vulnerability detection using graph neural networks (MSR, 2022) πŸ“
      • mVulPreter: A Multi-Granularity Vulnerability Detection System With Interpretations (TDSC, 2022) πŸ“
      • VulChecker: Graph-based Vulnerability Localization in Source Code (USENIX, 2022) πŸ“
      • CPVD: Cross Project Vulnerability Detection Based On Graph Attention Network And Domain Adaptation (TSE, 2023) πŸ“
      • DeepVD: Toward Class-Separation Features for Neural Network Vulnerability Detection (ICSE, 2023) πŸ“
      • Learning Program Semantics for Vulnerability Detection via Vulnerability-Specific Inter-procedural Slicing (FSE, 2023) πŸ“
      • SedSVD: Statement-level software vulnerability detection based on Relational Graph Convolutional Network with subgraph embedding (IST, 2023) πŸ“
    • Node2Vec
      • Enhancing Deep Learning-based Vulnerability Detection by Building Behavior Graph Model (ICSE, 2023) πŸ“
    • Pre-trained Code Language Model (CLM) (Transformers)
      • Linevul: A transformer-based line-level vulnerability prediction (MSR, 2022) πŸ“
      • Vulnerability Detection by Learning from Syntax-Based Execution Paths of Code (TSE, 2023) πŸ“
    • LM + GNN
      • VELVET: a noVel Ensemble Learning approach to automatically locate VulnErable sTatements (SANER, 2022) πŸ“
      • Dataflow Analysis-Inspired Deep Learning for Efficient Vulnerability Detection (ICSE, 2023) πŸ“
Benchmarks used in evaluating AI-driven software vulnerability detection
BenchmarkYearGranularityProgramming LanguageReal-WorldSynthesis
Firefox2013FileC, C++βœ”
Android2014FileJavaβœ”
Draper2018FunctionC, C++βœ”βœ”
Vuldeepecker2018Code GadgetC, C++βœ”βœ”
Du et al.2019FunctionC, C++βœ”
Devign2019FunctionC, C++βœ”
FUNDED2020FunctionC, Java, Swift, PHPβœ”βœ”
Big-Vul2020Function/LineC, C++βœ”
Reveal2021FunctionC, C++βœ”
Cao et al.2021FunctionC, C++βœ”
D2A2021FunctionC, C++βœ”
Deepwukong2021FunctionC, C++βœ”βœ”
Vuldeelocator2021LineC, C++βœ”βœ”
VulCNN2022FunctionC, C++βœ”βœ”
VUDENC2022TokenPythonβœ”
DeepVD2023FunctionC, C++βœ”
VulChecker2023InstructionC, C++βœ”
  • Software Vulnerability Classification (SVC)
    • Machine Learning (ML)
      • Automation of vulnerability classification from its description using machine learning (ISCC, 2020) πŸ“
      • A machine learning approach to classify security patches into vulnerability types (CNS, 2020) πŸ“
    • RNN
      • Vuldeepecker: A deep learning-based system for vulnerability detection (NDSS, 2018) πŸ“
      • ΞΌVulDeePecker: A Deep Learning-Based System for Multiclass Vulnerability Detection (TDSC, 2019) πŸ“
    • Text Recurrent Convolutional Neural Network (TextRCNN)
      • DeKeDVer: A deep learning-based multi-type software vulnerability classification framework using vulnerability description and source code (IST, 2023) πŸ“
    • Vanilla Transformer
      • Towards Vulnerability Types Classification Using Pure Self-Attention: A Common Weakness Enumeration Based Approach (CSE, 2021) πŸ“
    • Pre-trained Language Model (LM) (Transformers)
      • V2w-bert: A framework for effective hierarchical multiclass classification of software vulnerabilities (DSAA, 2021) πŸ“
      • Prediction of Vulnerability Characteristics Based on Vulnerability Description and Prompt Learning (SANER, 2023) πŸ“
    • CLM
      • VulExplainer: A Transformer-based Hierarchical Distillation for Explaining Vulnerability Types (TSE, 2023) πŸ“
      • AIBugHunter: A Practical tool for predicting, classifying and repairing software vulnerabilities (EMSE, 2023) πŸ“
    • CLM + RNN
      • Fine-grained commit-level vulnerability type prediction by CWE tree structure (ICSE, 2023) πŸ“
Benchmarks used in evaluating AI-driven software vulnerability classification
BenchmarkYearGranularityProgramming LanguageReal-WorldSynthesis
ΞΌVulDeePecker2019Code GadgetC, C++βœ”βœ”
TreeVul2023CommitC, C++, Java, and Pythonβœ”
  • Automated Vulnerability Repair (AVR)
    • ML
      • Sqlifix: Learning based approach to fix sql injection vulnerabilities in source code (SANER, 2021) πŸ“
    • CNN
      • Coconut: combining context-aware neural translation models using ensemble for program repair (ISSTA, 2020) πŸ“
    • RNN
      • Sequencer: Sequence-to-sequence learning for end-to-end program repair (TSE, 2019) πŸ“
      • A controlled experiment of different code representations for learning-based program repair (EMSE, 2022) πŸ“
    • Tree-based RNN
      • Dlfix: Context-based code transformation learning for automated program repair (ICSE, 2020) πŸ“
    • GNN
      • Hoppity: Learning graph transformations to detect and fix bugs in programs (ICLR, 2020) πŸ“
    • Vanilla Transformer
      • A syntax-guided edit decoder for neural program repair (FSE, 2021) πŸ“
      • Neural transfer learning for repairing security vulnerabilities in c code (TSE, 2022) πŸ“
      • Seqtrans: automatic vulnerability fix via sequence to sequence learning (TSE, 2022) πŸ“
      • Tare: Type-aware neural program repair (ICSE, 2023) πŸ“
    • CLM
      • Cure: Code-aware neural machine translation for automatic program repair (ICSE, 2021) πŸ“
      • Applying codebert for automated program repair of java simple bugs (MSR, 2021) πŸ“
      • Tfix: Learning to fix coding errors with a text-to-text transformer (PMLR, 2021) πŸ“
      • VulRepair: a T5-based automated software vulnerability repair (FSE, 2022) πŸ“
      • Improving automated program repair with domain adaptation (TOSEM, 2022) πŸ“
      • Vision Transformer-Inspired Automated Vulnerability Repair (TOSEM, 2023) πŸ“
      • Enhancing Code Language Models for Program Repair by Curricular Fine-tuning Framework (ICSME, 2023) πŸ“
      • Pre-trained model-based automated software vulnerability repair: How far are we? (TDSC, 2023) πŸ“
      • Examining zero-shot vulnerability repair with large language models (SP, 2023) πŸ“
      • Inferfix: End-to-end program repair with llms (FSE, 2023) πŸ“
      • Unifying Defect Prediction, Categorization, and Repair by Multi-Task Deep Learning (ASE, 2023) πŸ“
Benchmarks used in evaluating AI-driven just-in-time (JIT) automated program/vulnerability repair
BenchmarkYearProgramming LanguageReal-WorldSynthesis
Defects4J2014Javaβœ”
ManyBugs2015Cβœ”
BugAID2016JavaScriptβœ”
QuixBugs2017Java, Pythonβœ”
CodeFlaws2017Cβœ”
Bugs.jar2018Javaβœ”
SequenceR2019Javaβœ”
Bugs2Fix2019Javaβœ”
ManySStuBs4J2020Javaβœ”
Hoppity2020JavaScriptβœ”
CodeXGLUE2021Javaβœ”βœ”
TFix2021JavaScriptβœ”
VRepair2022C, C++βœ”
Namavar et al.2022JavaScriptβœ”
Pearce et al.2023C, C++βœ”βœ”
Function-SStuBs4J2023Javaβœ”
InferFix2023Java, C#βœ”
  • Security Tools in IDEs
    • LM-based Security Tool
      • AIBugHunter: A Practical tool for predicting, classifying and repairing software vulnerabilities (EMSE, 2023) πŸ“

Commit Code Commit

  • Dependency Management

    • No Relevant Publications Identified Using Our Defined Search Strategy
  • CI/CD Secure Pipelines

    • ML
      • Improving missing issue-commit link recovery using positive and unlabeled data (ASE, 2017) πŸ“
      • MULTI: Multi-objective effort-aware just-in-time software defect prediction (IST, 2018) πŸ“
      • Class imbalance evolution and verification latency in just-in-time software defect prediction (ICSE, 2019) πŸ“
      • Fine-grained just-in-time defect prediction (JSS, 2019) πŸ“
      • Effort-aware semi-supervised just-in-time defect prediction (IST, 2020) πŸ“
      • Just-in-time defect identification and localization: A two-phase framework (TSE, 2020) πŸ“
      • Adapting bug prediction models to predict reverted commits at Wayfair (FSE, 2020) πŸ“
      • JITLine: A simpler, better, faster, finer-grained just-in-time defect prediction (MSR, 2021) πŸ“
      • Enhancing just-in-time defect prediction using change request-based metrics (SANER, 2021) πŸ“
    • Explainable AI (XAI) For ML
      • Pyexplainer: Explaining the predictions of just-in-time defect models (ASE, 2021) πŸ“
    • RNN
      • DeepLink: Recovering issue-commit links based on deep learning (JSS, 2019) πŸ“
      • Deeplinedp: Towards a deep learning approach for line-level defect prediction (TSE, 2022) πŸ“
    • Tree-based RNN
      • Lessons learned from using a deep tree-based model for software defect prediction in practice (MSR, 2019) πŸ“
    • Vanilla Transformer
      • Deep just-in-time defect localization (TSE, 2021) πŸ“
    • LM
      • BTLink: automatic link recovery between issues and commits based on pre-trained BERT model (EMSE, 2023) πŸ“
    • CLM
      • EALink: An Efficient and Accurate Pre-trained Framework for Issue-Commit Link Recovery (ASE, 2023) πŸ“
    • ML-based Just-In-Time (JIT) Software Defect Prediction (SDP) Tool
      • JITBot: an explainable just-in-time defect prediction bot (ASE, 2020) πŸ“
      • JITO: a tool for just-in-time defect identification and localization (FSE, 2020) πŸ“
    • ML-based Change Analysis Tool
      • Rex: Preventing bugs and misconfiguration in large services using correlated change analysis (USENIX, 2020) πŸ“
Benchmarks used in evaluating AI-driven just-in-time (JIT) software defect prediction
BenchmarkYearGranularityProgramming LanguageReal-WorldSynthesis
PROMISE2007CommitJavaβœ”
Kamei et al.2012CommitC, C++, Java, JavaScript, Perlβœ”
Qt & OpenStack2018Commit/LineC++, Pythonβœ”
Cabral et al.2019Commit/FileJava, JavaScript, Pythonβœ”
Yan et al.2020Commit/FileJavaβœ”
Wattanakriengkrai et al.2020CommitJavaβœ”
Suh2020Commit/FileJavaScript, PHPβœ”

Test Build, Test, and Deployment

  • Configuration Validation

    • ML
      • Tuning configuration of apache spark on public clouds by combining multi-objective optimization and performance prediction model (JSS, 2021) πŸ“
      • KGSecConfig: A Knowledge Graph Based Approach for Secured Container Orchestrator Configuration (SANER, 2022) πŸ“
      • CoMSA: A Modeling-Driven Sampling Approach for Configuration Performance Testing (ASE, 2023) πŸ“
    • Feed-Forward Neural Network (FFNN)
      • DeepPerf: Performance prediction for configurable software with deep sparse neural network (ICSE, 2019) πŸ“
    • Generative Adversarial Network (GAN)
      • ACTGAN: automatic configuration tuning for software systems with generative adversarial networks (ASE, 2019) πŸ“
      • Perf-AL: Performance prediction for configurable software through adversarial learning (ESEM, 2020) πŸ“
  • Infrastructure Scanning

    • ML
      • Characterizing defective configuration scripts used for continuous deployment (ICST, 2018) πŸ“
      • Source code properties of defective infrastructure as code scripts (IST, 2019) πŸ“
      • Within-project defect prediction of infrastructure-as-code using product and process metrics (TSE, 2021) πŸ“
    • Word2Vec-CBOW (Continuous Bag of Words)
      • FindICI: Using machine learning to detect linguistic inconsistencies between code and natural language descriptions in infrastructure-as-code (EMSE, 2022) πŸ“
Benchmarks used in evaluating AI-driven infrastructure as code
BenchmarkYearReal-WorldSynthesis
Rahman and Williams2018βœ”
Rahman and Williams2019βœ”
Dalla et al.2021βœ”
Borovits et al.2022βœ”

Monitor Operation & Monitoring

  • Log Analysis & Anomaly Detection
    • ML
      • An anomaly detection system based on variable N-gram features and one-class SVM (IST, 2017) πŸ“
      • Anomaly detection and diagnosis for cloud services: Practical experiments and lessons learned (JSS, 2018) πŸ“
      • Adaptive performance anomaly detection in distributed systems using online svms (TDSC, 2018) πŸ“
      • Log-based anomaly detection with robust feature extraction and online learning (TIFS, 2021) πŸ“
      • Try with Simpler--An Evaluation of Improved Principal Component Analysis in Log-based Anomaly Detection (TOSEM, 2023) πŸ“
      • On the effectiveness of log representation for log-based anomaly detection (EMSE, 2023) πŸ“
    • RNN
      • Deeplog: Anomaly detection and diagnosis from system logs through deep learning (CCS, 2017) πŸ“
      • Robust log-based anomaly detection on unstable log data (FSE, 2019) πŸ“
      • Loganomaly: Unsupervised detection of sequential and quantitative anomalies in unstructured logs (IJCAI, 2019) πŸ“
      • Anomaly detection in operating system logs with deep learning-based sentiment analysis (TDSC, 2020) πŸ“
      • SwissLog: Robust anomaly detection and localization for interleaved unstructured logs (TDSC, 2022) πŸ“
      • DeepSyslog: Deep Anomaly Detection on Syslog Using Sentence Embedding and Metadata (TIFS, 2022) πŸ“
      • LogOnline: A Semi-Supervised Log-Based Anomaly Detector Aided with Online Learning Mechanism (ASE, 2023) πŸ“
      • On the effectiveness of log representation for log-based anomaly detection (EMSE, 2023) πŸ“
    • RNN-based AutoEncoder (AE)
      • Lifelong anomaly detection through unlearning (CCS, 2019) πŸ“
      • Recompose event sequences vs. predict next events: A novel anomaly detection approach for discrete event logs (CCS, 2021) πŸ“
    • GNN
      • LogGraph: Log Event Graph Learning Aided Robust Fine-Grained Anomaly Diagnosis (TDSC, 2023) πŸ“
    • Vanilla Transformer
      • Log-based anomaly detection without log parsing (ASE, 2021) πŸ“
    • XAI For Deep Learning (DL)
      • Deepaid: Interpreting and improving deep learning-based anomaly detection in security applications (CCS, 2021) πŸ“
      • Towards an interpretable autoencoder: A decision-tree-based autoencoder and its application in anomaly detection (TDSC, 2022) πŸ“
    • Conditional Diffusion Model
      • Maat: Performance Metric Anomaly Anticipation for Cloud Services with Conditional Diffusion (ASE, 2023) πŸ“
Benchmarks used in evaluating AI-driven log analysis and anomaly detection
BenchmarkYearReal-WorldSynthesis
Yahoo! Webscope2006βœ”βœ”
BGL2007βœ”
HDFS2009βœ”
ADFA-LD2013βœ”
SDS2015βœ”
UNSW-NB152015βœ”
OpenStack2017βœ”
Microsoft2019βœ”
LogHub2020βœ”
Studiawan et al.2020βœ”
Yang et al.2023βœ”
  • Cyber-Physical Systems
    • ML
      • TABOR: A graphical model-based approach for anomaly detection in industrial control systems (CCS, 2018) πŸ“
      • Adaptive-Correlation-aware Unsupervised Deep Learning for Anomaly Detection in Cyber-physical Systems (TDSC, 2023) πŸ“
    • RNN + GNN
      • Digital Twin-based Anomaly Detection with Curriculum Learning in Cyber-physical Systems (TOSEM, 2023) πŸ“
    • GAN
      • Digital twin-based anomaly detection in cyber-physical systems (ICST, 2021) πŸ“
    • Variational AutoEncoder (VAE)
      • From Point-wise to Group-wise: A Fast and Accurate Microservice Trace Anomaly Detection Approach (FSE, 2023) πŸ“
    • Vanilla Transformer
      • Twin Graph-Based Anomaly Detection via Attentive Multi-Modal Learning for Microservice System (ASE, 2023) πŸ“
    • LM + RNN
      • KDDT: Knowledge Distillation-Empowered Digital Twin for Anomaly Detection (FSE, 2023) πŸ“
Benchmarks used in evaluating AI-driven log analysis and anomaly detection
BenchmarkYearReal-WorldSynthesis
Gas Pipeline Dataset2015βœ”
SWaT2016βœ”
WADI2017βœ”
BATADAL2018βœ”
MSDS2023βœ”

Identified 15 Challenges of AI-Driven Security Approach in DevSecOps (Section 5 in our paper)

DevOps StepIdentified Security TaskThemes of Challenges
PlanThreat Modeling-
Software Impact Analysis-
DevelopmentSoftware Vulnerability DetectionC1-1 - Data Imbalance
C4 - Cross Project
C5 - MBU Vulnerabilities
C6 - Data Quality
Software Vulnerability ClassificationC1-2 - Data Imbalance
C7 - Incompleted CWE Tree
Automated Vulnerability RepairC2-1 - Model Explainability
C8 - Sequence Length and Computing Resource
C9 - Loss of Pre-Trained Knowledge
C10 - Automated Repair on Real-World Scenarios
Security Tools in IDEsC3-1 - Lack of AI Security Tooling in IDEs
Code CommitCI/CD Secure PipelinesC2-2 - Model Explainability
C3-2 - Lack of AI Security Tooling in CI/CD
C11 - The Use of RNNs
Build, Test, and DeploymentConfiguration ValidationC12 - Complex Feature Space
Infrastructure ScanningC3-3 - Lack of AI Security Tooling for Infrastructure Scanning
C13 - Manual Feature Engineering
Operation and MonitoringLog Analysis and Anomaly DetectionC2-3 - Model Explainability
C14 - Normality Drift for Zero-Positive Anomaly Detection
Cyber-Physical SystemsC15 - Monitoring Multiple Cyber-Attacks Simultaneously

Identified 15 Research Directions of AI-Driven Security Approach in DevSecOps (Section 5 in our paper)

DevOps StepIdentified Security TaskResearch Opportunity
PlanThreat Modeling-
Software Impact Analysis-
DevelopmentSoftware Vulnerability DetectionR1-1 - Data augmentation and logit adjustment
R4 - Evaluate cross-project SVD with diverse CWE-IDs
R5 - Evaluate SVD on MBU vulnerabilities
R6 - Address data inaccuracy from automatic data collection.
Software Vulnerability ClassificationR1-2 - Meta-learning and LLMs
R7 - Develop advanced tree-based SVC
Automated Vulnerability RepairR2-1 - Evidence-based explainable AI (XAI)
R8 - Explore transformer variants that can process longer sequences
R9 - Explore different training paradigms during fine-tuning
R10 - Address limitations of LLMs
Security Tools in IDEsR3-1 - AI tool deployment and comprehensive tool evaluation
Code CommitCI/CD Secure PipelinesR2-2 - Explainable AI (XAI) for DL Models
R3-2 - AI tool deployment in CI/CD pipelines
R11 - Explore LMs and LLMs
Build, Test, and DeploymentConfiguration ValidationR12 - Explore transformers for tabular data
Infrastructure ScanningR3-3 - AI tool deployment and post-deployment evaluation
R13 - Explore DL-based techniques
Operation and MonitoringLog Analysis and Anomaly DetectionR2-3 - Explainable AI (XAI) for ML Models
R14 - Enhance normality drift detection
Cyber-Physical SystemsR15 - Distributed anomaly detection and multi-agent systems