An AI vulnerability scanner can be useful, but the phrase hides two very different products. A scanner finds patterns and ranks possible issues. An agent audit investigates whether those issues are reachable, exploitable, duplicated, or false. Tangle Code Auditor is being built toward the second model.
The planned product surface is audit.tangle.tools; public pages should treat it as upcoming until the domain is live.
Scanner Vs Agent Audit
| Capability | Scanner | Agent audit |
|---|---|---|
| pattern detection | strong | uses scanner output |
| repository context | limited | inspects call paths and config |
| command execution | sometimes | expected |
| exploit validation | rare | core requirement |
| duplicate handling | partial | merges related findings |
| severity proof | weak unless configured | tied to impact and reproduction |
| fix guidance | generic | repo-specific |
Scanners such as CodeQL and Semgrep are valuable. The mistake is treating raw scanner output as an audit report.
The Agent Audit Loop
collect candidate findings
-> inspect code context
-> run build and tests
-> validate or reject exploit path
-> assign severity
-> write fix guidance
-> package evidenceThat loop is what Tangle Code Auditor should own. The model can propose hypotheses, but the runtime has to make the hypotheses answerable.
When A Scanner Is Enough
| Need | Scanner is enough? |
|---|---|
| dependency policy | often |
| banned API detection | often |
| secret patterns | often |
| release-blocking exploitability | no |
| smart contract severity | no |
| codebase-specific fix plan | no |
For release gates, the agent should preserve the raw tool output and the reasoning that changed or discarded it.
Triage Policy
Use scanners continuously because they are fast, consistent, and cheap. Use an agent audit when the result must be interpreted.
| Scanner result | Agent audit question |
|---|---|
| unsafe function call | is the input controlled by an attacker? |
| possible injection | does data reach the sink without validation? |
| vulnerable dependency | is the vulnerable code path used? |
| missing auth check | can an unauthorized actor call the function? |
| smart contract pattern | can the issue move funds or permissions? |
That policy makes both tools better. The scanner provides broad coverage. The agent spends time where context matters.
Release Gate
For release decisions, require an audit packet:
| Packet item | Why it matters |
|---|---|
| scanner output | preserves the raw signal |
| agent reasoning | explains keep, merge, or discard |
| reproduction | proves the issue where possible |
| severity | ties impact to real assets |
| fix path | gives engineering the next commit |
For the agent audit runtime, read AI Code Audit With Sandboxed Agents. For the report bar, read AI Security Audit With Reproducible Findings.
What To Avoid
Do not publish a report that merely restates scanner categories with AI-written paragraphs. That creates more review work and can bury real issues under noise. A good agent audit should make the issue list shorter and more defensible.
The right metric is not number of findings. The right metric is accepted fixes per reviewed finding, plus severe issues that came with enough proof for engineering to act immediately. If the agent creates fifty speculative issues and two are real, it has shifted work to the engineering team instead of reducing risk.
Track false-positive categories too. If the same scanner rule is always dismissed because a local wrapper sanitizes input, teach the audit profile that project-specific context. The scanner should keep coverage; the agent should keep memory of how this codebase works.
Source References
Use scanners with their own documentation open. CodeQL, GitHub’s CodeQL code scanning, Semgrep, and OWASP WSTG each describe different parts of the security review stack. An agent audit should cite which tool produced a signal and which repo-specific evidence kept or rejected it.
What This Does Not Prove
An agent audit is still scoped work. It does not prove there are no vulnerabilities. It gives a stronger evidence bar for the issues it reports and reduces noise from untriaged scanner output.
Decision Rule
Use scanners continuously. Use agent audit when a release, integration, or protocol change needs validated findings and fix guidance. Require reproduction before escalating severity.
FAQ
What is an AI vulnerability scanner?
It is software that uses rules, static analysis, or AI assistance to identify possible security issues in code.
What is an agent audit?
It is an audit workflow where an agent inspects context, runs commands, validates findings, and writes a report.
Which is better?
They solve different layers. Scanners are good at coverage and consistency. Agent audits are better for validation and triage.
Where does Tangle Code Auditor fit?
Tangle Code Auditor is the upcoming agent audit product for sandboxed, evidence-backed code security review.