Overview
Agentic Triage is an AI-based capability that runs on top of the Code Security Check (SAST) in your repository integrations. For each code finding, it uses an LLM to assess whether the finding is a real vulnerability or a false positive, and returns that assessment together with a plain-language explanation of its reasoning.
The goal is to cut false-positive noise so your teams spend their time on the findings that actually warrant attention.
Agentic Triage is available in the Mend Developer Platform across the supported SCM integrations. For the exact behavior and screenshots in your environment, see the per-SCM guides linked in the viewing the results section.
How it works
When Code Security Check produces a finding, Agentic Triage analyzes the finding together with its data flow and surrounding code context, and returns:
-
an outcome — True Positive, Inconclusive, or False Positive;
-
an explanation — a structured breakdown of the evidence behind the outcome (for example: the vulnerable location, the relevant sanitizer or validator, control-flow coverage, and CWE relevance);
Note: AI results are advisory and are not perfect. Treat Agentic Triage outcomes as a prioritization aid, not a final decision — a False Positive assessment does not automatically dismiss a finding, and outcomes should be validated by a human before you act on them.
Prerequisites
Agentic Triage requires the following to be set before enabling the AI-based triaging.
-
AI addendum signed (AI Consent). Your organization must sign an addendum to your Mend contract that consents to AI processing. Contact your CSM to initiate this. Without it, the feature cannot be enabled.
-
Enable in the Mend Platform. An organization administrator enables the feature in the Mend Platform under Administration → General by toggling on Code Findings Triage.
-
Enable in the Developer Platform. Enable the feature in the Code Security section of the Developer Platform settings.
When enabled, snippets of your source code and finding details are shared with Mend.io's AI model to classify, prioritize, and provide triage insights. Disabling the option prevents any code from being shared with the model and turns off Agentic Triage entirely.
Understanding the results
Every analyzed finding receives one of three outcomes, visible in the Code Security Report:
|
Outcome |
Meaning |
|---|---|
|
True Positive |
The AI assesses the finding as a real, exploitable vulnerability. An exploitation path is provided |
|
Inconclusive |
There is insufficient information to determine whether the finding is a true or false positive |
|
False Positive |
The AI assesses the finding as not exploitable / not a real issue |
|
Unknown |
Mend doesn’t support AI Triage for this type of vulnerability |
|
Skipped |
The triage for this vulnerability was disabled by the user |
|
Error |
There was an error when processing the results |
To review the analysis for a finding, expand the triage result under that finding to see the outcome, then expand the Explanation to see the full evidence breakdown. For True Positives, the exploitation path is included in the breakdown.
Supported languages
Agentic Triage supports the following languages:
-
Java
-
JavaScript / TypeScript
-
Go
-
Python
-
C#
-
Ruby
-
Kotlin
-
PHP
-
Scala
-
Rust
-
C++
Supported CWEs
-
CWE-89 SQL Injection
-
CWE-79 Cross-Site Scripting
-
CWE-78 OS Command Injection
-
CWE-94 Code Injection
-
CWE-22 Path Traversal
-
CWE-73 External Control of File Name/Path
-
CWE-918 Server-Side Request Forgery
-
CWE-90 LDAP Injection
-
CWE-943 NoSQL Injection
-
CWE-643 XPath Injection
-
CWE-611 XML External Entity
-
CWE-502 Deserialization of Untrusted Data
-
CWE-113 HTTP Response Splitting / Header Injection
-
CWE-113 HTTP Response Splitting
-
CWE-117 Log Injection / Log Forging
-
CWE-200 Sensitive Information Exposure
-
CWE-501 Trust Boundary Violation
-
CWE-601 Open Redirect
-
CWE-1333 ReDoS
-
CWE-798 Use of Hard-coded Credentials
-
CWE-327 Broken/Risky Crypto Algorithm
-
CWE-328 Use of Weak Hash
-
CWE-338 Cryptographically Weak PRNG
-
Cookie Without ‘Secure’ Flag
-
CWE-1004 Cookie Without ‘HttpOnly’ Flag
-
CWE-295 Improper Certificate Validation
-
CWE-319 Cleartext Transmission
Viewing the results
Agentic Triage results appear in the Code Security Report in the Mend Developer Platform and in your SCM. The exact UI, indicators, and steps differ slightly per integration. See the guide for your SCM:
Limitations
-
Agentic Triage currently covers SAST (Code Security) findings only. AI triage for other engines (SCA, Containers, etc.) is out of scope.
-
AI outcomes are advisory and not guaranteed to be correct; validate before acting.