Code Findings Agentic Triage

Overview

Agentic Triage is an AI-based capability that runs on top of the Code Security Check (SAST) in your repository integrations. For each code finding, it uses an LLM to assess whether the finding is a real vulnerability or a false positive, and returns that assessment together with a plain-language explanation of its reasoning.

The goal is to cut false-positive noise so your teams spend their time on the findings that actually warrant attention.

Agentic Triage is available in the Mend Developer Platform across the supported SCM integrations. For the exact behavior and screenshots in your environment, see the per-SCM guides linked in the viewing the results section.

How it works

When Code Security Check produces a finding, Agentic Triage analyzes the finding together with its data flow and surrounding code context, and returns:

  • an outcome — True Positive, Inconclusive, or False Positive;

  • an explanation — a structured breakdown of the evidence behind the outcome (for example: the vulnerable location, the relevant sanitizer or validator, control-flow coverage, and CWE relevance);

Note: AI results are advisory and are not perfect. Treat Agentic Triage outcomes as a prioritization aid, not a final decision — a False Positive assessment does not automatically dismiss a finding, and outcomes should be validated by a human before you act on them.

Prerequisites

Agentic Triage requires the following to be set before enabling the AI-based triaging.

  1. AI addendum signed (AI Consent). Your organization must sign an addendum to your Mend contract that consents to AI processing. Contact your CSM to initiate this. Without it, the feature cannot be enabled.

  2. Enable in the Mend Platform. An organization administrator enables the feature in the Mend Platform under Administration → General by toggling on Code Findings Triage.

image-20260713-144804.png
  1. Enable in the Developer Platform. Enable the feature in the Code Security section of the Developer Platform settings.

image-20260713-144820.png

When enabled, snippets of your source code and finding details are shared with Mend.io's AI model to classify, prioritize, and provide triage insights. Disabling the option prevents any code from being shared with the model and turns off Agentic Triage entirely.

Understanding the results

Every analyzed finding receives one of three outcomes, visible in the Code Security Report:

Outcome

Meaning

True Positive

The AI assesses the finding as a real, exploitable vulnerability. An exploitation path is provided

Inconclusive

There is insufficient information to determine whether the finding is a true or false positive

False Positive

The AI assesses the finding as not exploitable / not a real issue

Unknown

Mend doesn’t support AI Triage for this type of vulnerability

Skipped

The triage for this vulnerability was disabled by the user

Error

There was an error when processing the results

To review the analysis for a finding, expand the triage result under that finding to see the outcome, then expand the Explanation to see the full evidence breakdown. For True Positives, the exploitation path is included in the breakdown.

image-20260713-152151.png
An example of the full evidence breakdown under the Explanation per finding

Supported languages

Agentic Triage supports the following languages:

  • Java

  • JavaScript / TypeScript

  • Go

  • Python

  • C#

  • Ruby

  • Kotlin

  • PHP

  • Scala

  • Rust

  • C++

Supported CWEs

  • CWE-89 SQL Injection

  • CWE-79 Cross-Site Scripting

  • CWE-78 OS Command Injection

  • CWE-94 Code Injection

  • CWE-22 Path Traversal

  • CWE-73 External Control of File Name/Path

  • CWE-918 Server-Side Request Forgery

  • CWE-90 LDAP Injection

  • CWE-943 NoSQL Injection

  • CWE-643 XPath Injection

  • CWE-611 XML External Entity

  • CWE-502 Deserialization of Untrusted Data

  • CWE-113 HTTP Response Splitting / Header Injection

  • CWE-113 HTTP Response Splitting

  • CWE-117 Log Injection / Log Forging

  • CWE-200 Sensitive Information Exposure

  • CWE-501 Trust Boundary Violation

  • CWE-601 Open Redirect

  • CWE-1333 ReDoS

  • CWE-798 Use of Hard-coded Credentials

  • CWE-327 Broken/Risky Crypto Algorithm

  • CWE-328 Use of Weak Hash

  • CWE-338 Cryptographically Weak PRNG

  • Cookie Without ‘Secure’ Flag

  • CWE-1004 Cookie Without ‘HttpOnly’ Flag

  • CWE-295 Improper Certificate Validation

  • CWE-319 Cleartext Transmission

Viewing the results

Agentic Triage results appear in the Code Security Report in the Mend Developer Platform and in your SCM. The exact UI, indicators, and steps differ slightly per integration. See the guide for your SCM:

Limitations

  • Agentic Triage currently covers SAST (Code Security) findings only. AI triage for other engines (SCA, Containers, etc.) is out of scope.

  • AI outcomes are advisory and not guaranteed to be correct; validate before acting.