Google has released CodeAudit, an open-source framework for automated security-focused code review that integrates with popular CI/CD pipelines. The tool uses a combination of static analysis and large language model inference to identify potential vulnerabilities, misconfigurations, and insecure coding patterns.
In internal benchmarks, CodeAudit detected 91% of known vulnerability types in the OWASP Top 10, with a false positive rate of just 8%. The framework supports Java, Python, Go, JavaScript, and Rust, with community contributors already working on support for additional languages.
Google emphasized that CodeAudit is not intended to replace human security reviewers but rather to augment them by handling routine checks and flagging areas that warrant closer inspection. The project is available under the Apache 2.0 license on GitHub.
