English

RepoAudit: An Autonomous LLM-Agent for Repository-Level Code Auditing

Software Engineering 2025-06-02 v3 Programming Languages

Abstract

Code auditing is the process of reviewing code with the aim of identifying bugs. Large Language Models (LLMs) have demonstrated promising capabilities for this task without requiring compilation, while also supporting user-friendly customization. However, auditing a code repository with LLMs poses significant challenges: limited context windows and hallucinations can degrade the quality of bug reports, and analyzing large-scale repositories incurs substantial time and token costs, hindering efficiency and scalability. This work introduces an LLM-based agent, RepoAudit, designed to perform autonomous repository-level code auditing. Equipped with agent memory, RepoAudit explores the codebase on demand by analyzing data-flow facts along feasible program paths within individual functions. It further incorporates a validator module to mitigate hallucinations by verifying data-flow facts and checking the satisfiability of path conditions associated with potential bugs, thereby reducing false positives. RepoAudit detects 40 true bugs across 15 real-world benchmark projects with a precision of 78.43%, requiring on average only 0.44 hours and $2.54 per project. Also, it detects 185 new bugs in high-profile projects, among which 174 have been confirmed or fixed. We have open-sourced RepoAudit at https://github.com/PurCL/RepoAudit.

Keywords

Cite

@article{arxiv.2501.18160,
  title  = {RepoAudit: An Autonomous LLM-Agent for Repository-Level Code Auditing},
  author = {Jinyao Guo and Chengpeng Wang and Xiangzhe Xu and Zian Su and Xiangyu Zhang},
  journal= {arXiv preprint arXiv:2501.18160},
  year   = {2025}
}

Comments

18 pages, 11 tables, 6 figures, 3 listings

R2 v1 2026-06-28T21:25:06.345Z