GitHub Security Lab uses LLM taskflows to triage CodeQL security alerts and discover real-world vulnerabilities
Triaging security alerts is highly repetitive because false positives are caused by patterns obvious to human auditors but too fuzzy for traditional static analysis tools to encode as formal code patterns.
Attempting complex multi-step tasks within a single prompt context caused tasks to be skipped and instructions to go unfollowed; placing information-gathering logic directly in LLM prompts (rather than MCP server tools) produced inconsistent results due to LLM non-determinism.
Using LLM taskflows, the GitHub Security Lab quickly triaged a large number of CodeQL alerts and discovered approximately 30 real-world vulnerabilities since August, with results remaining fairly accurate even without automated validation.
Frequently asked questions
What did this team achieve with this AI workflow?
Using LLM taskflows, the GitHub Security Lab quickly triaged a large number of CodeQL alerts and discovered approximately 30 real-world vulnerabilities since August, with results remaining fairly accurate even without…
What tools did this team use?
GitHub Security Lab Taskflow Agent, CodeQL, Claude Sonnet 3.5, MCP servers, GitHub Issue.
What results were reported?
Real-world vulnerabilities discovered: ~30; Triage result accuracy: fairly accurate (source-reported, not independently verified).
What failed first in this deployment?
Attempting complex multi-step tasks within a single prompt context caused tasks to be skipped and instructions to go unfollowed; placing information-gathering logic directly in LLM prompts (rather than MCP server tool…
How is this quality assurance AI workflow structured?
CodeQL alert generation → Information collection → Audit for false positives → Bug report generation → Report validation → GitHub Issue creation → Human issue review → Dismissal reasons feedback.