Toward Autonomous DevSecOps Agents: Cross-Oracle Validation for Future AI-Driven Software Supply Chains

Main article

Nur Aisyah Rahman
Department of Software Engineering, Universiti Teknikal Malaysia Melaka, Melaka, Malaysia, 76100
Hafizuddin Yusof
Faculty of Computing, Universiti Malaysia Pahang Al-Sultan Abdullah, Pekan, Malaysia, 26600
Mei Wen Tan*
School of Computer and Communication Engineering, Universiti Malaysia Perlis, Arau, Malaysia, 02600
meiwen.tan@unimap.edu.my

DOI: https://doi.org/10.63646/INFP2559

Abstract

Autonomous DevSecOps agents are beginning to change how software organizations discover, prioritize, repair, and release security patches. Yet an agent that produces a plausible patch is not necessarily producing a reliable security fix. A patch may compile, pass unit tests, silence a scanner warning, or block the original proof-of-concept exploit while still failing semantically equivalent exploit variants, missing the vulnerability root cause, or introducing release-level regressions. This article develops a forward-looking analytical framework for cross-oracle validation in AI-driven software supply chains. The proposed framework treats patch validation as a business risk analytics problem rather than a narrow code-correctness problem. It integrates agentic patch proposal, evidence collection, oracle-strength sequencing, exploit-variant testing, root-cause conformance review, regression safety, and release governance into a single decision pipeline. A diagnostic data analysis is conducted on a constructed enterprise workflow benchmark of 72 vulnerability repair tickets and 360 AI-generated patch candidates across six workflow domains. Results show that original exploit blocking accepts 82% of generated patches, whereas full cross-oracle release approval accepts 51%, producing a 31-percentage-point validation gap. Cloud infrastructure-as-code and identity-access workflows show the highest oracle divergence, while dependency upgrade workflows show the strongest regression-risk profile. The analysis further indicates that a cross-oracle agent reduces residual release risk by 37% relative to a single-oracle agent, although it increases median validation delay by 2.8 hours. The article contributes a business-oriented evaluation architecture for future DevSecOps agents and offers governance recommendations for integrating automated patch repair into software supply chain risk management.

Article details