
AI is for Aardvark: OpenAI launches continuous code analyzer

The move dovetails with the company’s aim to be a “true platform” for app builders, according to one Gartner analyst.


Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.

When it comes to software tools listed first alphabetically, OpenAI isn’t messing around.

Just a day after co-founder and CEO Sam Altman said OpenAI aims to become “a true platform” for app builders, the company introduced a new agentic coding tool dubbed “Aardvark.” Although still in private beta, Aardvark is intended to help software developers automate the difficult task of finding and fixing vulnerabilities in their codebases.

The Aardist’s way. During the Oct. 30 unveiling, OpenAI announced that Aardvark (which it termed an “agentic security researcher”) is powered by GPT-5, its latest large language model (LLM). According to the company’s blog post breaking down the features, Aardvark:

  • Uses LLM-powered reasoning and tool use, rather than traditional methods such as fuzzing or software composition analysis, to monitor new commits to a codebase, find vulnerabilities, and propose fixes.
  • Analyzes a full code repo, scanning its history to “identify existing issues.”
  • Integrates with GitHub and explains the vulnerabilities it finds, “annotating code for human review.”
  • Can test a vulnerability’s impact in an isolated, sandboxed environment.
  • Can also attach a patch for subsequent developer review.

Is this a revolutionary development in cybersecurity? “Most of these AI tools find things that you can’t find manually,” Avivah Litan, distinguished VP analyst at market-intel firm Gartner, said of the coding assistants on the market today. Litan added that Aardvark demonstrates OpenAI is “putting the infrastructure together for application developers to make applications.”

Agentic ideas. Stephen Bennett, director of the cloud-native applications practice at Soliant Consulting, and his team run a quarterly maintenance process for production applications, a manual effort to ensure security packages and libraries are up to date. Bennett also built an agentic tool from scratch that connects to the team’s code-hosting tool, Bitbucket, and identifies potential security vulnerabilities in new pull requests.

It’s a bit like the “commit scanning” promised by Aardvark.

When a code change is detected at Soliant, the full contents of the pull request are handed to an LLM as context, and the model returns a structured list of whichever security vulnerabilities and errors the agent has been trained to detect.


Aardvark’s commit scanner likely offers a similar functionality with broader context, Bennett said, and he sees a tool like Aardvark helping developer teams if it can truly scan a full code repository as claimed.

“It’s one thing to look at the commit that’s coming in and say, ‘Hey, I can see that you’re using this new library or this new package, and there’s a known security vulnerability with that,’” Bennett told IT Brew. “But if it doesn’t have the larger context of the application, it may not understand some additional security pieces or vulnerabilities that you might be introducing with your pull request.”
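The commit-scanning pipeline Bennett describes, reduced to its mechanical parts, as an added example that is not code from Soliant, OpenAI or Aardvark. Everything in it is constructed: the pull-request diff, the model’s structured reply and the finding fields (`path`, `line`, `severity`, `cwe`, `title`) are made up for illustration, and no LLM is actually called. It pulls the “new library” signal straight out of the diff without a model, and its validator refuses any finding that does not point at a line the pull request actually added, which is the kind of verification the rest of this piece says an AI output needs before a human sees it.

```python
"""Pull-request commit scanner skeleton: extract what a PR added, flag new
dependencies, then validate a model's structured reply against the diff.
Constructed example with no live LLM call; the diff, the model reply and the
finding fields are all made up here."""
import json
import re
from dataclasses import dataclass

# Constructed unified diff standing in for a pull request.
SAMPLE_DIFF = """\
diff --git a/requirements.txt b/requirements.txt
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,3 @@
 flask==3.0.0
 requests==2.31.0
+pyyaml==5.3.1
diff --git a/app/loader.py b/app/loader.py
--- a/app/loader.py
+++ b/app/loader.py
@@ -10,4 +10,7 @@ def load_config(path):
     with open(path) as fh:
-        return json.load(fh)
+        raw = fh.read()
+    # yaml.load without an explicit SafeLoader: classic unsafe deserialization
+    return yaml.load(raw)
"""

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
DEP_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s;#]+)")
REQUIRED = {"path", "line", "severity", "cwe", "title"}  # made-up finding schema
SEVERITIES = {"low", "medium", "high", "critical"}


@dataclass
class AddedLine:
    path: str        # path in the new tree
    new_lineno: int  # line number in the new file
    text: str


def added_lines(diff: str) -> list[AddedLine]:
    """Return every '+' line of a unified diff with its new-file line number.
    Context lines advance the counter, removed lines do not."""
    out, path, lineno = [], None, 0
    for line in diff.splitlines():
        if line.startswith("+++ "):        # new-file header; must precede the '+' test
            path = line[4:].removeprefix("b/")
        elif line.startswith(("--- ", "diff --git", "\\")):
            continue                       # old-file header, file header, "No newline" marker
        elif m := HUNK_RE.match(line):
            lineno = int(m.group(1))       # first new-file line of this hunk
        elif path is None:
            continue
        elif line.startswith("+"):
            out.append(AddedLine(path, lineno, line[1:]))
            lineno += 1
        elif not line.startswith("-"):
            lineno += 1                    # unchanged context line
    return out


def new_dependencies(lines: list[AddedLine]) -> list[tuple[str, str]]:
    """Pinned packages the PR introduces in requirements files: the 'new library'
    signal Bennett describes, which needs no model at all."""
    return [(m.group(1).lower(), m.group(2))
            for al in lines if al.path.endswith("requirements.txt")
            if (m := DEP_RE.match(al.text))]


# Constructed stand-in for the model's structured reply. The third finding
# points at a line the PR never touched and is dropped by validate_findings.
SAMPLE_MODEL_REPLY = json.dumps({"findings": [
    {"path": "app/loader.py", "line": 13, "severity": "high", "cwe": "CWE-502",
     "title": "yaml.load without SafeLoader on file contents"},
    {"path": "requirements.txt", "line": 3, "severity": "medium", "cwe": "CWE-1104",
     "title": "pyyaml pinned to an old release; check advisories"},
    {"path": "app/loader.py", "line": 40, "severity": "low", "cwe": "CWE-20",
     "title": "unvalidated input"}]})


def validate_findings(reply: str, lines: list[AddedLine]) -> tuple[list[dict], list[str]]:
    """Keep only well-formed findings anchored to a line this PR added; return
    (kept, reasons_rejected). Nothing the model says is trusted unchecked."""
    added = {(al.path, al.new_lineno) for al in lines}
    try:
        findings = json.loads(reply).get("findings", [])
    except (json.JSONDecodeError, AttributeError) as exc:
        return [], [f"reply is not a JSON object: {exc}"]
    kept, rejected = [], []
    for i, f in enumerate(findings):
        if not isinstance(f, dict) or not REQUIRED.issubset(f):
            rejected.append(f"finding {i}: missing required fields")
        elif f["severity"] not in SEVERITIES or not re.fullmatch(r"CWE-\d+", str(f["cwe"])):
            rejected.append(f"finding {i}: bad severity or CWE id")
        elif (f["path"], f["line"]) not in added:
            rejected.append(f"finding {i}: {f['path']}:{f['line']} not added by this PR")
        else:
            kept.append(f)
    return kept, rejected
```

In a real deployment the diff would come from the Bitbucket or GitHub pull-request API and the reply from the model, and the context problem Bennett raises is addressed by sending the full text of each touched file alongside the hunks rather than the hunks alone. The validator is the triage filter in code form: a finding that names a line the PR did not add never reaches a reviewer, so the “noise” is paid for in CPU time rather than human attention.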

It’s buggy out. AI has found its way into the code-scanning process, and AI-assisted vulnerability detection now ships in a range of products, including GitHub Copilot, Amazon CodeGuru Security, and Snyk Code, as well as academic projects like SWE-agent.

These bots must cover an immense number of software vulnerabilities. Over 40,000 common vulnerabilities and exposures (CVEs) were published in 2024, up from the still-gigantic 28,818 published in 2023. According to Verizon’s 2025 Data Breach Investigations Report, vulnerability exploitation was the initial access vector in 20% of breaches.

Poised for noise. For Patrick Garrity, security researcher at exploit-intel company VulnCheck, an important question for an AI-powered tool like Aardvark is its ratio of noise to value. “If you have a bunch of findings that now you have to triage, naturally, it takes humans to do that work,” he said.

While you certainly can’t automatically trust an AI output without doing some verification, Litan said, a developer still needs AI capabilities to view all the alerts, prioritize them, and provide context: “It’s AI versus AI these days. You just can’t do this without it.”

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.