THESIS: Context-Aware AI for Dependency Risk Management in CI/CD

Managing third-party dependencies is critical for software security, yet existing tools such as Dependabot treat all version updates and reported vulnerabilities as equally urgent. This lack of prioritization leads to alert fatigue and wasted developer effort. This thesis explores how AI can make dependency risk management more contextual and actionable in CI/CD environments. Specifically, it investigates methods for predicting which vulnerabilities are relevant to a given codebase, detecting emerging risks earlier than official CVE publication, and modeling attack paths within dependency graphs. A proof-of-concept system will be developed and evaluated against existing tools, with a focus on integrating AI-driven risk scoring into developer workflows in ways that support security without impeding delivery speed.

Modern tools such as Dependabot help maintain up-to-date dependencies, but they lack contextual awareness: all version updates and CVEs are flagged as equally critical, regardless of whether they truly affect a project. This creates alert fatigue and inefficient use of developer time. AI has the potential to make dependency management proactive and context-aware by ranking vulnerabilities based on real impact, surfacing early warning signals before official disclosure, and integrating seamlessly into developer workflows.

Bachelor's/Master's student in Computer Science or Computer Engineering with an interest in AI, software security, and DevOps.

This thesis will investigate how AI can enhance dependency risk management in CI/CD environments. The aim is to move beyond existing tools by:

• Predicting which vulnerabilities are relevant to a specific codebase
• Detecting emerging risks earlier than official disclosure (e.g., CVEs)
• Modeling how vulnerabilities propagate through dependency graphs
• Presenting results in ways that developers are more likely to act upon

A proof-of-concept system should be implemented and evaluated against current tools such as Dependabot.

The thesis will address the following objectives:

• Relevance prediction – Develop AI models that can estimate which vulnerabilities meaningfully affect a specific codebase.
• Early risk detection – Explore anomaly detection and NLP methods (e.g., on maintainer activity, commit history, release notes) to identify risks prior to official CVE disclosure.
• Attack-path modeling – Evaluate graph-based techniques, such as graph neural networks and dependency embeddings, for representing and analyzing vulnerability propagation through dependency trees.
• Workflow integration – Design mechanisms for embedding AI-driven risk scores into CI/CD pipelines in a way that balances security with delivery velocity.
• Prioritization learning – Investigate whether AI can learn from developer behavior to prioritize issues teams are realistically willing to address.
• Actionability of results – Assess presentation strategies (dashboards, PR annotations, Slack summaries) that increase the likelihood of developer response to identified risks.

In this thesis, investigate these questions:

Scope

• Investigating AI methods for predicting vulnerability relevance, early detection of risks, and modeling dependency attack paths.
• Implementing a proof-of-concept prototype that integrates into CI/CD workflows.
• Comparing the prototype primarily against existing tools such as Dependabot.
• Evaluating results on selected open-source projects or representative test environments.

Limitations

• The study does not aim to create a production-ready system, but rather to demonstrate feasibility.
• Results may be constrained by the availability and quality of vulnerability data (e.g., CVE/NVD listings, commit histories).
• The evaluation will be limited in scale and may not generalize to all languages, ecosystems, or organizational practices.
• Adversarial attacks against the AI models themselves (e.g., model poisoning) are outside the primary scope.
• Broader supply chain risks such as compromised build infrastructure or malicious maintainers are acknowledged but not addressed directly.

References:

• GitHub Dependabot:
• NVD (National Vulnerability Database):
• Kipf & Welling, Semi-Supervised Classification with Graph Convolutional Networks:
• Research on adversarial ML in software supply chains (various)