The software supply chain attacks are becoming more and more focused on trusted development and delivery procedures, so the conventional post-build integrity mechanisms cannot be used anymore. The available frameworks like SLSA, SBOM and in toto are majorly used to offer provenance and traceability but do not have the capabilities of actively identifying and removing vulnerabilities in software production. The current paper includes an example of agentic artificial intelligence (AI) based on autonomous software supply chain security that combines large language model (LLM)-based reasoning, reinforcement learning (RL), and multi-agent coordination. The suggested system utilizes specialized security agents coordinated with the help of LangChain and LangGraph, communicates with actual CI/CD environments with the Model Context Protocol (MCP), and documents all the observations and actions in a blockchain security ledger to ensure integrity and auditing. Reinforcement learning can be used to achieve adaptive mitigation strategies that consider the balance between security effectiveness and the operational overhead, and LLMs can be used to achieve semantic vulnerability analysis, as well as explainable decisions. This framework is tested based on simulated pipelines, as well as, actual world CI/CD integrations on GitHub Actions and Jenkins, including injection attacks, insecure deserialization, access control violations, and configuration errors. Experimental outcomes indicate better detection accuracy, shorter mitigation latency and reasonable build-time overhead than rule-based, provenance only and RL only baselines. These results show that agentic AI can facilitate the transition to self defending, proactive software supply chains rather than reactive verification ones.

翻译：软件供应链攻击日益聚焦于可信开发与交付流程，使得传统构建后完整性机制已无法适用。现有框架如SLSA、SBOM及in toto主要提供溯源与可追溯性，但缺乏在软件生产过程中主动识别与消除漏洞的能力。本文提出一种基于代理式人工智能（AI）的自主软件供应链安全框架，其融合了基于大语言模型（LLM）的推理、强化学习（RL）与多智能体协同技术。该系统通过LangChain与LangGraph协调专业化安全代理，借助模型上下文协议（MCP）与真实CI/CD环境交互，并将所有观测与操作记录于区块链安全账本以确保完整性与可审计性。强化学习用于实现兼顾安全效能与运行开销的自适应缓解策略，大语言模型则用于语义级漏洞分析与可解释决策。该框架在模拟流水线及真实世界的GitHub Actions与Jenkins CI/CD集成环境中进行测试，涵盖注入攻击、不安全反序列化、访问控制违规及配置错误等场景。实验结果表明，相较于基于规则、仅溯源及仅强化学习的基线方法，本框架在检测精度、缓解延迟及构建时开销方面均表现更优。这些结果证明，代理式人工智能能够推动软件供应链从被动验证向主动自主防御的范式转变。