Codetective: Building a Multi-Agent System for Comprehensive Code Review

How I built a system combining SemGrep, Trivy, and AI, orchestrated by LangGraph, to solve real-world code analysis challenges.


Completing Module 2 of the Ready Tensor Agentic AI Developer Certification was a defining moment. The project required me to design and implement a multi-agent system that leverages collaboration to solve a complex problem. I chose code security and quality — and the result is Codetective 🔎.

🔗Certification: https://app.readytensor.ai/certificates/896e63fd-f2d4-455d-aa66-02d1a102cce6

Key Features that Redefine Code Review

Codetective is designed to be useful during day-to-day development and code review. It’s built around several key capabilities:

  • Unified Multi-Agent Scanning: Instead of running three separate tools, Codetective executes a coordinated scan using SemGrep, Trivy, and a Dynamic AI Review Agent. This coordinated approach, managed by LangGraph, provides a single, coherent picture of all issues.
  • Automated Fixing: This is where the AI adds the most value. Codetective can suggest and apply fixes through its Edit Agent, or insert concise Comment Agent notes directly into the code, so a finding arrives with a proposed remediation instead of a bare report.
  • Developer-Friendly Interfaces: Recognizing that developers work in different environments, Codetective offers both a robust Command-Line Interface (CLI) for CI/CD integration and a modern, interactive Web GUI (NiceGUI) for visual issue management and selective fix application.

A Team of Specialized Agents, Orchestrated by LangGraph

The core of Codetective is a robust, modular architecture built using LangGraph. This framework was essential for defining the roles, state, and communication flow between my three primary scanning agents:

  1. SemGrep Agent: The Static Analysis Expert. It performs fast, pattern-based SAST scanning, catching common anti-patterns and known security issues defined by rules.
  2. Trivy Agent: The Vulnerability and Misconfiguration Specialist. It focuses on what the code pulls in rather than the code itself, checking dependency manifests and lockfiles for known CVEs and infrastructure files such as Dockerfiles for configuration weaknesses across the repository.
  3. Dynamic AI Review Agent: The Contextual Reasoning Engine. Powered by a local LLM (Ollama), this agent reasons about code logic, best practices, and security gaps that rule-based tools often miss. Because its output is model-generated rather than rule-derived, its findings are non-deterministic and are best treated as review prompts to verify, not as confirmed matches.

The LangGraph orchestrator ensures that the findings from these diverse agents are unified into a single, standardized JSON output, providing a holistic view of the codebase’s health.
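To make the orchestration concrete, here is an added example of the same pattern in plain Python. It is not Codetective's code: a sequential runner stands in for the LangGraph graph so the example runs offline, the Semgrep and Trivy field names follow the JSON output formats of those tools as I know them, `canned_llm` stands in for Ollama, and every input is a constructed placeholder (the rule id, the vulnerability id and the model reply are made up). The point it adds beyond the text is the handling at the boundaries: each scanner's native record is mapped onto one schema, and the model's reply is treated as untrusted text that is parsed, validated item by item, and partially discarded when malformed.

```python
import json
import re
from typing import Any, Callable

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO")
SEMGREP_SEVERITY = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW"}   # assumed mapping onto one scale


def unified(tool: str, rule_id: str, path: str, line: int, severity: str, message: str) -> dict[str, Any]:
    """One record shape for every agent; an unknown severity is clamped to INFO rather than trusted."""
    sev = severity.upper()
    return {"tool": tool, "rule_id": rule_id, "path": path, "line": line,
            "severity": sev if sev in SEVERITIES else "INFO", "message": message}


def semgrep_node(state: dict[str, Any]) -> dict[str, Any]:
    """Map Semgrep's `results[]` (check_id, path, start.line, extra.severity/message) onto the schema."""
    for r in json.loads(state["semgrep_json"]).get("results", []):
        state["findings"].append(unified("semgrep", r["check_id"], r["path"], r["start"]["line"],
                                         SEMGREP_SEVERITY.get(r["extra"]["severity"], "INFO"),
                                         r["extra"]["message"]))
    return state


def trivy_node(state: dict[str, Any]) -> dict[str, Any]:
    """Map Trivy's `Results[].Vulnerabilities` and `Results[].Misconfigurations` onto the schema."""
    for res in json.loads(state["trivy_json"]).get("Results", []):
        for v in res.get("Vulnerabilities") or []:
            fix = f" (fixed in {v['FixedVersion']})" if v.get("FixedVersion") else ""
            state["findings"].append(unified("trivy", v["VulnerabilityID"], res["Target"], 0, v["Severity"],
                                             f"{v['PkgName']} {v['InstalledVersion']}: {v.get('Title', '')}{fix}"))
        for m in res.get("Misconfigurations") or []:
            state["findings"].append(unified("trivy", m["ID"], res["Target"],
                                             m.get("CauseMetadata", {}).get("StartLine", 0),
                                             m["Severity"], m["Title"]))
    return state


JSON_ARRAY = re.compile(r"\[.*\]", re.DOTALL)


def ai_review_node(state: dict[str, Any], llm: Callable[[str], str]) -> dict[str, Any]:
    """The model's reply is untrusted text: pull out the JSON array, validate each item, drop the rest."""
    prompt = ("Review this code for security and logic issues. Answer ONLY with a JSON array of "
              "objects with keys line (int), severity, category, message.\n\n" + state["source"])
    match = JSON_ARRAY.search(llm(prompt))
    if not match:
        return state                                    # no parsable answer: report nothing, guess nothing
    try:
        items = json.loads(match.group(0))
    except json.JSONDecodeError:
        return state
    for item in items if isinstance(items, list) else []:
        if not isinstance(item, dict):
            continue
        try:
            line, message = int(item["line"]), str(item["message"])[:500]
        except (KeyError, TypeError, ValueError):
            continue                                    # malformed item: skip it, keep the others
        category = re.sub(r"[^a-z0-9_-]", "", str(item.get("category", "general")).lower()) or "general"
        state["findings"].append(unified("ai_review", "ai-review/" + category, state["path"], line,
                                         str(item.get("severity", "INFO")), message))
    return state


def run_graph(state: dict[str, Any], nodes: list) -> dict[str, Any]:
    """Sequential stand-in for the LangGraph workflow: every node reads and returns the shared state."""
    for name, node in nodes:
        state = node(state)
        state["trace"].append(name)
    return state


def scan(path: str, source: str, semgrep_json: str, trivy_json: str, llm: Callable[[str], str]) -> dict[str, Any]:
    state = {"path": path, "source": source, "semgrep_json": semgrep_json, "trivy_json": trivy_json,
             "findings": [], "trace": []}
    state = run_graph(state, [("semgrep", semgrep_node), ("trivy", trivy_node),
                              ("ai_review", lambda s: ai_review_node(s, llm))])
    rank = {s: i for i, s in enumerate(SEVERITIES)}
    state["findings"].sort(key=lambda f: (rank[f["severity"]], f["path"], f["line"]))
    return state


# Constructed sample inputs, not real scanner output: placeholder rule/vulnerability ids and a chatty
# model reply that wraps its JSON in prose and includes two malformed entries.
SAMPLE_SOURCE = "import subprocess\n\ndef run(cmd):\n    return subprocess.call(cmd, shell=True)\n"
SAMPLE_SEMGREP = json.dumps({"results": [{"check_id": "example.subprocess-shell-true", "path": "app.py",
    "start": {"line": 4}, "extra": {"severity": "ERROR", "message": "shell=True with a caller-supplied string"}}]})
SAMPLE_TRIVY = json.dumps({"Results": [
    {"Target": "requirements.txt", "Vulnerabilities": [{"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplepkg",
        "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL", "Title": "placeholder advisory"}]},
    {"Target": "Dockerfile", "Misconfigurations": [{"ID": "EXAMPLE-001", "Title": "container runs as root",
        "Severity": "LOW", "CauseMetadata": {"StartLine": 1}}]}]})


def canned_llm(prompt: str) -> str:
    """Stands in for Ollama so the example runs offline."""
    return ('Sure, here is what I found:\n[{"line": 3, "severity": "medium", "category": "Input Validation", '
            '"message": "cmd is never validated"}, {"line": "four", "message": "no int"}, "junk"]\nHope that helps!')


if __name__ == "__main__":
    print(json.dumps(scan("app.py", SAMPLE_SOURCE, SAMPLE_SEMGREP, SAMPLE_TRIVY, canned_llm)["findings"], indent=2))
```

Running it prints four findings ordered by severity: the Trivy CVE placeholder, the Semgrep hit, the one valid model item, and the Dockerfile misconfiguration; the two malformed model items are dropped rather than letting a bad `line` or a non-object entry into the report. A real LangGraph build replaces `run_graph` with a `StateGraph` and the nodes' signatures stay the same, which is why keeping the normalisation inside each node pays off.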

Moving from Detection to Remediation

What truly elevates Codetective beyond a standard scanner is its ability to not just detect problems, but to offer actionable, automated remediation. This is handled by two specialized Output Agents:

  • Edit Agent: Generates and applies minimal, targeted code fixes automatically, directly resolving the issue in the codebase. Because the fixes are model-generated, the resulting diff still deserves a human look before it is committed; the Web GUI's selective fix application exists for exactly that.
  • Comment Agent: For less intrusive feedback, it generates concise explanatory TODO comments directly adjacent to the problematic line, ideal for use during an active code review.

This capability transforms code scanning from a static reporting process into a dynamic remediation workflow.
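The two output agents share one mechanical problem that the description above glosses over: writing into a file at scanner-reported line numbers without corrupting it. The following is an added example, not Codetective's own implementation; the `Finding` and `Fix` shapes and the `TODO [rule_id]: ...` comment format are assumptions made for the example, and the sample file and findings are constructed. It shows three checks a practitioner would want: edits run bottom-up so that inserting a comment does not shift the line numbers of the findings still to be applied, a fix is refused when the line it was generated against has changed in the meantime, and a comment message is flattened onto one line so that model-written text containing newlines can never become executable code.

```python
import os
from dataclasses import dataclass

# Comment syntax per file extension; anything unknown falls back to '#'. Assumed mapping for this example.
COMMENT_PREFIX = {".py": "#", ".sh": "#", ".rb": "#", ".yml": "#", ".yaml": "#",
                  ".js": "//", ".ts": "//", ".go": "//", ".java": "//", ".c": "//", ".rs": "//"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int        # 1-based line the scanner flagged
    rule_id: str
    message: str     # free text, possibly produced by an LLM: treat as untrusted


@dataclass(frozen=True)
class Fix:
    finding: Finding
    expected: str               # exact text of the flagged line the fix was generated against
    replacement: list[str]      # lines that replace that single line (may be empty)


def _prefix(path: str) -> str:
    return COMMENT_PREFIX.get(os.path.splitext(path)[1].lower(), "#")


def add_todo_comments(source: str, findings: list[Finding]) -> str:
    """Insert one TODO comment directly above each flagged line.

    Edits run bottom-up so earlier line numbers stay valid, the comment copies the
    flagged line's indentation, and the message is collapsed onto one line so a
    note containing newlines cannot smuggle a line of code into the file.
    """
    lines = source.splitlines()
    for f in sorted(findings, key=lambda f: f.line, reverse=True):
        if not 1 <= f.line <= len(lines):
            continue                       # stale finding: the file is shorter than expected
        idx = f.line - 1
        indent = lines[idx][: len(lines[idx]) - len(lines[idx].lstrip())]
        note = " ".join(f.message.split())
        lines.insert(idx, f"{indent}{_prefix(f.path)} TODO [{f.rule_id}]: {note}")
    return "\n".join(lines) + "\n"


def apply_fixes(source: str, fixes: list[Fix]) -> tuple[str, list[str]]:
    """Apply single-line replacements, refusing any whose target line no longer matches.

    Returns the new source plus a list of fixes skipped because the code drifted
    between scanning and fixing; applying those would land on the wrong code.
    """
    lines = source.splitlines()
    skipped: list[str] = []
    for fix in sorted(fixes, key=lambda x: x.finding.line, reverse=True):
        idx = fix.finding.line - 1
        if not 0 <= idx < len(lines) or lines[idx] != fix.expected:
            skipped.append(f"{fix.finding.rule_id} at line {fix.finding.line}: target changed, not applied")
            continue
        lines[idx:idx + 1] = fix.replacement
    return "\n".join(lines) + "\n", skipped


# Constructed sample, not from a real scan: two findings (one message carries an embedded newline)
# and two proposed fixes, the second of which expects text that is not in the file.
SAMPLE = "import subprocess\nimport os\n\ndef run(cmd):\n    return subprocess.call(cmd, shell=True)\n"
FINDINGS = [
    Finding("app.py", 5, "example.shell-true", "shell=True hands cmd to a shell;\nos.system('id')"),
    Finding("app.py", 2, "example.unused-import", "os is imported but never used"),
]
FIXES = [
    Fix(FINDINGS[0], "    return subprocess.call(cmd, shell=True)",
        ["    import shlex", "    return subprocess.call(shlex.split(cmd))"]),
    Fix(FINDINGS[1], "import sys", []),      # stale expectation: must be skipped, not applied
]

if __name__ == "__main__":
    print(add_todo_comments(SAMPLE, FINDINGS))
    fixed, skipped = apply_fixes(SAMPLE, FIXES)
    print(fixed, skipped)
```

The comment path yields a seven-line file in which the injected `os.system('id')` survives only as text inside the TODO comment; the fix path replaces the `shell=True` call with the two-line shlex version and reports the stale fix instead of applying it. Note that `shlex.split` only removes the shell from the picture; whether `cmd` itself is trustworthy is a separate question the fix does not answer.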

Usability for the Real World

To ensure Codetective is practical for day-to-day development, both interfaces sit on the same scanning and remediation pipeline: the CLI is built for automation and CI/CD integration, where a scan runs unattended and its standardized JSON output can be picked up by later pipeline steps, and the Web GUI (NiceGUI) is built for interactive code review, where findings are inspected visually and fixes are applied selectively.

Conclusion: Onward to Production

The journey continues as I now shift to Module 3, focusing on productionizing Codetective by implementing comprehensive testing, security guardrails, and operational resilience.

See it in action:

📽️ Demo Video: https://youtu.be/cmb_k1Je8zs

🌟 GitHub Repo: https://github.com/Eng-Elias/codetective
