en.Wedoany.com Reported - Google announced at the Google I/O 2026 developer conference on May 19 that it is officially opening its in-house code security AI agent, CodeMender, to select invited security experts and partners in the form of an API. This marks a crucial step for the security tool's transition from internal use to an external ecosystem. At the conference, Google DeepMind CTO Koray Kavukcuoglu positioned CodeMender as an AI agent that can "help protect the world's codebases," capable of both discovering vulnerabilities and providing remediation solutions.
CodeMender is built on Google's Gemini Deep Think reasoning model. It does not simply scan for vulnerabilities and issue alerts; instead, it forms an automated closed loop encompassing detection, remediation, and verification. The system utilizes a variety of program analysis tools, including static analysis, dynamic analysis, fuzz testing, and SMT solvers, to scan codebases, identify potential security flaws, generate precise patch proposals, and then automatically verify whether these modifications truly fix the issue, adhere to code style guidelines, and avoid introducing new regression errors. Only after completing multi-dimensional verification are patches submitted to human developers for review.
Since its inception, CodeMender has submitted 72 security fix patches upstream to open-source projects, some involving codebases as large as 4.5 million lines. Taking the libwebp image compression library as an example, CodeMender hardened critical parts of the code by adding compiler boundary check flags. DeepMind engineers noted in a technical blog post that if this compiler flag had existed before the discovery of the libwebp zero-day vulnerability CVE-2023-4863 in 2023, attackers would not have been able to exploit it for intrusion. This case demonstrates that CodeMender is not only fixing known vulnerabilities but also proactively rewriting code to eliminate entire classes of vulnerabilities.
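The libwebp example above hinges on one idea: a bounds check that the compiler inserts everywhere turns an out-of-bounds memory access into a controlled failure, which removes an entire class of decoder bugs rather than one instance. The following C snippet, added here as an illustration and not code from Google, DeepMind or the libwebp project, shows the same check written by hand in a small parser for a constructed, hypothetical chunk format (a 4-byte little-endian length followed by the payload). The flag the article refers to is not named on the page; my assumption is that it is a bounds-safety mode such as Clang's -fbounds-safety, which inserts checks equivalent to the explicit ones below.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical chunk format, constructed for this example only:
   4-byte little-endian payload length, then the payload bytes. */
typedef struct {
    const uint8_t *payload;
    size_t len;
} chunk_t;

/* Parse one chunk from buf[0..buf_len). Returns 1 on success, 0 when the
   header is truncated or the declared payload would run past the buffer.
   A hostile length field is the classic trigger for an out-of-bounds read. */
int parse_chunk(const uint8_t *buf, size_t buf_len, chunk_t *out) {
    if (buf_len < 4) return 0;
    uint32_t declared = (uint32_t)buf[0]
                      | ((uint32_t)buf[1] << 8)
                      | ((uint32_t)buf[2] << 16)
                      | ((uint32_t)buf[3] << 24);
    /* This is the check a bounds-safety build inserts automatically;
       written explicitly here so the invariant is visible. */
    if (declared > buf_len - 4) return 0;
    out->payload = buf + 4;
    out->len = declared;
    return 1;
}

/* Copy the payload into a fixed-size destination without overflowing it. */
int copy_payload(const chunk_t *c, uint8_t *dst, size_t dst_cap, size_t *copied) {
    if (c->len > dst_cap) return 0;
    memcpy(dst, c->payload, c->len);
    *copied = c->len;
    return 1;
}

/* Constructed inputs: a well-formed chunk, and one whose header claims a
   payload of ~2 GiB while only 3 bytes follow. */
static const uint8_t GOOD[] = {3, 0, 0, 0, 'a', 'b', 'c'};
static const uint8_t BAD[]  = {0xff, 0xff, 0xff, 0x7f, 'a', 'b', 'c'};

/* Well-formed input parses and reports the right length. */
int demo_good(void) {
    chunk_t c;
    return parse_chunk(GOOD, sizeof GOOD, &c) && c.len == 3;
}

/* Lying header is rejected instead of being trusted. */
int demo_bad(void) {
    chunk_t c;
    return parse_chunk(BAD, sizeof BAD, &c) == 0;
}

/* Destination too small for the payload is rejected; a large one succeeds. */
int demo_copy(void) {
    chunk_t c;
    uint8_t small[2], big[8];
    size_t n = 0;
    if (!parse_chunk(GOOD, sizeof GOOD, &c)) return 0;
    if (copy_payload(&c, small, sizeof small, &n) != 0) return 0;
    if (copy_payload(&c, big, sizeof big, &n) != 1) return 0;
    return n == 3 && memcmp(big, "abc", 3) == 0;
}
```

The point for reviewers of a CodeMender-style patch is that the fix is a property of the whole codebase, not of one call site: every load through a bounds-annotated pointer gets the `declared > buf_len - 4` style check, so a length field a fuzzer never happened to produce still cannot read past the buffer.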
The industry context for CodeMender's API release is noteworthy. In April this year, Anthropic's Claude Mythos Preview demonstrated powerful vulnerability discovery capabilities in the AI security field. In authorized testing collaborations, the Mozilla Firefox security team used Mythos to fix 423 security vulnerabilities in one month, a 13-fold increase year-over-year. Of these, 271 were directly discovered by Mythos, and 180 were rated as high severity. Mythos also unearthed long-dormant vulnerabilities that had existed for 15 to 20 years and repeatedly discovered high-risk vulnerabilities at the sandbox escape level.
Google CEO Sundar Pichai publicly commented on Mythos during a press conference this Monday: "Mythos' achievement—and credit to them for this—is proving that the largest-scale models do have value in these kinds of security use cases." In an interview, Kavukcuoglu further confirmed that Google is already in discussions with multiple governments and enterprises about using the CodeMender audit system.
Google is advancing CodeMender through an open API approach. Several Gemini Enterprise customers are currently testing CodeMender, though Google has yet to announce a formal timeline for full public availability. Meanwhile, OpenAI has also launched its own security AI product, making for a diverse vendor landscape in AI code security.
This article is compiled by Wedoany. All AI citations must indicate the source as "Wedoany". If there is any infringement or other issues, please notify us promptly, and we will modify or delete it accordingly. Email: news@wedoany.com