This website uses cookies to ensure you get the best experience.

Knightec Group and our selected partners use cookies and similar technologies (together “cookies”) that are necessary to present this website, and to ensure you get the best experience of it. If you consent to it, we will also use cookies for analytics purposes.

See our Cookie Policy to read more about the cookies we set.

You can withdraw and manage your consent at any time, by clicking “Manage cookies” at the bottom of each website page.

Select which cookies you accept

On this site, we always set cookies that are strictly necessary, meaning they are necessary for the site to function properly.

If you consent to it, we will also set other types of cookies. You can provide or withdraw your consent to the different types of cookies using the toggles below. You can change or withdraw your consent at any time, by clicking the link “Manage Cookies”, that is always available at the bottom of the site.

To learn more about what the different types of cookies do, how your data is used when they are set etc, see our Cookie Policy.

These cookies are necessary to make the site work properly, and are always set when you visit the site.

Vendors Teamtailor

These cookies collect information to help us understand how the site is being used.

Vendors Teamtailor
Knightec Group career site
Thesis · Sundsvall

THESIS: Context-Aware AI for Dependency Risk Management in CI/CD

Join us for your thesis work! Gain hands-on experience, work on real projects, and develop your skills in a supportive and innovative environment!

Abstract

Managing third-party dependencies is critical for software security, yet existing tools such as Dependabot treat all version updates and reported vulnerabilities as equally urgent. This lack of prioritization leads to alert fatigue and wasted developer effort. This thesis explores how AI can make dependency risk management more contextual and actionable in CI/CD environments. Specifically, it investigates methods for predicting which vulnerabilities are relevant to a given codebase, detecting emerging risks earlier than official CVE publication, and modeling attack paths within dependency graphs. A proof-of-concept system will be developed and evaluated against existing tools, with a focus on integrating AI-driven risk scoring into developer workflows in ways that support security without impeding delivery speed.

High level description

Modern tools such as Dependabot help maintain up-to-date dependencies, but they lack contextual awareness: all version updates and CVEs are flagged as equally critical, regardless of whether they truly affect a project. This creates alert fatigue and inefficient use of developer time. AI has the potential to make dependency management proactive and context-aware by ranking vulnerabilities based on real impact, surfacing early warning signals before official disclosure, and integrating seamlessly into developer workflows.

Who are we looking for?

Bachelor’s/Master’s student in Computer Science or Computer Engineering with an interest in AI, software security, and DevOps.

Project description

This thesis will investigate how AI can enhance dependency risk management in CI/CD environments. The aim is to move beyond existing tools by:

  • Predicting which vulnerabilities are relevant to a specific codebase
  • Detecting emerging risks earlier than official disclosure (e.g., CVEs)
  • Modeling how vulnerabilities propagate through dependency graphs
  • Presenting results in ways that developers are more likely to act upon

A proof-of-concept system should be implemented and evaluated against current tools such as Dependabot.

Objectives

The thesis will address the following objectives:

  • Relevance prediction – Develop AI models that can estimate which vulnerabilities meaningfully affect a specific codebase.
  • Early risk detection – Explore anomaly detection and NLP methods (e.g., on maintainer activity, commit history, release notes) to identify risks prior to official CVE disclosure.
  • Attack-path modeling – Evaluate graph-based techniques, such as graph neural networks and dependency embeddings, for representing and analyzing vulnerability propagation through dependency trees.
  • Workflow integration – Design mechanisms for embedding AI-driven risk scores into CI/CD pipelines in a way that balances security with delivery velocity.
  • Prioritization learning – Investigate whether AI can learn from developer behavior to prioritize issues teams are realistically willing to address.
  • Actionability of results – Assess presentation strategies (dashboards, PR annotations, Slack summaries) that increase the likelihood of developer response to identified risks.

Scope and Limitations

In this thesis, investigate these questions:

Scope

  • Investigating AI methods for predicting vulnerability relevance, early detection of risks, and modeling dependency attack paths.
  • Implementing a proof-of-concept prototype that integrates into CI/CD workflows.
  • Comparing the prototype primarily against existing tools such as Dependabot.
  • Evaluating results on selected open-source projects or representative test environments.

Limitations

  • The study does not aim to create a production-ready system, but rather to demonstrate feasibility.
  • Results may be constrained by the availability and quality of vulnerability data (e.g., CVE/NVD listings, commit histories).
  • The evaluation will be limited in scale and may not generalize to all languages, ecosystems, or organizational practices.
  • Adversarial attacks against the AI models themselves (e.g., model poisoning) are outside the primary scope.
  • Broader supply chain risks such as compromised build infrastructure or malicious maintainers are acknowledged but not addressed directly.

References:

Business unit
Thesis
Role
Bachelor thesis
Locations
Sundsvall
Picture of Johanna Edström
Contact Johanna Edström Team Manager – Thesis
Thesis · Sundsvall

THESIS: Context-Aware AI for Dependency Risk Management in CI/CD

Join us for your thesis work! Gain hands-on experience, work on real projects, and develop your skills in a supportive and innovative environment!

Loading application form

Already working at Knightec Group?

Let’s recruit together and find your next colleague.