Google launched CodeMender — an AI agent for automatically finding vulnerabilities

Source: 3DNews AI. Collage: Hamidun News.

Google has expanded access to CodeMender, an AI agent designed for automated vulnerability detection and remediation in code. The company announced this at the Google I/O conference, strengthening its position in the AI security space.

What is CodeMender?

CodeMender is an AI agent based on the Gemini model, developed specifically to protect source code. The tool analyzes code for potential vulnerabilities and, beyond finding them, offers ready-made patches with explanations. This significantly reduces the burden on security teams and enables developers to address security issues directly during the coding process, before the code reaches production.

CodeMender understands the project context: it recognizes dependencies, function call chains, and the libraries being used. This makes its recommendations more accurate than those of simple static analyzers.

How It Works

The agent integrates with the IDEs and CI/CD systems developers already use, through plugins and APIs. When a developer uploads, modifies, or reviews code, CodeMender scans it:

  • Detects classic vulnerabilities — SQL injection, XSS, buffer overflow, insecure deserialization
  • Analyzes program logic and call chains for security issues
  • Offers specific patches with explanations of the risk and how to fix it
  • Integrates with GitHub, GitLab, Gitea, and other version control platforms
  • Works at both the individual file level and across the entire project
  • Learns from vulnerability patterns and improves over time

Previously, such checks required either manual audits (expensive, slow) or costly security tools (difficult to integrate). CodeMender makes a basic level of protection accessible to every developer.

Response to Competitors

Google is entering an intense race with OpenAI and Anthropic. OpenAI is developing Operator and other agents for code and browser interaction. Anthropic is working on its own developer tools. All three companies understand one thing: cybersecurity is not just a feature in AI tools, it is a separate business direction for the future.

Google leverages its advantages: massive Google Cloud infrastructure and integration into an ecosystem of Android, Chrome, Gmail, and other services where security is critical. If CodeMender becomes an industry standard, Google will gain enormous amounts of data about real-world vulnerability types and will be able to further improve the Gemini model.

What This Means

Security is transitioning from reactive (catching bugs in production) to proactive (preventing them during development). For developers, this means fewer sleepless nights due to incidents. For companies, it means reduced costs for security personnel and audits. For Google, it means strengthening its position in the cloud ecosystem and gaining another lever of influence over millions of developers.

Hamidun News
AI news without noise. Daily editorial selection from 400+ sources. A product by Zhemal Khamidun, Head of AI at Alpina Digital.