Building a Multi-agent App for Dependency Security Automation with LangGraph and Node.js

In modern software development, managing dependencies is crucial to ensure security, maintainability, and compliance. Outdated or vulnerable dependencies pose serious risks such as security breaches, system downtime, or compliance issues. Automating dependency management not only streamlines the process but also minimizes human error, strengthening your software’s security lifecycle.

This guide walks you through building a scalable Multi-agent system to automate dependency security checks using LangGraph and Node.js. By the end, you’ll have a functioning system and insights on how to tailor it for your unique requirements.

What Are Multi-agent Systems?

Multi-agent systems involve multiple specialized agents working together to achieve a common goal. Each agent performs a distinct role, such as data collection, analysis, decision-making, or reporting. Using LangGraph simplifies the development of these workflows by defining tasks as nodes and managing communication between them.

Key benefits include:

• Scalability: Add, modify, or replace agents with minimal effort.
• Flexibility: Conditional logic ensures only necessary steps are executed.
• Maintainability: Focused responsibilities make debugging and updates easier.

Why Use LangGraph?

LangGraph is a powerful library designed for orchestrating Multi-agent workflows. It connects independent tasks (agents) in a structured sequence, facilitating seamless collaboration.

Core features include:

• Node Definitions: Each agent is defined as a node in the workflow.
• Edge Management: Connections between nodes control the sequence and logic.
• State Handling: Data is efficiently passed between nodes with a predictable structure.

LangGraph abstracts complex coordination logic, enabling developers to concentrate on implementing agent logic rather than workflow mechanics.

Creating a Multi-agent Dependency Scanner with LangGraph

The following structure outlines the workflow we’ll build:

• Dependency Scanner: Reads the package.json file to identify dependencies and their versions. If no dependencies are found, the workflow ends here.
• Vulnerability Analyzer: Uses Gemini (gemini-1.5-flash) to assess identified dependencies for known vulnerabilities.
• Secure Alternatives Generator: Suggests secure, updated alternatives using OpenAI GPT-4o-mini.
• Report Generator: Compiles the findings into a clear, actionable report.

Step 1: Project Setup

Start by installing Node.js if it’s not already installed. Then initialize the project with the following commands:

mkdir dependency-scanner-agent
cd dependency-scanner-agent
npm init -y
npm install @langchain/langgraph @langchain/core @langchain/google-genai @langchain/openai dotenv
npm install -D typescript ts-node @types/node
npx tsc --init

Modify your tsconfig.json file to include:

{
  "compilerOptions": {
    "target": "ES2020",
    "module": "CommonJS",
    "strict": true,
    "esModuleInterop": true,
    "outDir": "./dist",
    "rootDir": "./src"
  },
  "include": ["src"],
  "exclude": ["node_modules"]
}

Your project structure should look like this:

dependency-scanner-agent/
├── src/
│   ├── index.ts
│   ├── agent.ts
│   └── nodes/
│       ├── dependencyScanner.ts
│       ├── vulnerabilityAnalyzer.ts
│       ├── secureAlternatives.ts
│       ├── reportGenerator.ts
├── README.md
├── package.json
├── tsconfig.json

Step 2: Configure API Credentials

Create a .env file in your project’s root directory and add your API keys:

OPENAI_API_KEY=your_openai_api_key
GEMINI_API_KEY=your_gemini_api_key

Step 3: Implementing the Agents

1. Agent State and Routing Create agent.ts to define the state structure and routing logic.
2. Dependency Scanner Create dependencyScanner.ts to read the package.json file and extract dependencies.
3. Vulnerability Analyzer Create vulnerabilityAnalyzer.ts to assess dependency vulnerabilities using Gemini.
4. Secure Alternatives Generator Create secureAlternatives.ts to suggest updated dependencies using GPT-4o-mini.
5. Report Generator Create reportGenerator.ts to compile all results into a readable report.

Step 4: Workflow Definition

Define the complete workflow in index.ts, combining all agents using LangGraph’s StateGraph:

import { StateGraph, START, END } from "@langchain/langgraph";
...
const builder = new StateGraph(DependencyRiskAnnotation)
  .addNode('dependencyScanner', dependencyScanner)
  .addNode('vulnerabilityAnalyzer', vulnerabilityAnalyzer)
  .addNode('secureAlternatives', secureAlternatives)
  .addNode('reportGenerator', reportGenerator)
  .addEdge(START, 'dependencyScanner')
  .addConditionalEdges('dependencyScanner', routingFunction, [END, 'vulnerabilityAnalyzer'])
  .addEdge('vulnerabilityAnalyzer', 'secureAlternatives')
  .addEdge('secureAlternatives', 'reportGenerator')
  .addEdge('reportGenerator', END);

const securityGraph = builder.compile();
await securityGraph.invoke({ filePath: './package-example.json' });

Step 5: Running the Application

Add the following entry to your scripts section in package.json:

"scripts": {
  "start": "ts-node src/index.ts"
}

Run the application using:

npm run start

The generated report will be saved as dependency_security_report.md.

Final Thoughts

This guide demonstrates how LangGraph.js simplifies the automation of complex workflows by combining powerful tools like OpenAI and Gemini. By leveraging LangGraph’s modular structure, developers can efficiently build scalable, adaptable systems that enhance software security.

Future Improvements

Consider enhancing your project with:

• Support for Python and Ruby Dependencies: Extend the tool to handle requirements.txt and Gemfile dependencies.
• CI/CD Integration: Automate the agent to run during the build process for ongoing security.
• Notifications: Send alerts via Slack or email for critical vulnerabilities.