What CodeMender is and why it matters
At I/O 2026 DeepMind shared a substantial update on CodeMender, an autonomous agent built on Gemini Deep Think models that identifies vulnerabilities in code and — the non-trivial part — fixes them by rewriting the affected portions.
The difference from traditional scanners lies exactly there: it doesn't stop at the alert. A concrete example cited by DeepMind is the application of -fbounds-safety annotations to parts of the libwebp image compression library, a change that closes entire classes of out-of-bounds buffer access errors.
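What such an annotation looks like in practice, as an added illustration that is not libwebp's code or DeepMind's patch: Clang's -fbounds-safety extension lets a `__counted_by(len)` annotation bind a pointer to the length field that describes its valid extent, so the compiler can check every access against it. The fallback macro, the pixel_buf struct and the copy_row routine are assumptions made for this example.

```c
/* Illustration of a -fbounds-safety annotation (Clang extension).
 * Built with clang -fbounds-safety, the compiler inserts bounds checks
 * derived from the __counted_by annotation; on other compilers the
 * annotation expands to nothing and the explicit check in copy_row()
 * is what keeps the write inside the buffer. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#ifndef __has_feature
#define __has_feature(x) 0
#endif
#if !__has_feature(bounds_safety)
/* Assumed fallback: no-op so the code compiles without the extension. */
#define __counted_by(n)
#endif

/* A decoded-image buffer: the annotation ties data's valid extent to len. */
struct pixel_buf {
    uint8_t *__counted_by(len) data;
    size_t len;
};

/* Copy `width` bytes into row `y`, rows being `stride` bytes apart.
 * Returns 0 on success, -1 if the write would leave the buffer. */
int copy_row(struct pixel_buf *dst, size_t y, size_t stride,
             const uint8_t *src, size_t width) {
    if (stride == 0 || width > stride)
        return -1;
    if (y > (SIZE_MAX - width) / stride)   /* y * stride + width would wrap */
        return -1;
    size_t end = y * stride + width;
    if (end > dst->len)                    /* the check the annotation automates */
        return -1;
    memcpy(dst->data + y * stride, src, width);
    return 0;
}

/* Constructed input: an 8-byte buffer holding two 4-byte rows. */
int demo(void) {
    uint8_t storage[8] = {0};
    struct pixel_buf buf = { storage, sizeof storage };
    const uint8_t row[4] = {1, 2, 3, 4};
    int ok  = copy_row(&buf, 1, 4, row, 4);  /* row 1 is bytes 4..7: fits */
    int bad = copy_row(&buf, 2, 4, row, 4);  /* row 2 would be bytes 8..11 */
    return ok == 0 && bad == -1 && storage[4] == 1 && storage[7] == 4;
}
```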
Reactive and proactive
CodeMender works on two fronts. In reactive mode, as soon as a vulnerability is reported, the agent proposes the patch. In proactive mode, it scans existing codebases to rewrite them using safer data structures and APIs, removing whole categories of bugs before they can be exploited.
The numbers
In the six months of development before the announcement, CodeMender had already upstreamed 72 security fixes to open source projects, some of them with codebases of up to 4.5 million lines of code: numbers that, according to The New Stack, mark a shift in Google's positioning on agentic security, from alert triage alone to direct remediation.
Why it matters
The promise is to shrink the gap between discovery and mitigation toward zero, and — more importantly — to close entire classes of vulnerabilities rather than patch individual holes. It's the natural complement to the SOC agents shown at Cloud Next, which triage tens of thousands of alerts per month: there you filter, here you fix. For maintainers of open source libraries with legacy codebases and little audit budget, this is the most concrete news of the conference.