惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Simon Willison's Weblog
Simon Willison's Weblog
Google DeepMind News
Google DeepMind News
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
P
Proofpoint News Feed
Recent Announcements
Recent Announcements
MongoDB | Blog
MongoDB | Blog
U
Unit 42
云风的 BLOG
云风的 BLOG
Recorded Future
Recorded Future
G
Google Developers Blog
I
InfoQ
Blog — PlanetScale
Blog — PlanetScale
A
About on SuperTechFans
Jina AI
Jina AI
量子位
宝玉的分享
宝玉的分享
The Cloudflare Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
博客园 - 聂微东
Last Week in AI
Last Week in AI
WordPress大学
WordPress大学
美团技术团队
The Hacker News
The Hacker News
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Tailwind CSS Blog
博客园 - 司徒正美
博客园 - 叶小钗
Hugging Face - Blog
Hugging Face - Blog
P
Palo Alto Networks Blog
博客园_首页
阮一峰的网络日志
阮一峰的网络日志
博客园 - 【当耐特】
Spread Privacy
Spread Privacy
The GitHub Blog
The GitHub Blog
Y
Y Combinator Blog
Vercel News
Vercel News
Martin Fowler
Martin Fowler
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Forbes - Security
Forbes - Security
Attack and Defense Labs
Attack and Defense Labs
Google DeepMind News
Google DeepMind News
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Microsoft Azure Blog
Microsoft Azure Blog
P
Privacy International News Feed
G
GRAHAM CLULEY
The Last Watchdog
The Last Watchdog
C
Cyber Attacks, Cyber Crime and Cyber Security
AI
AI
V2EX - 技术
V2EX - 技术

2024 Sonatype Blog

Open Source, Open Infrastructure, and the Space Between Request for Comments: CARE and Maven Central Q2 2026 Open Source Malware Index AI Is Forcing a New Open Source Security Model Vulnerability Prioritization Is Missing the AI-Era Point The Hidden National Security Threat Inside AI-Driven Software Miasma Returns: Leo Platform Compromise in npm The Rise of Collective Defense for Open Source Signal Over Noise: Reachability Analysis Is the Reality Check SCA Has Been Missing Software Security Has to Start at Assembly easy-day-js Targets Mastra, Dependency Attacks Grow Open Publishing, Commercial Scale Software Dependency Cooldowns Are a Symptom, Not a Strategy Atomic Arch npm Campaign Adds Malicious Dependency From SBOMs to AI BOMs: Why SPDX 3.0 Matters Mythos Found 10,000 Vulnerabilities. The Bigger Challenge Is Fixing Them New Shai-Hulud Miasma Wave Hits Hundreds of npm Packages Lazarus Group's Latest: Brandjacking Campaign on npm 5 Steps to Turn Your RMF Backlog Into a Continuous ATO: The CSRMC Migration Playbook The AI Race Is Becoming a Remediation Race Red Hat Cloud Services npm Packages Hijacked Inside a 176-Package npm Campaign Built to Beat Your Internal Dependencies AI Is Making Software Autonomous, and Governance Must Follow Your Outdated Repository Still Works, But It May Not Be Safe Hijacked npm Package Attempts to Deliver PolinRider-Linked RAT AppSec Tools Explained: SAST vs SCA vs DAST | Sonatype Managing Open Source Software Risks With the HeroDevs EOL Dashboard Shai-Hulud is Back: Maintainer Accounts Are Still the Soft Target How to Build a Software Supply Chain Security Playbook The Evolution of Open Source Malware: From Volume to Trust Abuse The Mythos AI Vulnerability Storm: What to Do Next Malicious PyTorch Lightning Packages Found on PyPI Why Developer Experience Is the Foundation of DevSecOps Success Open is Not Costless: Reclaiming Sustainable Infrastructure Q1 Updates in Nexus Repository: More Formats, Stronger Operations, and a Better Day-to-Day Experience Self-Propagating npm Malware Turns Trusted Packages Into Attack Paths The Time Is Now to Prepare for CRA Enforcement Sonatype Innovate: Real Peer Connections, Real Product Influence, Real Recognition Mythos and the AI Vulnerability Storm: Exploring the Control Point When AI Writes Code, Who Governs the Dependencies? Why Software Supply Chain Security Requires a New Playbook Q1 2026 Open Source Malware Index: Adaptive Attacks Exploit Trust Modernizing Nexus Repository: Moving Beyond OrientDB AI, DevSecOps, and the Future of Application Security: The Gartner® Report How Sonatype's Container Scanning Protects You From Zero-Days Axios Compromise on npm Introduces Hidden Malicious Package Is Your Repository Ready for What's Next? Autonomous Development and AI: Speed vs. Security Grounded Intelligence Ensures Safe AI Software Development Compromised litellm PyPI Package Delivers Multi-Stage Credential Stealer Golden Pull Requests: Automating Trusted Remediation Without Breaking Builds Sonatype Discovers Two Malicious npm Packages
Building Trusted AI Development With Kiro and Sonatype Guide
Aaron Linskens · 2026-05-18 · via 2024 Sonatype Blog

AI-powered development tools accelerate the production of software. But they also introduce a familiar challenge: how do you ensure that what's generated is secure, compliant, and trustworthy?

The answer lies in context. AI-generated code is only as reliable as the data and intelligence behind it. Without the right context from AI code security tools, development speed can quickly turn into risk.

Vulnerable dependencies, license issues, and low-quality components can enter the software supply chain faster than ever — and when teams are forced to debug and remediate those issues later, the productivity benefits of AI quickly erode. Our research underscores this growing challenge as organizations scale AI-assisted development.

That's exactly what changes when you combine Kiro, AWS's agentic AI integrated development environment (IDE), with Sonatype Guide. Using the Model Context Protocol (MCP), this integration connects Kiro to real-time open source intelligence, so developers can move fast with AI while grounding every decision in trusted data.

The Challenge: AI Without Context Is Risky

Tools like Kiro are incredibly powerful. They help developers move faster by generating code, automating repetitive tasks, and accelerating everything from prototyping to production.

But like any AI coding assistant, Kiro is only as good as the information it can access.

Without the right context, AI can:

  • Suggest vulnerable or outdated dependencies.

  • Introduce license compliance risks.

  • Recommend components with known security issues.

The result is a growing gap between speed and safety. AI accelerates development, but without embedded intelligence and guardrails, it can just as easily scale risk — leaving teams to catch issues later in the SDLC when they're more costly to fix.

The Solution: Sonatype Guide as a Kiro Power

Sonatype Guide fills this gap by acting as a real-time source of trusted open source intelligence, embedded directly into the development workflow.

Kiro Powers (such as Sonatype Guide) are purpose-built integrations that extend Kiro's capabilities by connecting it to external systems and specialized sources of knowledge. Using MCP, Kiro can securely communicate with tools like Sonatype Guide — bringing authoritative, real-time open source intelligence directly into every AI-driven interaction.

With Guide integrated, Kiro gains access to:

  • Deep vulnerability intelligence.

  • License and compliance insights.

  • Package quality and health signals.

  • Curated recommendations for safer alternatives.

These insights are delivered inline, at the moment decisions are made, not after the fact.

Instead of relying solely on generic training data or static knowledge, Kiro can now query Sonatype's continuously updated understanding of the open source ecosystem in real time via MCP. The result is AI-generated code that isn't just faster to produce, but grounded in real-world security, policy, and quality considerations.

What This Looks Like in Practice

In a typical Kiro workflow, AI may suggest or introduce dependencies as it scaffolds, updates, or enhances an application. With Sonatype Guide connected through MCP, those components can be evaluated in real time before they become hidden risks.

Instead of accepting AI-generated dependency choices at face value, developers can see trusted intelligence directly in their workflow, including:

  • Known vulnerabilities and security risks.

  • License and policy considerations.

  • Package quality, maintenance, and overall health.

  • Safer alternatives when a component introduces risk.

This helps teams move from reactive remediation to proactive decision-making, identifying risk earlier while staying focused in Kiro.

To see how this workflow comes together, watch the demo below.

Why This Matters for Modern Development Teams

The combination of Kiro and Guide is not just about convenience. It's about fundamentally improving how teams build software.

Shift Security Left, Without Slowing Down

By embedding Guide directly into the AI workflow, security decisions happen at the moment code is generated, not later in the pipeline.

Reduce Risk from AI-Generated Code

AI can accelerate development, but it can also amplify risk. With Guide in the loop, every suggestion is backed by:

Keep Developers in Flow

Developers don’t need to switch tools or wait for downstream scans. The insights they need are delivered inline, in real time.

Standardize Best Practices Across Teams

By combining Kiro with Sonatype Guide, organizations can ensure that every developer — regardless of experience level — makes consistent, policy-aligned decisions.

A New Model for AI-Assisted Development

AI is more than a productivity tool. It's a decision-making partner. To be effective, it needs to be grounded in real-world intelligence.

By integrating Kiro and Sonatype Guide through MCP, AI-generated code is informed by continuously updated security, compliance, and quality insights at the moment it's created.

This approach:

  • Augments AI with trusted data sources.

  • Applies governance at the point of creation.

  • Aligns development speed with security and compliance.

The result is a development workflow where teams don't have to choose between moving fast and building securely. They can do both by default. See this in action by watching our full demo.

Tags

Open Source aws artificial intelligence Model Context Protocol AI sonatype intelligence Sonatype Guide