惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
www.infosecurity-magazine.com
www.infosecurity-magazine.com
博客园 - 聂微东
博客园 - 【当耐特】
Last Week in AI
Last Week in AI
量子位
S
SegmentFault 最新的问题
Hugging Face - Blog
Hugging Face - Blog
B
Blog RSS Feed
V
V2EX
酷 壳 – CoolShell
酷 壳 – CoolShell
雷峰网
雷峰网
GbyAI
GbyAI
Jina AI
Jina AI
宝玉的分享
宝玉的分享
腾讯CDC
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
D
Docker
博客园_首页
N
News and Events Feed by Topic
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Help Net Security
Help Net Security
Recent Commits to openclaw:main
Recent Commits to openclaw:main
C
Cisco Blogs
F
Fortinet All Blogs
SecWiki News
SecWiki News
AI
AI
S
Schneier on Security
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
The Last Watchdog
The Last Watchdog
Martin Fowler
Martin Fowler
A
About on SuperTechFans
T
Troy Hunt's Blog
P
Proofpoint News Feed
Blog — PlanetScale
Blog — PlanetScale
Hacker News: Ask HN
Hacker News: Ask HN
F
Full Disclosure
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
I
InfoQ
S
Security @ Cisco Blogs
Project Zero
Project Zero
Simon Willison's Weblog
Simon Willison's Weblog
C
Cyber Attacks, Cyber Crime and Cyber Security
J
Java Code Geeks
N
News | PayPal Newsroom
IT之家
IT之家
大猫的无限游戏
大猫的无限游戏
H
Hacker News: Front Page

2024 Sonatype Blog

Open Source, Open Infrastructure, and the Space Between Request for Comments: CARE and Maven Central Q2 2026 Open Source Malware Index AI Is Forcing a New Open Source Security Model Vulnerability Prioritization Is Missing the AI-Era Point The Hidden National Security Threat Inside AI-Driven Software Miasma Returns: Leo Platform Compromise in npm The Rise of Collective Defense for Open Source Signal Over Noise: Reachability Analysis Is the Reality Check SCA Has Been Missing easy-day-js Targets Mastra, Dependency Attacks Grow Open Publishing, Commercial Scale Software Dependency Cooldowns Are a Symptom, Not a Strategy Atomic Arch npm Campaign Adds Malicious Dependency From SBOMs to AI BOMs: Why SPDX 3.0 Matters Mythos Found 10,000 Vulnerabilities. The Bigger Challenge Is Fixing Them New Shai-Hulud Miasma Wave Hits Hundreds of npm Packages Lazarus Group's Latest: Brandjacking Campaign on npm 5 Steps to Turn Your RMF Backlog Into a Continuous ATO: The CSRMC Migration Playbook The AI Race Is Becoming a Remediation Race Red Hat Cloud Services npm Packages Hijacked Inside a 176-Package npm Campaign Built to Beat Your Internal Dependencies AI Is Making Software Autonomous, and Governance Must Follow Your Outdated Repository Still Works, But It May Not Be Safe Hijacked npm Package Attempts to Deliver PolinRider-Linked RAT AppSec Tools Explained: SAST vs SCA vs DAST | Sonatype Managing Open Source Software Risks With the HeroDevs EOL Dashboard Shai-Hulud is Back: Maintainer Accounts Are Still the Soft Target Building Trusted AI Development With Kiro and Sonatype Guide How to Build a Software Supply Chain Security Playbook The Evolution of Open Source Malware: From Volume to Trust Abuse The Mythos AI Vulnerability Storm: What to Do Next Malicious PyTorch Lightning Packages Found on PyPI Why Developer Experience Is the Foundation of DevSecOps Success Open is Not Costless: Reclaiming Sustainable Infrastructure Q1 Updates in Nexus Repository: More Formats, Stronger Operations, and a Better Day-to-Day Experience Self-Propagating npm Malware Turns Trusted Packages Into Attack Paths The Time Is Now to Prepare for CRA Enforcement Sonatype Innovate: Real Peer Connections, Real Product Influence, Real Recognition Mythos and the AI Vulnerability Storm: Exploring the Control Point When AI Writes Code, Who Governs the Dependencies? Why Software Supply Chain Security Requires a New Playbook Q1 2026 Open Source Malware Index: Adaptive Attacks Exploit Trust Modernizing Nexus Repository: Moving Beyond OrientDB AI, DevSecOps, and the Future of Application Security: The Gartner® Report How Sonatype's Container Scanning Protects You From Zero-Days Axios Compromise on npm Introduces Hidden Malicious Package Is Your Repository Ready for What's Next? Autonomous Development and AI: Speed vs. Security Grounded Intelligence Ensures Safe AI Software Development Compromised litellm PyPI Package Delivers Multi-Stage Credential Stealer Golden Pull Requests: Automating Trusted Remediation Without Breaking Builds Sonatype Discovers Two Malicious npm Packages
Software Security Has to Start at Assembly
Aaron Linskens · 2026-06-23 · via 2024 Sonatype Blog

For years, the software industry has told teams to shift security left. That was the right instinct. Finding issues earlier is better than finding them in production.

Sonatype was started nearly two decades ago around this premise. That is also why we are proud to share that we've been recognized as a Leader in the 2026 Gartner® Magic Quadrant™ for Software Supply Chain Security.

But in a time of open source, AI-assisted development, and agentic workflows, even "left" is not early enough. Sonatype believes Mythos-era software supply chain security is not just about earlier scanning but assembly-time governance: applying intelligence, policy, and control at the moment software decisions are made.

Risk can enter before code is committed. Before a build runs. Before a scan has anything to inspect. It enters at selection time, when a developer, tool, or AI assistant chooses what software will be built from.

Enterprises need to secure software at the source, before risky components, malicious packages, or vulnerable AI-recommended dependencies enter the SDLC.

Where Does Software Supply Chain Risk Begin?

For years, application security focused on what happens after code is written: scan the application, find the issue, create a ticket, fix the finding, repeat.

That model still matters, but it does not address where much of today's risk actually begins.

Risk often enters before an application exists, when:

  • A developer selects a package.

  • A transitive dependency is introduced.

  • A build pulls an artifact from a repository.

  • A container is assembled.

  • An AI assistant recommends a library.

  • A model becomes part of an application workflow.

By the time a scanner finds the issue later in the pipeline, the organization may already be paying the cost of rework. Developers have moved on. Security teams are triaging. Release teams are waiting. Compliance teams are asking for evidence.

The answer is to move control closer to the decision itself and stop risky, malicious, or non-compliant components before they enter the workstream.

Why AI Turns Dependency Choice Into a Real-Time Problem

Every software supply chain is a chain of decisions: what to allow, what to block, what to trust, what meets policy, and what can be proven later.

At small scale, teams can manage those decisions manually. At enterprise scale, manual governance already breaks down. AI makes the problem faster.

A coding assistant can recommend an unfamiliar dependency in seconds. Generated code can introduce a vulnerable library. Agentic workflows can make or suggest choices across larger tasks. Models and dependencies introduce new questions about provenance, acceptable use, and risk.

The answer is not to slow AI adoption but to govern software decisions in real time, so developers and AI-assisted workflows can choose safer components before risk enters the SDLC.

Why Assembly-Time Security Depends on Intelligence

Security teams do not need more alerts. They need clearer answers at the moment a decision is made.

A CVE is only one part of the picture. Teams also need to know if a component is maintained, if it shows signs of malicious behavior, whether it fits policy, if there is a safer version, and if it belongs in a specific application at all.

Software supply chain decisions happen quickly. A package can be downloaded in seconds. An AI assistant can recommend a library instantly. A malicious component can spread before most teams know it exists.

This is where Sonatype is different.

As the steward of Maven Central, Sonatype has a unique view into how open source components are published, consumed, and used across modern development. That visibility helps inform how we detect malware, assess component reputation, understand dependency behavior, guide safer choices, and enforce policy.

This is not abstract threat intelligence sitting in a dashboard. It is intelligence that can shape decisions at the point of use: when a component is requested, when a developer needs an alternative, when an AI assistant suggests a dependency, or when a package should be blocked before it reaches the build.

The point is not to create more noise but to help teams make better decisions before risk becomes rework.

What Does Assembly-Time Governance Look Like in Practice?

Assembly-time governance means security controls show up where software is assembled, not only after the application is built.

That requires several capabilities working together:

  • Repository control to manage how components enter the organization.
  • Malware protection to block suspicious or malicious packages before use.
  • Dependency intelligence to guide safer open source decisions.
  • Developer guidance to reduce rework and improve adoption.
  • SBOM management to maintain visibility across the software lifecycle.
  • AI governance to support responsible use of AI-recommended dependencies, generated code, and models.

This is the role of Nexus One, a control plane for next-generation software development.

Nexus One brings together repository management, malware protection, dependency governance, SBOM management, developer guidance, and AI-era controls so organizations can govern software decisions across the SDLC.

That includes Nexus Repository for artifact and repository workflows, Firewall for blocking malicious and risky components, Lifecycle for governing open source risk and remediation, Guide for developer and AI-assisted package guidance, and SBOM Manager for managing SBOMs as living assets.

How Should Organizations Govern AI-Assisted Development?

AI is changing how software gets built and how quickly risk can enter the software supply chain.

The right response is not to block AI adoption but give developers, AI assistants, and automated workflows better guardrails.

Sonatype helps by applying policy and intelligence at the point of decision, including AI dependency management, Hugging Face and AI model governance, and guidance that helps teams choose safer components before risk enters the SDLC.

Sonatype Guide is a clear example of this shift. As AI changes how developers find, generate, and adopt code, Guide helps bring open source intelligence and guardrails into the development experience, so teams can move quickly without turning AI-generated code into security rework.

This is the practical side of AI governance: real-time guidance where software decisions are made.

What Does It Mean to Ship Next-Generation Software With Confidence?

For modern teams, confidence is not just knowing what is in an application after it is built. It is knowing what was allowed in, what was blocked, what was approved, what changed, and what can be proven later.

That is becoming harder as software development becomes faster, more automated, and more AI-assisted. Organizations now have to govern:

  • Open source components that continue to power enterprise software.

  • Malware that increasingly targets developers and dependency ecosystems.

  • SBOMs that are becoming operational requirements.

  • AI-recommended dependencies, models, and generated code.

  • Automated workflows that make software decisions faster than manual review can keep up.

Software supply chain security has to move from after-the-fact inspection to real-time governance.

We are proud to be recognized as a Leader in the Gartner® Magic Quadrant™ for Software Supply Chain Security. We believe this recognition reflects where the market is going: toward securing software at the source, where software decisions are made.

Download the Gartner Magic Quadrant for Software Supply Chain Security to learn why Sonatype was recognized as a Leader.

Tags

secure software supply chain Software Supply Chain shift left dependencies Open Source Gartner risk Gartner Magic Quadrant AI