惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
V
V2EX
大猫的无限游戏
大猫的无限游戏
腾讯CDC
博客园 - Franky
WordPress大学
WordPress大学
Jina AI
Jina AI
GbyAI
GbyAI
云风的 BLOG
云风的 BLOG
B
Blog RSS Feed
Last Week in AI
Last Week in AI
The Cloudflare Blog
V
Visual Studio Blog
P
Proofpoint News Feed
博客园 - 叶小钗
L
LangChain Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Recorded Future
Recorded Future
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
The Blog of Author Tim Ferriss
人人都是产品经理
人人都是产品经理
Y
Y Combinator Blog
罗磊的独立博客
雷峰网
雷峰网
博客园 - 【当耐特】
Microsoft Security Blog
Microsoft Security Blog
L
LINUX DO - 热门话题
Cisco Talos Blog
Cisco Talos Blog
L
Lohrmann on Cybersecurity
Martin Fowler
Martin Fowler
Spread Privacy
Spread Privacy
MongoDB | Blog
MongoDB | Blog
Engineering at Meta
Engineering at Meta
C
Cybersecurity and Infrastructure Security Agency CISA
小众软件
小众软件
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Recent Announcements
Recent Announcements
T
Threat Research - Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic
量子位
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
宝玉的分享
宝玉的分享
D
DataBreaches.Net
T
The Exploit Database - CXSecurity.com
Vercel News
Vercel News
IT之家
IT之家
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
T
Troy Hunt's Blog
aimingoo的专栏
aimingoo的专栏

Show HN

GitHub - steveking-gh/firmion: Firmion is DSL and engine for firmware image generation. GitHub - villagesql/villagesql-skills: Agent skills for VillageSQL - gemini-cli-extension; claude-code-plugin GitHub - flightdeckhq/flightdeck: Observability and control plane for AI agents. CSP Radar GitHub - Light-Heart-Labs/DreamServer: Turn your PC, Mac, or Linux box into an AI server. LLM inference, chat UI, voice, agents, workflows, RAG, and image generation. GitHub - Diplomat-ai/diplomat-agent-ts: What can your TypeScript AI agent do to the real world? Scan your code. See which tool calls have zero checks Code Block Selector - Visual Studio Marketplace Prometheus dependency graph — interactive showcase | Riftmap Show HN: I made a vi-like modal keyboard plugin for Figma GitHub - run-llama/liteparse: A fast, helpful, and open-source document parser GitHub - dalemyers/Roar: A macOS CLI tool for notifications GitHub - district-solutions/open-agent-tools-coder: Enables small-to-large self-hosted ai models to use local source code when running tool-calling agentic workloads. We actively data mine 20,900+ (2+ TB) popular github repos using large and small ai models to create reuseable: json, markdown and parquet files for local-first tool-calling models. GitHub - progapandist/stripeek: A local TUI proxy for real-time Stripe API debugging, built for navigating complex payloads fast. GitHub - sir1st/hermes-desktop: All-in-one cross-platform desktop app for Hermes Agent — bundles Python + hermes-agent + hermes-web-ui GitHub - astefanutti/shaderbang: Shebang for Shaders Show HN: Generate Claude Code Workflows using Spec Driven Development approach GitHub - nixys/nxs-universal-chart: The Helm chart you can use to install any of your applications into Kubernetes/OpenShift Show HN: AI agents for UK GDAD PCF roles and their skills The Two Pillars: Mixer Mode and Meta-Software in the Reorganization of Software Work After AI GitHub - JaiCode08/teleport-env What 1,000+ Harness Experiments Taught Me About Self-Improving Agents Show HN: Liiists, a Markdown-first, iOS and CLI list app SwiperTab – Get this Extension for 🦊 Firefox (en-US) GitHub - kouhxp/fftext: Summarize, explain, fact-check, or translate any text, URL, or file. No GPU. No cloud. One command GitHub - sweetpad-dev/sweetpad: Develop Swift/iOS projects using VSCode GitHub - dogmaticdev/IRON: IRON a.k.a. Intermediate Representation Object Notation is a Interpreter/Database that is used to create Programming Languages. GitHub - sjhalani7/vaen: Package your AI coding harness into a portable .agent file, and share it across repos, teams, & the community without ever having to copy-paste instructions, skills, MCP config, or secrets. Show HN: Gandalf the Grader Show HN: Citadeld – replay any CI failure locally from a single file GitHub - tdortman/cuSBF: High-Performance GPU Super Bloom Filter coral-ai/claude-code-token-xray at main · Coral-Bricks-AI/coral-ai GitHub - ulyssestenn/funes: Funes is a Git-based framework for LLM-managed knowledge work: an AI Librarian ingests raw sources, builds an interlinked Markdown knowledge base, and uses it to produce cited reports, analyses, and other outputs. GitHub - ThatXliner/gah: Git Add Hunk, built for agents to use GitHub - harmont-dev/harmont-cli: Command-line client for the Harmont CI platform GitHub - brooksmcmillin/mcp-authflow: OAuth 2.0 Authorization Server framework for MCP servers GitHub - javaid-codes/audit-supply-chain-agents GitHub - amorey/gochan: A small library of common channel architectures for Go, inspired by Rust GitHub - arifozgun/OpenGem: Free, Open-Source AI API Gateway with Gemini, OpenAI & Anthropic Compatibility in 1 file GitHub - Pranesh950/BioPetals: 🌸 Run BIOxAI models at home, BitTorrent-style. Fine-tuning and inference up to 10x faster than offloading GitHub - cnguyen14/bounty-doctor: Diagnose a GitHub bounty issue before you waste hours: detects honeypot scam repos, AI-bot attempt swarms, and stale contests. Show HN: CoreMCP – MCP Server for On-Prem DBs Show HN: KittyHTML – Render HTML/CSS as an inline image in your terminal GitHub - bingud/filemat: Web-based file manager Show HN: TruthLens – Free multi-signal deepfake image detector GitHub - apexlocal-jz/claude-usage-tray: Windows system-tray app showing your Claude Code rate-limit usage at a glance. Zero deps, ~300 lines of PowerShell. Cross-IDE (works regardless of VS Code, Cursor, plain terminal). Release v0.1.2.1 · kouhxp/yapsnap GitHub - noopolis/moltnet: Self-hostable chat network for AI agents. Pre-built bridges for Claude Code, Codex, and the Claws. Rooms, DMs, history. No Slack bots, no Matrix, no glue code. GitHub - tamerh/enju: Coordinating Humans, AI Agents, and Compute as Peers on a Shared Workflow Graph Show HN: Continuity-auth – Respect-weighted rate limits for the open web GitHub - luml-ai/luml: AI lifecycle platform where engineers and agents track experiments, train models, and ship to production. GitHub - mrdanielcasper/CoreTex: A UNIX-inspired, biomimetic, flat-file AI harness and knowledge engine. GitHub - clemg/pierre-github: Pierre's diffs.com and trees.software for Github GitHub - lyriks-io/unspaghettit: Behavior-driven AI development without prompt spaghetti. GitHub - sofumel/claude-handoff-revive: Resume Claude Code work after rate/usage/context limits without replaying the prior transcript. Auto-saves at 90%/95% usage. Plugin-installable, 10 languages. GitHub - dotexorg/saferpc: Typed, end-to-end encrypted RPC over any bidirectional channel. GitHub - BeeZeeAgent/beezee: Agent harness orchestration Legato Next.js Boilerplate for Internal Tools · CoreUI GitHub - clark-labs-inc/clark-hash: Clark Hash, 32x smaller searchable sketches for embeddings GitHub - ZeroPointRepo/youtube-mcp: The fastest YouTube transcript + YouTube search MCP for AI agents. Try for free. Typing Mastery — climb toward 100+ WPM, deliberately GitHub - Andebugulin/Awareen GitHub - fayzan123/claude-workflow-composer: Visual desktop app for composing multi-agent coding workflows. Drag agents, attach skills and MCPs, wire handoffs, export to .claude/ GitHub - harshaneel/humanize: Best static AI text humanizer. Two research-grounded skills that work in any LLM (Claude, ChatGPT, Gemini, Codex): humanize beats perplexity-based detectors, ai-check produces forensic scoring with evidence-quoted flags. Nine levers, 50+ peer-reviewed sources, 2024-2026 detection literature. GitHub - StackOneHQ/stack-nudge GitHub - nodes-app/swift-markdown-engine: A native AppKit Markdown editor for macOS, built on TextKit 2 and bridged to SwiftUI. We hardened an LLM agent. Each defense we added made it more exploitable. GitHub - alkait/WhatsKept: Agent-queryable WhatsApp history from an iOS backup — a single Go binary. GitHub - octelium/cordium: Open-source, general-purpose sandbox platform for devs and AI agents that provides identity-based secure access to infrastructure without credentials. WAR.GOV/UFO Microfilm5 GitHub - scosman/videowright: Build animated explainer videos with your coding agent GitHub - dipankar/dscode: The code editor you can take apart. GitHub - zoharbabin/web-researcher-mcp: MCP server (Go) for AI assistants: web search, content extraction, academic/patent/news research. Multi-provider routing, 4-tier scraping, search lenses. Works with Claude, Cursor, and any MCP client. GitHub - ruvnet/RuView: π RuView turns commodity WiFi signals into real-time spatial intelligence, vital sign monitoring, and presence detection — all without a single pixel of video. GitHub - scanaislop/aislop: Catch the slop AI coding agents leave in your code: narrative comments, swallowed exceptions, as-any casts, dead code, oversized functions. 50+ rules across 7 languages (TypeScript, JavaScript, Python, Go, Rust, Ruby, PHP). Sub-second, deterministic, no LLM at runtime. MIT-licensed. GitHub - kouhxp/cheap-im: CPU-only voice agent approximating Thinking Machines' Interaction Models demo GitHub - unprovable/OrchidMantis: Orchid Mantis — standalone framework for Zero-Knowledge Proofs of eXploit (ZKPoX). GitHub - MarcellM01/TinySearch: Shrink the web for your local LLMs! GitHub - TangibleResearch/Halgorithem: A Algo designed to detect AI Hallucitions GitHub - DO-SAY-GO/freelang: I love freelang GitHub - CarpseDeam/Aura-IDE: An AI coding harness that shaped itself - Planner/Worker agents, repo awareness, surgical edits, validation, recovery, and safe diff approvals. GitHub - chojs23/concord: A feature-rich TUI client for Discord GitHub - tommyjepsen/awesome-ux-skills: UX & AI Product designs skills you can use today in Claude Code GitHub - aerf-spec/aerf: Agent Evidence Receipt Format (AERF) — an open specification for tamper-evident, independently verifiable records of AI agent actions. GitHub - kklimuk/docx-cli: CLI for AI agents (Claude, Codex) to read, edit, and comment on .docx files with full format fidelity. GitHub - Jwrede/tokentoll: Catch LLM cost changes in code review. Infracost for LLM spend. GitHub - samchon/ttsc: A `typescript-go` toolchain for compiler-powered plugins and type-safe execution + 500x faster lint integrated into compiler GitHub - Higangssh/homebutler: 🏠 Manage your homelab from chat. Single binary, zero dependencies. GitHub - olalie/tapmap: See where your computer connects and what stands out on a live world map. GitHub - Diplomat-ai/diplomat-agent: What can your AI agent do to the real world? Scan your code. See which tool calls have zero checks GitHub - Bajusz15/beacon: Open-source agent for secure remote access, monitoring, and deploys across home-lab and self-hosted machines like Raspberry Pi, N100, or any Linux server. Open web based TTY or tunnel Home Assistant and other local services securely without opening ports. BigTech AI News - Chrome 应用商店 GitHub - vinhnx/VTCode: VT Code is an open-source coding agent with LLM-native code understanding and robust shell safety. Supports multiple LLM providers with automatic failover and efficient context management. GitHub - michaelaz774/decision-engine: A decision operating system for startup founders, powered by Claude Code. Synthesizes wisdom from 25+ legendary founders and investors into interactive AI-driven decision frameworks. GitHub - Chrilleweb/dotenv-diff: Validate environment variable usage in your codebase GitHub - Lumen-Labs/brainapi2: BrainAPI is a knowledge graph–powered AI memory layer that transforms unstructured data into structured knowledge, enabling intelligent search, recommendations, and contextual memory for AI agents and applications. GitHub - familiar-software/familiar: Let AI watch you work. Familiar lets your AI update its memory, skills, and knowledge by watching your screen. GitHub - skorotkiewicz/rudo: A small, elegant dock for Wayland GitHub - muxshed/shed: One stream in, or many. Every destination, simultaneously. No cloud middleman, no per-channel fees, no limits. make sidebar/address bar rounded corner toggleable
The Visibility Problem Behind AI Tool Adoption in Engineering Teams
Carina de Gouveia · 2026-06-18 · via Show HN

Executives are asking engineering teams to accelerate AI adoption. Most engineering leaders, though, cannot answer a basic question: which AI coding assistants are actually in use across our repositories right now?

The gap is the lack of a reliable inventory. This article covers why visibility is the first governance challenge, what repository-level scanning reveals about real adoption patterns, and how to operationalize AI tool tracking without blocking the tools developers rely on.

In this article:

  • Why visibility into AI tools is the first governance challenge
  • What shadow AI looks like in engineering workflows
  • How widespread is AI tool usage across development teams
  • What repository-level scanning reveals about AI adoption
  • Why existing governance approaches miss AI tool usage
  • How AI tool sprawl affects code quality and security
  • What an AI inventory captures across repositories
  • How to operationalize AI visibility for engineering teams
  • What metrics help leaders report on AI adoption
  • Common mistakes when tracking AI tool usage

Why visibility into AI tools is the first governance challenge

To gain visibility into AI tools used by engineering teams, you can combine quantitative tracking of AI-assisted coding with qualitative developer feedback. Unmonitored AI usage is common, so specialized analytics help track tool usage, security posture, and productivity impact. The challenge, though, is that most engineering leaders cannot answer a straightforward question: which AI coding assistants are active across our repositories right now?

The contradiction is that boards and executives are pushing teams to adopt AI to improve delivery speed. At the same time, leadership often lacks a reliable inventory of which tools developers actually use. The reporting gap widens as AI adoption accelerates.

The visibility problem is not about whether AI is being used, but rather about whether leadership has an auditable view of AI usage across the engineering organization.

What shadow AI looks like in engineering workflows

Shadow AI in software development goes beyond employees using random chatbots. In engineering contexts, shadow AI includes a range of tools and artifacts that often bypass centralized IT or security visibility.

Here are common forms of shadow AI in development workflows:

  • AI coding assistants in IDEs: Extensions like GitHub Copilot, Cursor, or Claude Code installed locally in developer environments
  • CLI-based agents: Command-line tools that generate or modify code outside of managed SaaS platforms
  • AI review tools: Third-party services that analyze pull requests or suggest changes
  • Prompt files and generated config: Workflow artifacts, prompt templates, or AI-generated configuration files committed to repositories
  • Personal account access: Developers using personal subscriptions to tools that are not visible to IT or security teams

How widespread is AI tool usage across development teams

AI coding tools have moved well beyond pilot programs. A significant share of developers now use AI assistants daily, and AI-assisted code represents a growing portion of code creation across organizations.

Several patterns are worth noting. Many developers access AI tools through personal accounts, including personal ChatGPT or Claude subscriptions. The average development team uses multiple AI tools simultaneously, often without centralized tracking. GitHub Copilot, ChatGPT, and Claude are common across development workflows, though adoption varies by team and project.

Exact figures depend on survey methodology, company size, and how "AI-assisted" is defined. The direction, however, is clear: AI use has moved beyond experimentation into everyday development practice.

What repository-level scanning reveals about AI adoption

Surveys and procurement data tell part of the story. Repository-level scanning tells another. When you analyze what is actually committed to codebases, a different picture emerges.

Recently, we scanned over 6,700 repositories across more than 800 organizations and detected 27 different coding assistants. Claude Code appeared most frequently by a wide margin, followed by Cursor and Microsoft Copilot. The long tail included Codex, Windsurf, Augment Code, JetBrains Junie, and more than 20 other tools. 

On the surface, 27 assistants suggests tool sprawl. At the organization level, though, the average org showed traces of only two coding assistants. Most companies do not have chaos everywhere. They have limited but often unmeasured AI adoption.

The visibility problem is not only "too many tools." It is that leaders do not know which tools are present, where they appear, or how usage differs by repository.

Why existing governance approaches miss AI tool usage

Governance policies often live in places that do not observe actual developer behavior. Security questionnaires, procurement approvals, acceptable-use policies, SSO tool lists, and manual team self-reporting all capture intent. They rarely capture reality.

Here is where governance controls miss common engineering paths:

  • Personal accounts: Developers using personal subscriptions that bypass enterprise SSO
  • IDE extensions: Locally installed extensions that do not appear in SaaS management tools
  • CLI agents: Command-line tools used outside centrally managed platforms
  • Repository artifacts: Generated files, prompts, workflows, or tool traces committed into codebases

Even organizations with governance and security validation policies may still have developers using Cursor, Claude, and other tools in parallel. Developer adoption pressure is real: engineers choose tools that help them move faster.

Policies define intent. Inventories reveal reality.

How AI tool sprawl affects code quality and security

AI-generated or AI-assisted code changes the scale and review model for engineering teams. More code can be produced faster. Review depth may decrease when reviewers assume generated code is correct. Similar patterns may be replicated across repositories quickly.

Security and quality risks include:

  • Vulnerable code patterns: Generated suggestions that introduce known vulnerability patterns. Veracode’s 2025 research found that only 55% of AI-generated code samples were free of the security flaws evaluated in its benchmark, meaning 45% contained at least one tested vulnerability.
  • Insecure dependency recommendations: AI tools suggesting outdated or vulnerable libraries
  • Secrets exposure: Sensitive context pasted into unmanaged tools or committed to repositories
  • Generated tests with incorrect assertions: Tests that pass but assert the wrong behavior
  • Compliance gaps: AI usage that cannot be evidenced or explained during audits

Inventory is not a substitute for SAST, SCA, secrets detection, or policy checks. It is the visibility layer that tells leaders where AI code governance applies.

There is also a procurement angle. If most developers already use a particular tool, it may be worth upgrading to an enterprise plan and managing it centrally rather than allowing fragmented personal usage.

What AI Inventory captures across repositories

Codacy's AI Inventory is a repository-level view of AI assets, tools, workflows, and signals found across codebases. It turns scattered repository evidence into a view engineering leaders can act on.

A useful inventory typically captures:

Dimension What it reveals
AI tools detected Which coding assistants appear across repositories    Copilot, Claude Code, Cursor, Windsurf)

AI models called

Which AI models and providers are referenced across repositories (GPT-4o, Claude Sonnet, Gemini, OpenAI SDK, Anthropic SDK, etc.)

Repository distribution Where each tool appears and how usage varies
Configuration and workflow files AI-related config, prompt templates, or agent definitions
Policy compliance status Whether detected tools align with approved lists

AI-related issues

Security or quality findings in repositories with AI usage
Risk assessment summary Aggregated view of exposure by repository or team

The goal is to provide enough visibility that leaders can compare detected usage against policy and decide where enforcement applies.

How to operationalize AI visibility for engineering teams

Visibility without action is just reporting. The practical value of AI Inventory comes from connecting it to enforcement and decision-making.

A reasonable approach follows this sequence:

  1. Scan repositories to establish a baseline of AI tool and workflow traces
  2. Compare detected usage against approved tools and policies
  3. Segment repositories by risk: production-critical, regulated, customer-facing, internal, experimental
  4. Align enforcement with repository risk level, applying AI guardrails for high-risk repositories
  5. Add or tighten checks for SAST, SCA, secrets detection, and license compliance where AI usage is present
  6. Track changes over time to see whether adoption is expanding or concentrating
  7. Report trends to leadership in operational language: tools detected, repos affected, policy gaps, remediation progress

AI tool usage changes quickly. Inventory is not a one-time audit. It works best when continuous or regularly refreshed.

What metrics help leaders report on AI adoption

When executives or board members ask about AI adoption, vague answers erode confidence. Specific metrics convert adoption claims into evidence.

Useful leadership metrics include:

  • Number of AI coding assistants detected across the organization
  • Number and percentage of repositories with AI tool traces
  • Top AI tools by repository presence
  • Repositories with unapproved AI tools or workflows
  • AI-related policy compliance status
  • Security findings in repositories with detected AI usage
  • Trend over time: new tools, new repositories, resolved policy gaps

Metrics like these help leaders report adoption without relying only on surveys or procurement data. They create a bridge between AI enablement and risk management.

Shadow AI Exists everywhere in the development ecosystem

Common mistakes when tracking AI tool usage

Several patterns undermine AI visibility efforts. Recognizing them early helps avoid wasted effort.

  • Relying only on sanctioned-tool lists: Developers may use personal accounts, local extensions, or CLI tools that never appear in approved lists
  • Treating AI governance as only a legal or procurement issue: In engineering, governance connects to repositories and pull requests
  • Blocking tools without offering approved alternatives: Developers will route around controls if controls slow delivery without reducing risk
  • Measuring adoption only by license count: Licenses show what was bought, not necessarily what influenced code
  • Assuming low incident volume means low risk: Lack of findings may reflect lack of visibility, not absence of exposure

The goal is to create a managed adoption model where leaders know which tools are in use, understand where they appear, define acceptable use by risk level, enforce security and quality checks consistently, and produce evidence for leadership and compliance.

AI adoption has already reached everyday development workflows. The immediate leadership gap is visibility. Leaders cannot credibly report AI adoption or manage AI risk without knowing what is actually being used.

The practical path forward starts with AI inventory across repositories. Use it to align policy, enforcement, and reporting. Then connect it to existing code quality and security controls that already protect the delivery pipeline.

Turn AI adoption into something you can measure

Codacy's AI Inventory provides a repository-level view of AI tools, workflows, and related artifacts, helping engineering leaders track usage, identify policy gaps, and improve visibility across development teams.

Scan your repository for free →