惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google Online Security Blog
Google Online Security Blog
S
Security @ Cisco Blogs
Recent Commits to openclaw:main
Recent Commits to openclaw:main
人人都是产品经理
人人都是产品经理
The Hacker News
The Hacker News
W
WeLiveSecurity
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Cloudflare Blog
博客园 - 司徒正美
雷峰网
雷峰网
L
LINUX DO - 最新话题
博客园 - 叶小钗
云风的 BLOG
云风的 BLOG
The Last Watchdog
The Last Watchdog
V2EX - 技术
V2EX - 技术
S
Security Affairs
有赞技术团队
有赞技术团队
月光博客
月光博客
T
Threatpost
T
Tor Project blog
O
OpenAI News
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
V
V2EX
Know Your Adversary
Know Your Adversary
Project Zero
Project Zero
博客园 - 三生石上(FineUI控件)
D
Docker
AWS News Blog
AWS News Blog
AI
AI
P
Proofpoint News Feed
K
Kaspersky official blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
D
Darknet – Hacking Tools, Hacker News & Cyber Security
www.infosecurity-magazine.com
www.infosecurity-magazine.com
S
Securelist
F
Fortinet All Blogs
F
Full Disclosure
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
量子位
Hacker News - Newest:
Hacker News - Newest: "LLM"
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
P
Palo Alto Networks Blog
Cyberwarzone
Cyberwarzone
Cisco Talos Blog
Cisco Talos Blog
美团技术团队
N
News | PayPal Newsroom
T
The Blog of Author Tim Ferriss
MyScale Blog
MyScale Blog

2024 Sonatype Blog

Open Source, Open Infrastructure, and the Space Between Request for Comments: CARE and Maven Central Q2 2026 Open Source Malware Index AI Is Forcing a New Open Source Security Model Vulnerability Prioritization Is Missing the AI-Era Point The Hidden National Security Threat Inside AI-Driven Software Miasma Returns: Leo Platform Compromise in npm The Rise of Collective Defense for Open Source Signal Over Noise: Reachability Analysis Is the Reality Check SCA Has Been Missing Software Security Has to Start at Assembly easy-day-js Targets Mastra, Dependency Attacks Grow Open Publishing, Commercial Scale Software Dependency Cooldowns Are a Symptom, Not a Strategy Atomic Arch npm Campaign Adds Malicious Dependency From SBOMs to AI BOMs: Why SPDX 3.0 Matters Mythos Found 10,000 Vulnerabilities. The Bigger Challenge Is Fixing Them New Shai-Hulud Miasma Wave Hits Hundreds of npm Packages Lazarus Group's Latest: Brandjacking Campaign on npm 5 Steps to Turn Your RMF Backlog Into a Continuous ATO: The CSRMC Migration Playbook The AI Race Is Becoming a Remediation Race Red Hat Cloud Services npm Packages Hijacked Inside a 176-Package npm Campaign Built to Beat Your Internal Dependencies AI Is Making Software Autonomous, and Governance Must Follow Your Outdated Repository Still Works, But It May Not Be Safe Hijacked npm Package Attempts to Deliver PolinRider-Linked RAT AppSec Tools Explained: SAST vs SCA vs DAST | Sonatype Managing Open Source Software Risks With the HeroDevs EOL Dashboard Shai-Hulud is Back: Maintainer Accounts Are Still the Soft Target How to Build a Software Supply Chain Security Playbook The Evolution of Open Source Malware: From Volume to Trust Abuse The Mythos AI Vulnerability Storm: What to Do Next Malicious PyTorch Lightning Packages Found on PyPI Why Developer Experience Is the Foundation of DevSecOps Success Open is Not Costless: Reclaiming Sustainable Infrastructure Q1 Updates in Nexus Repository: More Formats, Stronger Operations, and a Better Day-to-Day Experience Self-Propagating npm Malware Turns Trusted Packages Into Attack Paths The Time Is Now to Prepare for CRA Enforcement Sonatype Innovate: Real Peer Connections, Real Product Influence, Real Recognition Mythos and the AI Vulnerability Storm: Exploring the Control Point When AI Writes Code, Who Governs the Dependencies? Why Software Supply Chain Security Requires a New Playbook Q1 2026 Open Source Malware Index: Adaptive Attacks Exploit Trust Modernizing Nexus Repository: Moving Beyond OrientDB AI, DevSecOps, and the Future of Application Security: The Gartner® Report How Sonatype's Container Scanning Protects You From Zero-Days Axios Compromise on npm Introduces Hidden Malicious Package Is Your Repository Ready for What's Next? Autonomous Development and AI: Speed vs. Security Grounded Intelligence Ensures Safe AI Software Development Compromised litellm PyPI Package Delivers Multi-Stage Credential Stealer Golden Pull Requests: Automating Trusted Remediation Without Breaking Builds Sonatype Discovers Two Malicious npm Packages
Building Trusted AI Development With Kiro and Sonatype Guide
Aaron Linskens · 2026-05-18 · via 2024 Sonatype Blog

AI-powered development tools accelerate the production of software. But they also introduce a familiar challenge: how do you ensure that what's generated is secure, compliant, and trustworthy?

The answer lies in context. AI-generated code is only as reliable as the data and intelligence behind it. Without the right context from AI code security tools, development speed can quickly turn into risk.

Vulnerable dependencies, license issues, and low-quality components can enter the software supply chain faster than ever — and when teams are forced to debug and remediate those issues later, the productivity benefits of AI quickly erode. Our research underscores this growing challenge as organizations scale AI-assisted development.

That's exactly what changes when you combine Kiro, AWS's agentic AI integrated development environment (IDE), with Sonatype Guide. Using the Model Context Protocol (MCP), this integration connects Kiro to real-time open source intelligence, so developers can move fast with AI while grounding every decision in trusted data.

The Challenge: AI Without Context Is Risky

Tools like Kiro are incredibly powerful. They help developers move faster by generating code, automating repetitive tasks, and accelerating everything from prototyping to production.

But like any AI coding assistant, Kiro is only as good as the information it can access.

Without the right context, AI can:

  • Suggest vulnerable or outdated dependencies.

  • Introduce license compliance risks.

  • Recommend components with known security issues.

The result is a growing gap between speed and safety. AI accelerates development, but without embedded intelligence and guardrails, it can just as easily scale risk — leaving teams to catch issues later in the SDLC when they're more costly to fix.

The Solution: Sonatype Guide as a Kiro Power

Sonatype Guide fills this gap by acting as a real-time source of trusted open source intelligence, embedded directly into the development workflow.

Kiro Powers (such as Sonatype Guide) are purpose-built integrations that extend Kiro's capabilities by connecting it to external systems and specialized sources of knowledge. Using MCP, Kiro can securely communicate with tools like Sonatype Guide — bringing authoritative, real-time open source intelligence directly into every AI-driven interaction.

With Guide integrated, Kiro gains access to:

  • Deep vulnerability intelligence.

  • License and compliance insights.

  • Package quality and health signals.

  • Curated recommendations for safer alternatives.

These insights are delivered inline, at the moment decisions are made, not after the fact.

Instead of relying solely on generic training data or static knowledge, Kiro can now query Sonatype's continuously updated understanding of the open source ecosystem in real time via MCP. The result is AI-generated code that isn't just faster to produce, but grounded in real-world security, policy, and quality considerations.

What This Looks Like in Practice

In a typical Kiro workflow, AI may suggest or introduce dependencies as it scaffolds, updates, or enhances an application. With Sonatype Guide connected through MCP, those components can be evaluated in real time before they become hidden risks.

Instead of accepting AI-generated dependency choices at face value, developers can see trusted intelligence directly in their workflow, including:

  • Known vulnerabilities and security risks.

  • License and policy considerations.

  • Package quality, maintenance, and overall health.

  • Safer alternatives when a component introduces risk.

This helps teams move from reactive remediation to proactive decision-making, identifying risk earlier while staying focused in Kiro.

To see how this workflow comes together, watch the demo below.

Why This Matters for Modern Development Teams

The combination of Kiro and Guide is not just about convenience. It's about fundamentally improving how teams build software.

Shift Security Left, Without Slowing Down

By embedding Guide directly into the AI workflow, security decisions happen at the moment code is generated, not later in the pipeline.

Reduce Risk from AI-Generated Code

AI can accelerate development, but it can also amplify risk. With Guide in the loop, every suggestion is backed by:

Keep Developers in Flow

Developers don’t need to switch tools or wait for downstream scans. The insights they need are delivered inline, in real time.

Standardize Best Practices Across Teams

By combining Kiro with Sonatype Guide, organizations can ensure that every developer — regardless of experience level — makes consistent, policy-aligned decisions.

A New Model for AI-Assisted Development

AI is more than a productivity tool. It's a decision-making partner. To be effective, it needs to be grounded in real-world intelligence.

By integrating Kiro and Sonatype Guide through MCP, AI-generated code is informed by continuously updated security, compliance, and quality insights at the moment it's created.

This approach:

  • Augments AI with trusted data sources.

  • Applies governance at the point of creation.

  • Aligns development speed with security and compliance.

The result is a development workflow where teams don't have to choose between moving fast and building securely. They can do both by default. See this in action by watching our full demo.

Tags

Open Source aws artificial intelligence Model Context Protocol AI sonatype intelligence Sonatype Guide