Snyk Launches New Security Tool to Govern AI-Powered Coding Agents

Snyk Unveils Evo ADS to Secure AI-Powered Coding Agents

INFORMATIONAL
June 24, 2026
Cloud Security, Security Operations, Supply Chain Attack

Related Entities

Organizations

Products & Tech

Evo Agentic Development Security (Evo ADS), Model Context Protocol (MCP)

Full Report

Executive Summary

As the software development lifecycle is transformed by autonomous AI agents, Snyk Ltd. has launched a new security solution to address the emerging risks. On June 23, 2026, the company announced Evo Agentic Development Security (Evo ADS), a platform layer specifically designed to monitor, govern, and secure the actions of AI coding agents. These agents can operate with minimal human supervision, introducing a new attack surface that traditional application security (AppSec) tools are not equipped to handle. Evo ADS provides visibility and control over the entire agentic workflow, from the tools the AI calls to the code it generates, mitigating risks like prompt injection and the use of malicious dependencies.


Threat Overview

The rise of agentic AI in software development creates a new paradigm for security. Unlike human developers, these AI agents can autonomously perform complex tasks, including:

  • Calling external tools and APIs.
  • Connecting to internal systems via Model Context Protocol (MCP) servers.
  • Independently selecting and integrating third-party libraries and dependencies.

This creates several new risks that Snyk's research has highlighted:

  • Poisoned Tools: An attacker could create a malicious tool (e.g., a fake security scanner) that an AI agent might call, leading to a backdoor being injected into the codebase.
  • Prompt Injection in Dependencies: Malicious prompts could be hidden within the documentation or code of a third-party library. When an AI agent consumes this dependency, the prompt could trigger it to perform malicious actions.
  • Insecure MCP Servers: Snyk found that 1 in 12 MCP servers (which provide context to AI agents) had high or critical security findings, creating a potential entry point into the development environment.

Traditional SAST/SCA scanners that only analyze code post-commit miss the runtime behavior of the agent itself, leaving a significant visibility gap.

Technical Analysis

Snyk's Evo ADS is designed to secure the entire agentic development toolchain. It functions as a governance layer that sits between the developer, the AI agent, and the development environment.

Its core capabilities include:

  1. Tool Vetting: Evo ADS vets the external tools and APIs that an AI agent is permitted to call, preventing it from interacting with known-malicious or untrusted services.
  2. Runtime Monitoring: The platform monitors the agent's actions in real time as it builds software. It can detect and block suspicious behavior, such as an agent attempting to access sensitive files or exfiltrate data.
  3. Code Scanning: As the agent generates code, Evo ADS scans it for vulnerabilities, insecure coding practices, and malicious logic before it is committed to the repository.
  4. Dependency Analysis: The tool analyzes the third-party dependencies that the agent pulls in, checking for known vulnerabilities and potential for attacks like prompt injection.

This approach shifts security 'left' into the pre-build phase, providing guardrails for AI agents rather than just cleaning up the code they produce.

Impact Assessment

The adoption of AI agents without proper governance poses a significant supply chain risk. A single compromised agent or tool could inject vulnerabilities or backdoors into countless software projects across an organization, leading to widespread breaches. The speed and scale of AI development mean that a single malicious component could propagate rapidly.

By providing a framework for governing these agents, tools like Evo ADS aim to enable organizations to leverage the productivity gains of AI development safely. For businesses, this means reducing the risk of AI-induced security debt and preventing a new class of sophisticated supply chain attacks. The impact on developers is a safer environment where they can confidently use AI agents without having to manually vet every action they take.

Detection & Response

  • Agent Auditing: Organizations using AI agents should maintain detailed audit logs of all agent activities, including tools called, files accessed, and code generated.
  • Behavioral Analysis: Monitor the behavior of AI agents for anomalies. For example, an agent that normally only writes code suddenly attempting to make network connections to an unknown host would be highly suspicious.

Mitigation

  • Agent Governance: Implement a formal governance policy for the use of AI agents in development. This should define which agents are approved, what tools they can use, and what data they can access.
  • Secure the Toolchain: Secure all components of the AI development toolchain, including the MCP servers, vector databases, and external APIs that agents rely on.
  • Least Privilege for Agents: Apply the principle of least privilege to AI agents. They should only have the permissions necessary to perform their specific task and should not have broad access to the network or file system.
  • Human-in-the-Loop: For critical applications, maintain a human-in-the-loop review process to approve code generated by AI agents before it is deployed to production.

Timeline of Events

  1. June 23, 2026: Snyk announces the launch of its Evo Agentic Development Security (Evo ADS) platform.
  2. June 24, 2026: This article was published.

MITRE ATT&CK Mitigations

Ensuring that all development tools and dependencies are properly signed can help prevent the use of poisoned or malicious components.

Running AI agents in a sandboxed environment with restricted permissions can limit the damage they can cause if compromised.

Subscribing to threat intelligence on vulnerable or malicious open-source packages is critical for securing the software supply chain.

D3FEND Defensive Countermeasures

To secure agentic AI development, security cannot be an afterthought. Dynamic analysis, as implemented by tools like Snyk's Evo ADS, is crucial. This involves running the AI agent in a controlled, instrumented environment to observe its behavior in real time. Security teams should configure policies to monitor and block dangerous actions, such as attempts to access sensitive files (/etc/passwd, .env files), make outbound network connections to untrusted destinations, or execute system commands. This runtime governance provides a safety net, allowing developers to leverage AI agents while ensuring they operate within predefined security boundaries.

A key risk of AI agents is their ability to call external tools. A defense-in-depth strategy is to create an 'allowlist' of approved tools and executables that agents are permitted to use. This can be enforced within the agent's operating environment (e.g., a container) or through a governance platform. By default, the agent should be blocked from executing any command or calling any API that is not on this explicit allowlist. This prevents a compromised agent from, for example, downloading and running a malicious binary or interacting with a poisoned, unvetted security scanner. It enforces the principle of least privilege on the agent's capabilities.
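
A default-deny policy check covering the runtime controls and tool allowlist described in the two paragraphs above, as an added example that is not from Snyk or Evo ADS. The workspace path, allowlists, action format and function names are all hypothetical.

```python
import fnmatch
import posixpath

# Hypothetical policy; every value here is constructed for illustration.
WORKSPACE = "/workspace"
ALLOWED_EXECUTABLES = {"/usr/bin/git", "/usr/bin/python3", "/usr/bin/npm"}
ALLOWED_HOSTS = {"registry.npmjs.org", "pypi.org", "files.pythonhosted.org"}
SENSITIVE_GLOBS = ["/etc/passwd", "*/.env", "*/.env.*"]

# Constructed sample of actions an agent might request.
SAMPLE = [
    {"type": "exec", "argv": ["/usr/bin/git", "status"]},
    {"type": "exec", "argv": ["/tmp/git", "status"]},
    {"type": "read", "path": "src/../.env"},
    {"type": "connect", "host": "198.51.100.7"},
]


def _normalize(path):
    """Collapse '..' lexically against the workspace (symlinks not resolved)."""
    return posixpath.normpath(posixpath.join(WORKSPACE, path))


def evaluate(action):
    """Return (allowed, reason) for one agent action; anything unlisted is denied."""
    kind = action.get("type")
    if kind == "exec":
        # Compare the full path, so /tmp/git cannot pass as /usr/bin/git.
        exe = action["argv"][0] if action.get("argv") else ""
        ok = exe in ALLOWED_EXECUTABLES
        return ok, f"executable {'on' if ok else 'not on'} allowlist: {exe!r}"
    if kind == "read":
        path = _normalize(action.get("path", ""))
        if any(fnmatch.fnmatchcase(path, g) for g in SENSITIVE_GLOBS):
            return False, f"sensitive file: {path}"
        if path != WORKSPACE and not path.startswith(WORKSPACE + "/"):
            return False, f"outside workspace: {path}"
        return True, "workspace file"
    if kind == "connect":
        host = action.get("host", "").lower().rstrip(".")
        ok = host in ALLOWED_HOSTS
        return ok, f"destination {'on' if ok else 'not on'} allowlist: {host!r}"
    return False, f"unknown action type: {kind!r}"


def audit(actions):
    """Evaluate each action and return one audit record per decision."""
    return [{"action": a, "allowed": ok, "reason": why}
            for a in actions for ok, why in [evaluate(a)]]
```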

AI agents will frequently pull in open-source dependencies to fulfill their tasks. It is vital to have continuous Software Composition Analysis (SCA) integrated into the agentic workflow. Before an agent's generated code is even committed, an SCA scan should be triggered to analyze all new dependencies for known vulnerabilities (CVEs). This prevents the agent from introducing security debt into the codebase. Advanced SCA tools can also analyze license compliance and, in the context of AI, could potentially be extended to scan for suspicious patterns within dependencies that might indicate a prompt injection attack.

Sources & References

The Week in Breach News: June 17, 2026
Kaseya (kaseya.com) June 24, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Snyk, AI, DevSecOps, Application Security, Supply Chain Attack, AI Agents
