Safeguard
Industry Analysis

Inside the Agentic Development Supply Chain Report

Safeguard's research team analyzed 42,000+ repositories with agentic commit activity, finding new dependency, MCP server, and SBOM gaps introduced by AI coding agents.

Safeguard Research Team
Research
7 min read

SAN FRANCISCO — July 6, 2026. In the eleven months since GitHub's Copilot Workspace and a wave of autonomous coding agents moved from demo to default, the software supply chain has quietly acquired a new class of committer: the agent itself. Safeguard's research team spent the first half of 2026 instrumenting telemetry across managed customer environments, public registries, and a sample of over 42,000 repositories with agentic commit activity to answer a simple question — when AI agents write, review, and merge code with minimal human friction, what actually enters the supply chain? The resulting analysis, which we're calling the Agentic Development Supply Chain Report, surfaces a pattern security teams have suspected but rarely quantified: agent-authored changes introduce new dependencies at roughly 3.4x the rate of human-authored commits, and nearly one in six of those dependencies had no corresponding entry in the project's existing SBOM at merge time.

This isn't a story about AI models writing insecure code line-by-line — static analysis and secure-coding guardrails have made real progress there. It's a story about provenance. Agentic development doesn't just change who writes code; it changes how packages, tools, and third-party services get pulled into a build, often through channels that predate any human review gate.

The Machine Committer Problem

Across the sampled repositories, commits attributable to autonomous or semi-autonomous coding agents (via bot accounts, CI-triggered agent runs, or IDE-integrated agent sessions) rose from an estimated 4% of total commit volume in Q3 2025 to just over 19% by the end of Q2 2026. That growth curve matters less than what accompanies it: agent sessions in our sample resolved an average of 2.1 new external dependencies per non-trivial task, compared to 0.6 for equivalent human-authored pull requests. Agents, when asked to "add rate limiting" or "parse this file format," default to reaching for a package rather than writing the logic — a rational choice for an agent optimizing for task completion, and a risky one for anyone trying to maintain a clean dependency graph.

The report also found that agent-introduced dependencies skew newer and less-vetted. 28% of packages pulled in by agentic commits had been published to their registry (npm, PyPI, crates.io, or RubyGems) within the prior 90 days — more than double the rate for human-introduced dependencies in the same repositories. Newly published packages are, unsurprisingly, where typosquatting, slopsquatting, and dependency-confusion attacks concentrate, because they haven't yet accumulated the download history and community scrutiny that make an established package a harder target.

MCP Servers: A New, Mostly Invisible Attack Surface

The single fastest-growing category in the dataset wasn't a package ecosystem at all — it was Model Context Protocol (MCP) servers. Since MCP's broad adoption across coding assistants in late 2025, organizations in our sample went from near-zero MCP server usage to a median of 6 distinct MCP servers connected per engineering team by June 2026, spanning file-system access, database querying, ticketing integrations, and browser automation.

MCP servers occupy an unusual position in the supply chain: they're not a dependency declared in a manifest file, not a container pulled from a registry, and not always reviewed by anyone resembling a security function. They are, functionally, third-party code with standing access to a developer's local environment, credentials, and often production data — installed by a developer in minutes, frequently from a GitHub repo with no signed releases, no SBOM, and no vulnerability disclosure process. Safeguard's telemetry found that 61% of MCP servers in active use across sampled organizations had never been scanned by any security tooling, and 22% requested filesystem or shell-execution scopes broader than their stated function required.

Lockfile Drift and the SBOM Gap

Perhaps the most operationally significant finding: agent-driven development is widening the gap between what a lockfile says and what actually ships. Because many agentic workflows install packages directly inside ephemeral sandboxes or containerized dev environments to "test something quickly," and because agents are optimized to satisfy the immediate task rather than maintain long-term repo hygiene, the report identified lockfile drift — dependencies present in a running build but absent or mismatched in the committed lockfile — in 34% of agent-touched repositories, versus 9% in repositories without agentic commit activity.

This drift is exactly the condition that makes software bills of materials stale on arrival. An SBOM generated at release time, if it isn't continuously reconciled against what agents actually pulled in during development, captures an approximation of the software rather than the software itself. Combined with the MCP visibility gap above, security teams are increasingly facing a supply chain where a meaningful share of what ships was never formally declared anywhere a scanner would look.

Secrets Exposure in Agent Tooling

A smaller but sharper finding involves credentials. Agents frequently need API keys, database URLs, and service tokens to complete tasks — and the report found that 14% of agent session logs across sampled environments contained plaintext secrets that had been passed into a prompt, tool call, or intermediate file, at some point persisted outside the org's secrets manager. Most of these were rotated or short-lived tokens with limited blast radius, but roughly 1 in 8 were long-lived cloud credentials with production-adjacent scope. Autonomous agents don't intentionally exfiltrate secrets, but their workflows create far more transient copies of sensitive material — in logs, in scratch files, in context windows sent to third-party model providers — than a disciplined human developer typically would.

Auto-Merge Velocity Is Outpacing Review Capacity

Finally, the report looked at time-to-merge for agent-originated pull requests versus human-originated ones. Agent PRs in organizations with auto-merge or low-friction review policies merged in a median of 47 minutes, compared to 6.2 hours for human PRs in the same repos. Faster iteration is precisely why teams adopt these workflows — but 47 minutes is not enough time for most existing security review processes, including periodic SCA scans and manual dependency review, to complete before code reaches a shared branch or, in some organizations, production. The report characterizes this as a "review lag inversion": the velocity gains from agentic development are arriving faster than the security tooling built for a slower, human-paced review cadence can adapt.

What This Means for Security Teams

None of this is an argument against agentic development — the productivity case is real and the trend is not reversing. It is an argument for supply chain security controls that operate at the speed and granularity agents actually work at: continuous dependency and SBOM reconciliation rather than point-in-time scans, visibility into MCP servers and agent tool permissions as first-class inventory items, and prioritization logic that can tell a security team which of the thousands of new-but-unreviewed dependencies introduced this quarter are actually reachable from executable code paths — because most of them are not, and treating every alert as equally urgent is how review queues die.

How Safeguard Helps

Safeguard was built for exactly this shift. Our reachability analysis engine traces whether an agent-introduced dependency is actually invoked from code that executes in production, cutting through the noise of the thousands of new packages agentic workflows pull in and letting teams focus remediation on what's truly exploitable. Griffin AI, our detection and triage layer, continuously watches agent-driven commits, MCP server connections, and CI activity for the patterns this report highlights — unvetted new packages, anomalous permission requests, and secrets surfacing in build artifacts — and flags them before merge rather than after. Safeguard generates and continuously ingests SBOMs across every build, including ephemeral agent sandboxes, so the bill of materials reflects what actually shipped rather than what a manifest claimed weeks earlier. And where a real, reachable vulnerability is confirmed, Safeguard opens an auto-fix pull request with the patched dependency version already validated against the existing test suite, closing the loop at the same velocity the agent that introduced the risk was operating at. As agentic development accelerates, supply chain security has to move from periodic audits to continuous, context-aware defense — which is the architecture Safeguard was built around from day one.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.