Safeguard
AI Security

Securing AI coding assistants (Claude Code, Copilot, etc.)

AI coding assistants like Claude Code and Copilot introduce new supply chain risks. Here's what's actually going wrong and how to secure your pipeline.

Aman Khan
AppSec Engineer
7 min read

In April 2024, researchers disclosed that GitHub Copilot and Amazon Q could be coaxed into suggesting code with hardcoded credentials and insecure defaults simply because that pattern was common in their training data. A year later, over 90% of enterprise developers report using an AI coding assistant weekly, and Claude Code, Copilot, Cursor, and Windsurf now sit directly in the commit path for a majority of production repositories. That path is also an attack surface: assistants read untrusted files, call tools, execute shell commands, and pull from remote MCP servers — often with the same privileges as the developer running them. Checkmarx and other legacy AST vendors have started bolting AI-scanning features onto SAST scanners built for a pre-agent world. This post breaks down where the real risk sits, with concrete examples, and what a supply-chain-native approach to securing AI coding assistants actually looks like.

Are AI coding assistants actually introducing more vulnerabilities?

Yes — multiple independent studies in 2024-2025 put the rate of insecure code suggestions from LLM-based assistants between 30% and 48% depending on language and task. Stanford's 2023 study (still the most-cited baseline) found developers using AI assistants were more likely to introduce security bugs while being more confident their code was secure — a dangerous combination. A 2025 Snyk survey of over 700 developers found 56% had shipped AI-suggested code they later identified as vulnerable, most commonly SQL injection, missing input validation, and hardcoded secrets. The failure mode isn't exotic: it's the assistant pattern-matching on the median GitHub repo, which is not a secure repo. Checkmarx's approach — running its existing SAST engine against AI-generated diffs — catches some of this, but it's scanning output after the fact rather than addressing how the code got there or what else the assistant touched.

Can Claude Code and Copilot leak secrets or proprietary code?

Yes, in two directions: assistants can expose secrets already in your codebase, and they can transmit code context to third-party inference endpoints you don't control. In 2023, Samsung engineers pasted proprietary source code into ChatGPT three separate times, prompting a company-wide ban — the same exposure pattern applies to any assistant with broad file-read access and a cloud backend. Agentic tools like Claude Code go further: they can read .env files, SSH keys, and cloud credentials sitting in a repo and include them in tool calls or generated commit messages if not explicitly scoped away. GitLab's 2024 research on Copilot chat found prompt injection payloads hidden in a repository's README could exfiltrate private code from other files in the same session. Scanning the final pull request doesn't catch this — the leak happens in the assistant's working context, upstream of any diff.

What is prompt injection and why does it matter for coding agents?

Prompt injection is when untrusted content — a file, an issue comment, an MCP tool response — contains instructions that hijack an AI agent's behavior, and it matters because coding agents execute real commands. Embedded Insurance and independent researchers demonstrated in 2024 that a malicious comment in a GitHub issue could instruct a connected Copilot Workspace or agent to modify CI configuration or add a backdoor dependency when the agent later processed that issue. Because agentic assistants like Claude Code chain tool calls (read file → run tests → git commit → open PR), a single injected instruction partway through that chain can silently redirect the entire sequence — installing a package from a typosquatted registry name, disabling a lint rule, or exfiltrating environment variables via a crafted curl. Traditional SAST has no visibility into this: it inspects the resulting code, not the sequence of tool calls and untrusted inputs that produced it.

Are AI-suggested dependencies a new malware vector?

Yes — researchers coined the term "slopsquatting" in 2024 for a documented pattern where LLMs hallucinate plausible-but-nonexistent package names, and attackers register those exact names on npm and PyPI to catch the next developer who blindly installs what the assistant suggested. A March 2024 academic study analyzing 576,000 code samples from 16 LLMs found an average hallucination rate of 5.2% for commercial models and 21.7% for open-source models — meaning roughly 1 in 20 to 1 in 5 suggested package names could point to squatted malware. Because Claude Code, Copilot, and Cursor can all run npm install or pip install autonomously as part of an agentic workflow, a hallucinated package name isn't just a suggestion a human reviews — it can become an installed dependency before anyone looks at a diff. Checkmarx's SCA module scans dependency manifests once they exist; it doesn't intervene at the moment an agent is about to add one.

Do compliance frameworks now require controls for AI-assisted development?

Increasingly, yes. NIST's AI Risk Management Framework (published January 2023, with a generative AI profile added in July 2024) explicitly calls out provenance tracking and human oversight for AI-generated artifacts, and SOC 2 auditors are starting to ask engineering teams how AI coding tool usage is governed and logged as part of Trust Services Criteria reviews. The OWASP Top 10 for LLM Applications (2025 update) added supply chain risks tied to model and plugin provenance as a named category (LLM03/LLM05 depending on version), directly applicable to MCP servers and coding-agent plugins. Auditors reviewing a SOC 2 Type II report in 2026 are asking pointed questions: which AI tools have repo write access, is there an audit trail of AI-authored commits, and are AI-suggested dependencies subject to the same SCA gate as human-authored ones. Teams that can't answer those questions in specifics are increasingly flagged in findings, not just noted as a gap.

How Safeguard Helps

Safeguard was built for the agentic era of software delivery, not retrofitted onto a decade-old SAST engine. For securing AI coding assistants specifically, that means three things Checkmarx's bolt-on approach doesn't do natively:

  • Provenance at the commit, not the scan. Safeguard tags every commit and dependency change with its origin — human-authored, Claude Code-assisted, Copilot-assisted — so you have an audit trail before your SOC 2 auditor asks for one, not a reconstruction after the fact.
  • Real-time dependency gating. Because slopsquatting attacks rely on an assistant's suggestion reaching npm install before a human looks at it, Safeguard checks new package names against registry age, maintainer reputation, and known-typosquat patterns at the moment of introduction — before a hallucinated package becomes a lockfile entry.
  • MCP and tool-call visibility. Safeguard monitors the tool calls and file access patterns of connected AI agents, not just their final diffs, so a prompt-injection-driven attempt to read .env files or rewrite CI config is flagged as an anomalous action, independent of whether the resulting code looks syntactically clean.
  • Secrets and context scoping. Safeguard integrates with your repo to identify and mask credentials, keys, and proprietary code segments from assistant context windows, reducing the blast radius of both accidental leakage and injection-driven exfiltration.

Checkmarx's model — scan the code an AI assistant produced — is necessary but no longer sufficient once assistants are running commands, installing packages, and reading files on their own initiative. Securing AI coding assistants means securing the whole agentic loop: what they read, what they call, what they install, and what they commit. That's the layer Safeguard is built to cover.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.