Sonatype Guide Tackles AI Package Hallucinations With Live Open Source Intelligence

Sonatype Guide Launches To Inject Real-Time Open Source Intelligence Into AI Development

Sonatype has introduced Sonatype Guide to stop AI coding tools from suggesting insecure or hallucinated open source packages, giving developers a safer and more reliable way to build with AI.

Sonatype Inc. has introduced Sonatype Guide, a security-first system designed to bring real-time open source intelligence into AI-assisted software development. The tool acts as an intelligent backbone, steering AI coding assistants toward secure, high-quality open source components while autonomously maintaining dependencies.

The launch addresses a structural problem in AI coding workflows. Most AI models are trained on public data that may be months or years old, so coding assistants can recommend vulnerable, low-quality or even hallucinated packages. A forthcoming Sonatype study shows that leading generative AI large language models hallucinate packages up to 27% of the time, creating unnecessary rework, slowing delivery, wasting LLM tokens and exposing teams to significant security risks, including malicious open source components.

Enterprises testing Sonatype Guide reported more than 300% improvement in security outcomes, along with major reductions in remediation. Dependency-upgrade costs improved by over five times, measured in both developer hours and direct spend.

“Every organisation wants to harness the productivity of AI, but they can’t afford to compromise security or long-term maintainability,” said Bhagwat Swaroop, Chief Executive, Sonatype. “Guide brings discipline and intelligence to AI-assisted development. It empowers teams to move faster and safer by steering AI toward secure, reliable components and automating the tedious dependency work that slows teams down. This is a significant step forward for the industry and for our customers.”

Sonatype Guide integrates with tools such as GitHub Copilot, Google Antigravity, Claude Code, Windsurf, IntelliJ with Junie, Kiro from AWS and Cursor. Core features include a Model Context Protocol server for real-time package interception, enhanced open source software search and an enterprise-grade API.

Built on Sonatype Intelligence, the system identifies vulnerabilities, deprecations and malicious packages early, helping developers make safe and informed open source decisions from the first line of code.
