Sonatype Guide is a real-time guardrail system that sits between AI coding tools and the open-source ecosystem, ensuring AI-generated code uses safe, valid, and maintainable dependencies.
Sonatype Guide includes a set of distinct tools, including an MCP server, an enhanced search experience, and access to the Nexus One Platform API.
By extending Sonatype’s trusted data into modern Model Context Protocol (MCP)–aware IDEs, Guide helps developers and AI tools select the best and safest open-source components while simplifying and optimizing dependency management.
Using the MCP server, Guide delivers security intelligence to AI coding tools like Copilot, Claude, Codex, and others. The MCP server provides package real-time package recommendations by filtering only secure, reliable versions and ensuring that unsafe code does not reach the repository.
The enhanced search informs developers about the lowest-effort, highest-impact fixes and upgrade choices, says Sonatype. The Nexus One Platform API is an enterprise-grade API that provides complete, unrestricted, and backward-compatible access to security information about components and repositories. Designed for Infrastructure-as-Code workflows, the Nexus One Platform API can integrate with CI/CD pipelines to automate component and vulnerability checks as part of the build process, and can also embed component and vulnerability lookups directly into developer tools such as chatbots and or issue trackers.
Sonatype CEO Bhagwat Swaroop explains that the main challenge in using LLMs for code generation is the rapid obsolescence of security data:
AI coding assistants are often trained on public data that can be months or years out of date. That means they can recommend vulnerable, low-quality, or even imaginary packages — creating rework, burning tokens, and introducing unnecessary risk.
In fact, Sonatype researchers found that LLMs can “hallucinate packages” up to 27% of the time, meaning they can suggest nonexistent, outdated, or malicious dependencies. This “creates rework for development teams, slows delivery, burns LLM tokens, and introduces unnecessary security risk”.
Sonatype claims that enterprises using Guide have tripled their effectiveness in generating secure code and reduced total security remediation and dependency-upgrade costs by more than fivefold.
Sonatype Guide is not the only AI-related tool designed to help secure development workflows and supply chains. Alternatives to Sonatype Guide for dependency and context security intelligence include Snyk, Mend, the open-source OWASP Dependency-Check, and many others. However, none of them seem to offer an MCP server ready to be integrated into AI-based workflows. That said, Snyk offers an experimental MCP server.
