Black Duck today added a tool for analyzing and remediating code that is directly integrated into artificial intelligence (AI) coding tools.
Company CEO Jason Schmitt said Black Duck Signal makes it possible to discover issues as application developers increasingly rely on AI coding tools to generate more code faster, which paradoxically also typically contains more vulnerabilities than code created solely by humans.
Black Duck Signal makes use of multiple large language models (LLMs), Model Context Protocol (MCP) servers and AI agents to autonomously detect and remediate vulnerabilities in real time, both as applications are being developed and after they have been deployed, noted Schmitt.
Enabled by the Black Duck KnowledgeBase, those capabilities make it possible to automatically find, prioritize, and fix vulnerabilities across source code, binaries, supply chain components, and running applications regardless of what programming language was used, with a high degree of accuracy, he added.
Black Duck has petabytes of data on examples of known good code that it is exposing to AI agents using different LLMs depending on the use case and the type of programming language used, noted Schmitt.
In fact, Black Duck Signal substantially reduces the number of false positives generated by existing static analysis testing tools, he added.
Once a vulnerability is discovered, it becomes possible to invoke an AI agent to automate remediation across the software development lifecycle (SDLC) using verified code fixes found in a Black Duck library. That capability is critical because it also helps ensure that the code generated by one LLM is verified using a different LLM to eliminate bias, noted Schmitt.
Additionally, Black Duck Signal will surface open source and third-party risk issues stemming from, for example, licensing agreements and policies.

Black Duck Signal is currently being made available to existing Black Duck customers and design partners; the company plans to make it more broadly available in early 2026.
While AI coding tools have been widely adopted to improve the productivity of application developers, it’s not clear to what degree organizations trust the code that is being generated. Most of these tools have been trained on examples of code gleaned from across the Web, much of which is flawed. LLM-based AI tools rarely generate the same code twice, so each invocation is another opportunity for a vulnerability to be inadvertently injected into the generated code.
As more code is generated using these AI tools, more organizations are becoming aware of a growing and acute need to automate DevSecOps best practices to keep pace. Otherwise, the volume of code that might later need to be scanned for vulnerabilities will simply overwhelm application security teams.
It’s not clear to what degree organizations are revisiting DevSecOps workflows in the age of AI, but it’s now more a question of when and to what degree, rather than if. Organizations are not likely to abandon AI coding tools because of security concerns, but they will inevitably put more guardrails in place as the downside of relying on AI tools to generate code becomes more apparent.
In the meantime, however, the pressure on already undermanned DevSecOps teams will only continue to increase, at least in the short term.