Snyk launches Evo ADS to secure AI coding agents with real-time governance
AI coding agents are no longer novelties—they now generate and ship production code, unsupervised, in enterprise environments. Security has not kept pace. Yesterday’s scanners watch code after it lands. AI agents, though, can call arbitrary tools, invoke “skills” from uncertain sources, and walk through internal APIs—all with no human watching. That’s the new perimeter—and Snyk Evo Agentic Development Security (Evo ADS) is the first tool designed to control it inside the agent’s workflow, live, before code or damage lands.
The headline: Evo ADS governs, not just after the fact, but as the agent runs. For the developer or security lead watching agents run inside the firewall, this is overdue and impressive.
What is Snyk Evo Agentic Development Security?
Evo ADS is a security governance layer for autonomous AI coding agents. Instead of passively scanning output, Evo ADS actively enforces rules around the tools, connections, and code actions that agents attempt during workflow execution. The focus isn’t just the code, but the entire perimeter: which MCP servers agents touch, the skills they install, and what outbound connections they make.
What sets Evo ADS apart from legacy security tools: placement in the loop. It integrates directly with the agent runtime. Before an agent can invoke an external tool or connect to an MCP server, Evo ADS intercepts and applies policy, preventing execution if a check fails. For AI coding workflows that use plugins, integrations, or operate via Model Context Protocol (MCP) servers, Evo ADS is the bouncer at the door, not the janitor after the party.
No code scanning product before Evo ADS has governed agent-initiated external actions and dynamic toolchains—legacy tools wait until after the code is written, missing the real risk surface. Evo ADS secures the actual, running behavior.
Why are autonomous AI coding agents a security challenge?
Autonomous agents don’t just write code. They operate—acting as developers or ops, calling shell tools, installing packages, and connecting via MCP servers to a web of skills and third-party APIs. A single agent may reach dozens of MCP-integrated tools in a shift. Security moves from static code analysis to active workflow governance.
Snyk’s telemetry makes clear the scale and risk:
- In a sample of 9,700 developer environments, 43% ran two or more AI coding platforms simultaneously.
- More than half had at least one MCP server active; the most heavily instrumented cases ran over 80.
- One in 12 environments with MCP saw high or critical security findings.
This isn’t a subtle finding. It’s structural. Legacy scanners have zero view into which tools the agent is connecting to, who supplied a given “skill,” or how data flows across MCP boundaries. Attackers have noticed.
MCP servers, by design, turn code completion tools into fully programmable orchestration agents. But without governance, they are a shadow supply chain. Skills can reference arbitrary dependencies or fetch code from external instructions, often invisible to the primary dev team. Snyk’s enterprise design partner review surfaced an average of 18 agent skills per developer, with 1/10th referencing outside dependencies. For security, the attack surface is sprawling and dynamic.
How does Evo ADS protect AI coding workflows?
Evo ADS operates at three pivotal layers, each mapped tightly to AI agent pain points. This is not post-hoc scanning. Enforcement happens in the workflow.
Stage 1: Pre-execution vetting
Before an agent uses anything—MCP server, plugin, tool, or skill—Evo ADS demands an inventory and applies trust policies:
# Register allowed MCP servers and skills
snyk agent-inventory add --mcp myserver.local --skill fetch-customer-data
# Validate external dependency provenance before allowing install
snyk skill-audit check fetch-customer-data
Attempts to use unvetted components are blocked. You do not need to wait for the exploit to learn about it.
Stage 2: Real-time policy enforcement on agent actions
As the agent runs, Evo ADS injects runtime policy hooks. If an agent attempts to call an unapproved endpoint, install a package from an untrusted registry, or access external resources, Evo ADS enforces controls immediately:
# Example: runtime policy configuration
policies:
  - action: block
    when:
      - from: ai_agent
        tries: mcp_connect
        to: unapproved_server
      - from: ai_agent
        tries: skill_install
        package_source: unverified_registry
This is not best-effort auditing—it is hard-stop enforcement. Developers and operators get alerts in real time, not hours later.
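The allow/block decision that a policy like the one above encodes, written out as an added Python example (not Snyk's code and not part of Evo ADS). The inventory sets, the `decide` and `target_host` functions, and the registry hostname are assumptions made for illustration; `myserver.local` and `fetch-customer-data` are the names used on this page.

```python
from urllib.parse import urlsplit

# Constructed inventory (assumption): hosts a team has vetted and registered.
APPROVED_MCP_SERVERS = {"myserver.local"}            # server name from the page
VERIFIED_REGISTRIES = {"registry.internal.example"}  # hypothetical registry host

# Action kind -> (allowlist, reason when allowed, reason when blocked).
RULES = {
    "mcp_connect": (APPROVED_MCP_SERVERS, "approved_server", "unapproved_server"),
    "skill_install": (VERIFIED_REGISTRIES, "verified_registry", "unverified_registry"),
}


def target_host(target: str) -> str:
    """Return the exact lowercase hostname of a URL or host[:port] string.

    Returns "" when the target cannot be parsed, so the caller fails closed.
    """
    try:
        parts = urlsplit(target if "//" in target else "//" + target)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return ""
    return (parts.hostname or "").rstrip(".")


def decide(kind: str, target: str) -> tuple[str, str]:
    """Evaluate one agent action before it runs; returns (verdict, reason)."""
    rule = RULES.get(kind)
    if rule is None:
        return ("block", "unknown_action")  # default deny for unlisted actions
    allowlist, ok_reason, deny_reason = rule
    # Compare the parsed hostname exactly: substring or prefix matching would
    # accept "myserver.local.evil.example" or "myserver.local@evil.example".
    if target_host(target) in allowlist:
        return ("allow", ok_reason)
    return ("block", deny_reason)


if __name__ == "__main__":
    # Constructed sample actions, evaluated in order.
    for kind, target in [
        ("mcp_connect", "myserver.local:8443"),
        ("mcp_connect", "https://myserver.local@evil.example/mcp"),
        ("skill_install", "https://registry.internal.example/fetch-customer-data"),
        ("skill_install", "https://packages.unknown.example/fetch-customer-data"),
    ]:
        print(kind, target, "->", decide(kind, target))
```

The gate denies by default: an action kind with no rule, or a target that does not parse to a hostname, is blocked rather than passed through.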
Stage 3: Real-time scan and fix of AI-generated code
Finally, as the agent emits new code, Evo ADS triggers live vulnerability scanning and can auto-apply select patches:
# Scan new files as generated (live in agent workflow)
snyk code-scan --watch path/to/generated/
# Optional: enable fix mode for auto-remediation
snyk code-fix --apply
The engine catches CVEs, risky patterns, and known vulnerable code before it ships. Not “after the merge”—literally as the code lands in the folder.
Key advantage: putting controls in the loop, not after. Attack surface never widens past the agent boundary. Compliance, incident response, and real-time rollback become tractable.

How can developers use Snyk Evo ADS today?
Getting Evo ADS into your workflow is procedural and can be staged.
1. Setup and integration
You need access to your AI coding agent platform (Open Interpreter, custom agent, etc.), MCP server endpoints, and developer environment inventory. Evo ADS multiplatform installers or Docker images are geared for both local and CI/CD integration:
# Install Evo ADS for agent governance
npm install -g snyk-evo-agent
# Or as a CI/CD pipeline step
docker pull snyk/evo-agent:latest
For cloud agent platforms:
# Example pipeline step in GitHub Actions
- name: Evo ADS Preflight
  run: snyk agent-inventory sync --output-report
2. Registering and managing agent assets
Agents, MCP servers, and skills inventories live in Evo ADS’s policy engine. Continuous inventory means every running agent, plugin, and third-party “skill” is accounted for:
# Inventory collection and review
snyk agent-inventory list
# Bulk import from fleet
snyk agent-inventory import path/to/agent-configs/
Security teams can finally answer, “What’s running?” for the first time.
3. Monitoring and incident response
Evo ADS streams findings and policy events to your SIEM or Snyk console:
# Export telemetry to SIEM for detection/alerting
snyk agent-telemetry export --to splunk
If a policy violation or vulnerable code emission occurs, Evo ADS can trigger automated incident workflows—block, alert, roll back. Teams gain real-time visibility and fine-grained control.
With this model, adoption is not “rip and replace.” Evo ADS can wrap existing agent deployments or sit alongside legacy scanning, providing real-time coverage for areas older tools ignore.
What impact does Evo ADS have on enterprise software security?
Evo ADS closes a foundational gap: live, inside-the-tailpipe enforcement for AI agent workflows. Enterprise numbers make the case:
- In Snyk’s telemetry, one in 12 MCP environments had high or critical security findings. Those can now be blocked before code or data is ever touched.
- Skill sprawl: Organizations average 18 installed agent skills per developer. Evo ADS turns that inventory into a governable perimeter—third-party and shadow skills are no longer invisible risks.
- Unauthorized actions—calling outbound APIs, installing unauthorized tools, fetching external code—are now blockable in the loop, rather than detected hours or days later.
Early adopters and enterprise design partners now see agent, MCP, and skill inventories for the first time—an end to the shadow infra. Security teams gain a direct way to manage, sanction, or restrict AI agent behaviors with one policy engine. The result: measurable drops in agent-originated vulnerability surface, faster containment, and a meaningful shift from forensics to prevention.
What this gets us
If you deploy AI coding agents or run MCP servers, Evo ADS gives you a perimeter that moves with the agent—not waiting for a post-mortem, but blocking malicious calls at the edge of action. You inventory your agents, govern the skills and servers they touch, and catch vulnerabilities—before they trigger harm. Teams already running multiple AI systems simultaneously now have the real-time enforcement they need to stop incidents early instead of cleaning up after the fact.
OTF’s layer makes policy and configuration portable as tools and AI agents churn; the security boundary holds, even as underlying models and agent platforms change.
Evo Agentic Development Security isn’t just a new scanner. It’s the real-time firewall for AI-powered code. That’s overdue—and now possible.