In the past 12 months, enterprise software development has changed faster than at any other point in our lifetime.
Developers are writing more code, faster, with the help of generative AI and automation. Tasks that once took days now take minutes. Dependency decisions that were once reviewed manually are now made continuously by pipelines, tools, and AI agents and coding assistants.
Attackers have access to the same superpowers.
Malicious packages can be created, published, and propagated at machine speed. Vulnerabilities can be found and exploited faster and more easily with every new iteration of models and assistants. Security teams are struggling to keep pace, not because they lack skill, but because the scale and velocity of change have fundamentally shifted. At the same time, developers remain accountable for what ships to production, even as more decisions are delegated to automated systems acting on their behalf.
This combination — AI-accelerated development, AI-enabled attackers, and human accountability — has fundamentally changed the problem we're trying to solve.
Why Foundational Data Alone Is No Longer Sufficient
For years, OSS Index has provided free, high-quality open source vulnerability intelligence and become a trusted foundation for developers and tools across the ecosystem. That foundation still matters.
But the challenges of modern software development have outgrown what even the best component and vulnerability data alone can solve.
Compounding this challenge, the industry's primary public vulnerability source has been under sustained strain, with delays and gaps that make it unreliable as an input for automation. At modern scale, organizations need curated, continuously vetted third-party intelligence to provide the accuracy, completeness, and timeliness that AI-driven workflows require.
Sonatype originally acquired OSS Index to expand its open source governance offerings with a free, publicly accessible vulnerability index and to make open source vulnerability data more widely available to developers. OSS Index was never designed to power an AI-driven, fully automated software supply chain at global scale. It was built for an era in which humans reviewed decisions and automation played a supporting role.
Modern AI-powered SDLCs require intelligence that is real-time, precise, intent-aware, and designed to work safely with both developers and the agents operating on their behalf — especially in an attack landscape that now includes deliberately malicious open source software, not just accidental vulnerabilities.
Software Development in 2026 and Beyond
Development is becoming faster, more automated, and increasingly AI-assisted.
Developers are producing more code than ever — often with the help of generative AI — while still being fully accountable for what ships to production. Code reviews, dependency decisions, and security outcomes remain the developer's responsibility, even as the volume and velocity of change continue to increase.
We've described this tension before as the Developer's Hippocratic Oath in the age of AI: the expectation to "do no harm" while operating in systems that now move faster than any individual can reasonably review.
At the same time, generative AI models struggle with dependency recommendations without grounding. In our analysis of more than 36,000 real-world dependency upgrade recommendations across Maven, npm, and PyPI ecosystems, state-of-the-art models hallucinated non-existent versions over 27% of the time. This isn't surprising — these models are trained on historical public data that is often more than a year old, while package ecosystems change continuously. New versions ship hourly. Vulnerabilities emerge overnight. Malicious packages appear after model training cutoffs.
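The practical consequence of the hallucination figure above is that no automated pipeline should act on a model's "upgrade to version X" without first grounding it against the real package index. The following is an added example (not Sonatype's code or Guide's API) of such a gate: it checks each recommendation against a registry snapshot, rejecting versions that were never published, and, going slightly beyond the text, also flags recommendations that are not actually upgrades and packages the index does not know. The registry contents, package names and recommendation rows are constructed for the example; in practice the snapshot would come from a live lookup of Maven Central, the npm registry, or PyPI.

```python
"""Ground AI-generated dependency upgrade recommendations against a package index.

Added example, not code from the original post. REGISTRY and SAMPLE are
constructed inline so the example runs offline; a real gate would query the
ecosystem's registry (Maven Central, npm, PyPI) instead.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed registry snapshot: (ecosystem, package) -> versions actually published.
REGISTRY = {
    ("npm", "lodash"): ["4.17.19", "4.17.20", "4.17.21"],
    ("pypi", "requests"): ["2.31.0", "2.32.0", "2.32.2", "2.32.3"],
    ("maven", "com.fasterxml.jackson.core:jackson-databind"): ["2.15.2", "2.16.1", "2.17.0"],
}


@dataclass(frozen=True)
class Recommendation:
    """One 'upgrade <package> from <current> to <recommended>' suggestion from a model."""
    ecosystem: str
    package: str
    current: str
    recommended: str


def version_key(v: str):
    """Sort key for dotted numeric versions with an optional pre-release suffix.

    Numeric segments compare numerically (so 4.17.9 < 4.17.21), trailing zeros
    are ignored (1.0 == 1.0.0), and a pre-release tag such as 'rc1' or
    '-SNAPSHOT' sorts before the final release with the same numbers.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    suffix = m.group(2).lstrip("-.+")
    # (1, "") is a final release and outranks any (0, <tag>) pre-release.
    return tuple(nums), ((1, "") if not suffix else (0, suffix))


def check(rec: Recommendation) -> str:
    """Classify a recommendation: ok, nonexistent, not-an-upgrade, or unknown-package."""
    published = REGISTRY.get((rec.ecosystem, rec.package))
    if published is None:
        return "unknown-package"          # the index has never seen this package
    if rec.recommended not in published:
        return "nonexistent"              # hallucinated: this version was never published
    if version_key(rec.recommended) <= version_key(rec.current):
        return "not-an-upgrade"           # exists, but is the same as or older than current
    return "ok"


def gate(recs):
    """Return (recommendations safe to act on, Counter of rejection reasons)."""
    accepted, reasons = [], Counter()
    for rec in recs:
        verdict = check(rec)
        if verdict == "ok":
            accepted.append(rec)
        else:
            reasons[verdict] += 1
    return accepted, reasons


def hallucination_rate(recs) -> float:
    """Fraction of recommendations naming a version that does not exist."""
    return sum(check(r) == "nonexistent" for r in recs) / len(recs)


# Constructed sample of model output; mixes valid, hallucinated and downgrade suggestions.
SAMPLE = [
    Recommendation("npm", "lodash", "4.17.20", "4.17.21"),
    Recommendation("npm", "lodash", "4.17.20", "4.17.22"),
    Recommendation("pypi", "requests", "2.32.3", "2.31.0"),
    Recommendation("maven", "com.fasterxml.jackson.core:jackson-databind", "2.15.2", "2.17.0"),
    Recommendation("pypi", "requests", "2.31.0", "2.33.0"),
    Recommendation("npm", "left-pad", "1.0.0", "1.3.0"),
]

if __name__ == "__main__":
    ok, rejected = gate(SAMPLE)
    print(f"accepted {len(ok)} of {len(SAMPLE)}; rejected: {dict(rejected)}")
    print(f"hallucination rate: {hallucination_rate(SAMPLE):.0%}")
```

Only the two recommendations that name a published, newer version pass the gate; the rest are rejected before any tool, agent, or pipeline can act on them. Existence is a necessary check, not a sufficient one: a version that exists may still be vulnerable or malicious, which is where vulnerability and malware intelligence has to be consulted next.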
Developers are expected to move faster—and still catch failures—even as more decisions are made by automated systems acting on their behalf. AI doesn't remove the developer's Hippocratic Oath; it makes honoring it harder. As software creation accelerates, developers are asked to ship at unprecedented speed while losing direct visibility into the provenance, security, and fitness of the code and dependencies entering production.
Sonatype Guide: The Evolution of Open Source Security for the AI Age
We created Sonatype Guide because the problems have changed.
Guide is not a new version of OSS Index. It is an entirely new, developer-first solution built for the age of AI — designed to support automated, AI-assisted, and large-scale software development from the ground up.
Guide combines real-time open source intelligence, automation-ready tooling like APIs and MCP, and enterprise-grade support to help developers and security teams keep pace — without slowing innovation or sacrificing safety.
Guide can be used as a standalone solution or as part of the broader Sonatype platform. Teams can adopt Guide on its own to support AI-powered workflows, or integrate it alongside existing Sonatype solutions to extend current investments — without requiring a platform-wide rollout.
OSS Index and Guide: Clarity and Continuity
We understand that millions of developers and enterprises rely on OSS Index as critical infrastructure.
If you simply want to continue using the OSS Index API, no problem — we've got you covered. OSS Index will continue to be available with free and paid packages that scale based on usage and consumption needs, supporting everything from individual developers to large, automated environments.
As needs grow, Guide provides a complete, developer-first solution for fully automating open source security in the AI-powered SDLC.
What Happens Next
We're entering a new phase of unprecedented developer productivity and security built on open source.
Our goal is to make this transition straightforward and predictable for developers and the teams that support them.
Try Guide today. Guide is available now and free to get started. It's ready to support modern, AI-assisted workflows — whether decisions are made by developers, automation, or agents acting on their behalf. Guide works on its own or alongside existing Sonatype solutions, without disrupting current workflows.
Clear options for OSS Index users. If you're using OSS Index today, you can continue to do so via the compatibility API in Sonatype Guide. We'll be publishing updated OSS Index packages — including free and paid options — that scale with usage and provide predictable paths forward.
Upcoming details and timing. We'll share full details on usage limits, packages, and timelines soon, with clear guidance and advance notice so teams have time to plan.
As for the timeline, OSSI users should expect more information on the details of the migration by March 31, in support of a full migration on April 28.
Written by Mitchell Johnson
Mitchell has more than 25 years of experience as a developer, architect, team-builder and leader across a variety of high-growth roles in technology, data, product, and mergers and acquisitions, including stints at eVestment a Nasdaq Company, Equifax, Grant Thornton and Delta Air Lines. Mitchell ...