Skip to main content
Redhat Developers  Logo
  • AI

    Get started with AI

    • Red Hat AI
      Accelerate the development and deployment of enterprise AI solutions.
    • AI learning hub
      Explore learning materials and tools, organized by task.
    • AI interactive demos
      Click through scenarios with Red Hat AI, including training LLMs and more.
    • AI/ML learning paths
      Expand your OpenShift AI knowledge using these learning resources.
    • AI quickstarts
      Focused AI use cases designed for fast deployment on Red Hat AI platforms.
    • No-cost AI training
      Foundational Red Hat AI training.

    Featured resources

    • OpenShift AI learning
    • Open source AI for developers
    • AI product application development
    • Open source-powered AI/ML for hybrid cloud
    • AI and Node.js cheat sheet

    Red Hat AI Factory with NVIDIA

    • Red Hat AI Factory with NVIDIA is a co-engineered, enterprise-grade AI solution for building, deploying, and managing AI at scale across hybrid cloud environments.
    • Explore the solution
  • Learn

    Self-guided

    • Documentation
      Find answers, get step-by-step guidance, and learn how to use Red Hat products.
    • Learning paths
      Explore curated walkthroughs for common development tasks.
    • Guided learning
      Receive custom learning paths powered by our AI assistant.
    • See all learning

    Hands-on

    • Developer Sandbox
      Spin up Red Hat's products and technologies without setup or configuration.
    • Interactive labs
      Learn by doing in these hands-on, browser-based experiences.
    • Interactive demos
      Click through product features in these guided tours.

    Browse by topic

    • AI/ML
    • Automation
    • Java
    • Kubernetes
    • Linux
    • See all topics

    Training & certifications

    • Courses and exams
    • Certifications
    • Skills assessments
    • Red Hat Academy
    • Learning subscription
    • Explore training
  • Build

    Get started

    • Red Hat build of Podman Desktop
      A downloadable, local development hub to experiment with our products and builds.
    • Developer Sandbox
      Spin up Red Hat's products and technologies without setup or configuration.

    Download products

    • Access product downloads to start building and testing right away.
    • Red Hat Enterprise Linux
    • Red Hat AI
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform
    • See all products

    Featured

    • Red Hat build of OpenJDK
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenShift Dev Spaces
    • Red Hat Developer Toolset

    References

    • E-books
    • Documentation
    • Cheat sheets
    • Architecture center
  • Community

    Get involved

    • Events
    • Live AI events
    • Red Hat Summit
    • Red Hat Accelerators
    • Community discussions

    Follow along

    • Articles & blogs
    • Developer newsletter
    • Videos
    • Github

    Get help

    • Customer service
    • Customer support
    • Regional contacts
    • Find a partner

    Join the Red Hat Developer program

    • Download Red Hat products and project builds, access support documentation, learning content, and more.
    • Explore the benefits

Dependency analytics 1.0: AI coding with supply chain security

The code writes itself. The vulnerabilities do, too.

July 7, 2026
Petr Toman
Related topics:
Artificial intelligenceDeveloper toolsSecure coding
Related products:
Red Hat Advanced Developer Suite

    We're living in the golden age of vibe coding. Developers describe what they want in plain English, and AI agents—Claude Code, GitHub Copilot, Cursor—generate entire features in seconds. Productivity has never been higher. Developers using AI assistants produce commits at three to four times the rate of their peers.

    But there's a catch nobody talks about at the standup. Those same AI-assisted developers introduce security findings at 10 times the rate. 45% of AI-generated code contains security flaws. 62% contain design flaws or vulnerabilities. And the problem isn't just the code itself—it's the dependencies the AI pulls in without a second thought.

    When you ask an AI to "add JWT authentication to this Express app," it doesn't just write code. It picks packages. It chooses versions. And 58% of developers trust those outputs without testing.

    That's where dependency analytics comes in.

    What is the dependency analytics tool?

    Dependency analytics is a free, open source extension for editors like VS Code, Cursor, and Windsurf extension. Now at its 1.0 release, it scans your project's dependencies for known security vulnerabilities in real time as you write code. No context switching. No separate security tool to remember to run. It just shows up, right in your editor, the moment you open a manifest file.

    It supports the ecosystems developers actually use:

    • JavaScript/TypeScript: package.json (npm, pnpm, Yarn)
    • Python: requirements.txt, pyproject.toml (pip, Poetry, UV)
    • Java: pom.xml, build.gradle (Maven, Gradle)
    • Go: go.mod
    • Rust: Cargo.toml
    • Docker: Dockerfile image scanning

    With more than three million installs, it's already one of the most widely adopted supply chain security tools in the VS Code ecosystem.

    The problem: AI agents don't think about supply chain security

    AI models learn from code that was written months or years ago. When they pick a dependency, they choose the version they saw most often during training—not the most current or most secure one. They're trained on patterns, not common vulnerabilities and exposures (CVE) databases.

    Let's walk through three scenarios.

    Scenario 1: The stale version from training data

    You're building a Python microservice. You tell your AI coding agent:

    Add a function that parses uploaded CSV files and validates email addresses in the second column.

    The agent generates clean, working code. It adds pandas==1.3.0 and email-validator==1.1.1 to your requirements.txt. Tests pass. The pull request (PR) looks good.

    But pandas 1.3.0 has CVE-2023-39500, a path traversal vulnerability. And email-validator 1.1.1 has a known ReDoS vulnerability that can be exploited with a crafted email string—exactly the kind of input your function accepts.

    With dependency analytics installed, the moment you open requirements.txt, both dependencies are underlined in red. Hover over pandas==1.3.0 and you see:

    Known security vulnerabilities: 3 | Highest severity: HIGH

    Right-click, select Quick Fix, and the extension offers a recommended version that resolves the vulnerability. One click. Fixed before your code ever leaves your machine.

    The same applies across ecosystems. Ask an AI to add JWT auth to a Node.js application and it might pick jsonwebtoken@8.5.1—a version with CVE-2022-23529, a critical flaw that lets attackers forge tokens. Dependency analytics catches it the moment it lands in your package.json.

    Scenario 2: The transitive vulnerability

    You add express@4.17.1 to your Node.js project. Express itself looks fine. But it pulls in qs@6.5.2, which has a prototype pollution vulnerability (CVE-2022-24999). You'd never see this by reading your own code.

    Dependency analytics generates a full vulnerability report—including transitive dependencies—accessible from the pie-chart icon in your editor. One click shows you the complete dependency tree and every known CVE hiding in it.

    Scenario 3: The license landmine

    Your AI agent adds a GPL-3.0 licensed package to your Apache-2.0 project. Legally, that's a problem. Dependency analytics' license compatibility checking detects mismatches between your project's license and your dependencies' licenses, flagging restrictive licenses before they become a legal headache.

    How it fits into vibe coding and agentic workflows

    The beauty of the dependency analytics tool is that it works at the same speed as AI-generated code. There's no separate step. No "remember to run the security scan." The extension operates as a passive guardrail—always on, always scanning.

    Here's what the workflow looks like in practice:

    1. Your AI agent generates code and modifies package.json, requirements.txt, or pom.xml.
    2. You open the manifest file (or it's already open)—the scan triggers automatically.
    3. Vulnerable dependencies light up red with inline diagnostics.
    4. You hover to see the vulnerability count and severity.
    5. You select Quick Fix to jump to a safe, Red Hat-recommended version.
    6. You generate a software bill of materials (SBOM) with the RHDA: Generate SBOM command for your compliance pipeline.

    This takes seconds. It happens before git add. Before the PR. Before the code review. Before production.

    For teams using monorepos, the batch workspace analysis feature scans every package in your JavaScript/TypeScript monorepo or Cargo workspace in parallel—so even large codebases get coverage without manual effort.

    Beyond scanning: SBOM generation and Docker security

    Dependency analytics 1.0 operates as a supply chain security toolkit rather than a simple scanner. The tool features CycloneDX SBOM generation to produce a standards-compliant software bill of materials from any supported manifest, preparing your project for compliance audits and regulatory requirements. It also includes Dockerfile scanning to analyze container base images for known vulnerabilities, providing direct links to Red Hat's Ecosystem Catalog for hardened alternatives. Additinoally, you can use selective exclusion to mark specific dependencies to skip with exhortignore comments, while development or test dependencies are automatically excluded from analysis.

    Getting started in 60 seconds

    1. Open VS Code.
    2. Search for "Red Hat Dependency Analytics" in the Extensions Marketplace.
    3. Select Install.
    4. Open any supported manifest file in your project.

    That's it. No configuration required. No accounts to create. No tokens to manage.

    For advanced setups (including custom backend URLs, proxy configuration, Python virtual environments, Maven/Gradle wrapper preferences), check the extension documentation.

    The bottom line

    AI coding tools are here to stay. 42% of all code is now AI-generated or AI-assisted, and that number is only going up. The productivity gains are real. But so are the risks.

    The answer isn't to stop using AI. It's to add guardrails that work at AI speed.

    Dependency analytics 1.0 is that guardrail. It sits in the one place every developer already looks—the editor—and helps catch the vulnerabilities that AI tools introduce before they ever reach production.

    Install it now and let your AI agent vibe. Safely.

    Dependency analytics is open source under the Apache 2.0 license. Report issues or contribute at github.com/fabric8-analytics/fabric8-analytics-vscode-extension.

    Related Posts

    • Automate dependency analytics with GitHub Actions

    • Vulnerability analysis for Golang applications with Red Hat CodeReady Dependency Analytics

    • Connect EvalHub to protected production model servers

    • Configure input guardrails for an OpenShift AI voice agent

    • Every layer counts: Defense in depth for AI agents with Red Hat AI

    • Deploy secure agentic AI: Protocols and performance tuning

    Recent Posts

    • Visualize your cluster: Manage observability with Red Hat build of Perses

    • Why your RBAC linter misses privilege escalation chains (and how to fix it)

    • Dependency analytics 1.0: AI coding with supply chain security

    • Understanding Argo CD ApplicationSets - Parameters (Part 1)

    • Smarter data generation for faster Speculator training

    What’s up next?

    Learning Path Red Hat AI

    How to run AI models in cloud development environments

    This learning path explores running AI models, specifically large language...
    Red Hat Developers logo LinkedIn YouTube Twitter Facebook

    Platforms

    • Red Hat AI
    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform
    • See all products

    Build

    • Developer Sandbox
    • Developer tools
    • Interactive tutorials
    • API catalog

    Quicklinks

    • Learning resources
    • E-books
    • Cheat sheets
    • Blog
    • Events
    • Newsletter

    Communicate

    • About us
    • Contact sales
    • Find a partner
    • Report a website issue
    • Site status dashboard
    • Report a security problem

    RED HAT DEVELOPER

    Build here. Go anywhere.

    We serve the builders. The problem solvers who create careers with code.

    Join us if you’re a developer, software engineer, web designer, front-end designer, UX designer, computer scientist, architect, tester, product manager, project manager or team lead.

    Sign me up

    Red Hat legal and privacy links

    • About Red Hat
    • Jobs
    • Events
    • Locations
    • Contact Red Hat
    • Red Hat Blog
    • Inclusion at Red Hat
    • Cool Stuff Store
    • Red Hat Summit
    © 2026 Red Hat

    Red Hat legal and privacy links

    • Privacy statement
    • Terms of use
    • All policies and guidelines
    • Digital accessibility

    Chat Support

    Please log in with your Red Hat account to access chat support.