According to Black Duck, supply chain governance must be modernised as rapid development from AI coding tools outpaces current approaches.
The integration of assistants like GitHub Copilot, Cursor, and Windsurf into daily engineering workflows accelerates feature delivery while simultaneously increasing compliance and vulnerability exposure.
According to the 2026 Open Source Security and Risk Analysis (OSSRA) report from Black Duck – which analysed 947 codebases across 17 industries – open-source components are now effectively universal, appearing in 98 percent of commercial codebases.
This ubiquitous usage means almost every application automatically inherits third-party risk. Codebase complexity is escalating at an unprecedented rate, with the number of files per project growing 74 percent year-over-year and average open source component counts increasing by 30 percent.
Jason Schmitt, CEO at Black Duck, said: “AI has fundamentally changed the economics of software development—and with it, the economics of software risk. This year’s OSSRA findings underscore a truth the industry can no longer ignore: the pace at which software is created now exceeds the pace at which most organisations can secure it.”
AI coding becomes a supply chain threat multiplier
For platform engineering leads optimising the developer experience, this rapid expansion introduces acute governance challenges. Security tooling sized for human-speed programming struggles to keep up with the volume of dependencies that AI-assisted workflows pull in.
Consequently, the mean number of open-source vulnerabilities per codebase jumped by 107 percent in a single year, reaching an average of 581. Much of this threat landscape is highly active, with 65 percent of surveyed organisations experiencing a software supply chain attack in the past year.
Malicious actors frequently exploit the trust models of central registries. Recent coordinated campaigns, such as PhantomRaven, bypassed static analysis of the published package by delivering and executing their payloads during installation, so registry-side scanning of the package contents found nothing. The Shai-Hulud worm automated its own spread by harvesting developer credentials and using them to push compromised updates across multiple packages.
Furthermore, legacy components remain a persistent threat; eight of the top ten high-risk vulnerabilities identified in 2025 stemmed from outdated jQuery versions. The top vulnerability affecting jQuery, CVE-2020-11023, a cross-site scripting flaw fixed in jQuery 3.5.0, is actively exploited and listed in the Known Exploited Vulnerabilities catalogue managed by CISA.
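The two failure modes in the passage above, code that runs at install time and a vulnerable bundled jQuery, can be checked locally before a package ever reaches CI. The following is an added example written for this page, not Black Duck's tooling and not code from the campaigns named above. It walks package.json manifests (constructed inline, with hypothetical package names) and flags install lifecycle scripts, dependency specifiers that resolve outside the registry (a general hygiene check that generalises beyond the page), and jQuery versions below 3.5.0, the release that fixed CVE-2020-11023.

```python
"""Install-time audit of an npm dependency tree.

Added example, not Black Duck's tooling. The manifests below are constructed
inline as they would be read from node_modules/*/package.json; package names
are hypothetical.

Flags:
  * lifecycle scripts that execute at install time (the vector the article
    attributes to PhantomRaven),
  * dependency specifiers that resolve outside the registry (http/git/file),
    which registry-side scanning of the published tarball never sees
    (assumption: a general hygiene check, not a detail of any one campaign),
  * bundled jQuery below 3.5.0, the first release fixing CVE-2020-11023.
"""
import re

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
NON_REGISTRY = re.compile(r"^(https?://|git(\+\w+)?://|git@|github:|file:)")
JQUERY_FIXED = (3, 5, 0)


def parse_version(v: str) -> tuple:
    """'3.4.1' or 'v3.5.0-rc1' -> (3, 4, 1); prerelease/build suffixes dropped."""
    core = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in core.groups())


def jquery_affected(version: str) -> bool:
    """True if this jQuery version predates the CVE-2020-11023 fix (3.5.0)."""
    return parse_version(version) < JQUERY_FIXED


def audit_manifest(manifest: dict) -> list:
    """Return (severity, finding) tuples for one package.json dict."""
    name = manifest.get("name", "<unnamed>")
    version = manifest.get("version", "0.0.0")
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(("high", f"{name}@{version}: runs '{hook}' at install time: {scripts[hook]}"))
    for field in ("dependencies", "optionalDependencies"):
        for dep, spec in manifest.get(field, {}).items():
            if NON_REGISTRY.match(spec):
                findings.append(("high", f"{name}@{version}: {dep} resolved outside the registry ({spec})"))
    if name == "jquery" and jquery_affected(version):
        findings.append(("high", f"jquery@{version}: vulnerable to CVE-2020-11023 (fixed in 3.5.0), CISA KEV-listed"))
    return findings


def audit_tree(manifests: list) -> list:
    """Audit every manifest in an installed tree and collect the findings."""
    out = []
    for m in manifests:
        out.extend(audit_manifest(m))
    return out


# Constructed sample manifests; names, scripts and URLs are illustrative only.
SAMPLE_TREE = [
    {"name": "app-widget", "version": "1.3.0", "dependencies": {"example-util": "^4.17.21"}},
    {"name": "jquery", "version": "3.4.1"},
    {"name": "color-util-x", "version": "0.9.2",
     "scripts": {"preinstall": "node setup.js"},
     "dependencies": {"telemetry-helper": "http://packages.example.invalid/telemetry-helper.tgz"}},
]

if __name__ == "__main__":
    for sev, msg in audit_tree(SAMPLE_TREE):
        print(f"[{sev}] {msg}")
```

Run it over the manifests under node_modules after a dry install, or install with lifecycle scripts disabled (`npm ci --ignore-scripts`) and treat every flagged package as something to review rather than an exception to approve.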
The invisible licensing gap
Licence compliance presents another area of escalating operational risk. Two-thirds of audited commercial codebases currently harbour licence conflicts, the highest rate recorded in the history of the OSSRA report. The 12 percentage point year-over-year increase (rising from 56% to 68%) marks the largest single-year jump the study has recorded.
The sheer number of components in modern cloud-native applications drives this trend, with the average 2026 project containing 1,180 components. Since 64 percent of open source components are transitive dependencies, pulled in by other dependencies rather than chosen by the project, developers routinely inherit legal terms they never explicitly reviewed.
Generative code models complicate licence compliance further. Assistants trained on vast public repositories can reproduce code snippets subject to restrictive copyleft terms, such as the GPL or AGPL, increasing legal and licensing exposure. Nothing within the generated output indicates its origin, creating an invisible compliance gap.
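The transitive-inheritance problem described above is easy to measure from a lockfile. What follows is an added example written for this page, not the OSSRA methodology or Black Duck's product: it reads the `packages` map of an npm lockfileVersion 3 file, resolves each package's dependencies with npm's nearest-node_modules-first rule, separates direct from transitive packages, and reports the transitive share along with any transitive package carrying a copyleft or missing licence. The lockfile, package names and licences are constructed for illustration.

```python
"""Direct vs. transitive dependency and licence audit over an npm lockfile.

Added example, not Black Duck's tooling. In lockfileVersion 3 the 'packages'
map is keyed by node_modules path; the "" entry is the root project. A
nested key such as "node_modules/a/node_modules/b" means package a got its
own copy of b, which is exactly the case a flat name list misses.
"""
import json
from collections import deque

COPYLEFT = ("GPL", "AGPL", "LGPL", "SSPL", "EUPL")


def resolve(packages: dict, parent_path: str, dep: str):
    """Lockfile key for `dep` as seen from `parent_path`: nearest node_modules first."""
    path = parent_path
    while True:
        candidate = f"{path}/node_modules/{dep}" if path else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not path:
            return None
        # climb one level: "node_modules/a/node_modules/b" -> "node_modules/a" -> ""
        path = path.rsplit("/node_modules/", 1)[0] if "/node_modules/" in path else ""


def classify(lockfile: dict) -> dict:
    """Partition installed packages into direct and transitive; flag inherited licence risk."""
    packages = lockfile["packages"]
    root = packages[""]
    direct_names = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    direct = {resolve(packages, "", n) for n in direct_names} - {None}
    seen, queue = set(direct), deque(direct)
    while queue:  # breadth-first walk of the resolved dependency graph
        key = queue.popleft()
        for dep in packages[key].get("dependencies", {}):
            target = resolve(packages, key, dep)
            if target and target not in seen:
                seen.add(target)
                queue.append(target)
    transitive = seen - direct
    report = {
        "direct": sorted(direct),
        "transitive": sorted(transitive),
        "transitive_share": round(100 * len(transitive) / len(seen)) if seen else 0,
        "copyleft_transitive": [],
        "unlicensed_transitive": [],
    }
    for key in sorted(transitive):
        lic = packages[key].get("license")
        if lic is None:
            report["unlicensed_transitive"].append(key)
        elif any(tag in lic.upper() for tag in COPYLEFT):
            report["copyleft_transitive"].append((key, lic))
    return report


# Constructed lockfile: hypothetical package names, versions and licences.
SAMPLE_LOCKFILE = json.loads("""
{
  "name": "example-app", "lockfileVersion": 3, "requires": true,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0",
         "dependencies": {"web-kit-x": "^2.1.0", "chart-lite": "^1.4.0"}},
    "node_modules/web-kit-x": {"version": "2.1.3", "license": "MIT",
         "dependencies": {"dom-helper": "^3.0.0", "pdf-render-x": "^0.8.0"}},
    "node_modules/chart-lite": {"version": "1.4.2", "license": "Apache-2.0",
         "dependencies": {"dom-helper": "^2.0.0"}},
    "node_modules/dom-helper": {"version": "3.0.1", "license": "MIT"},
    "node_modules/chart-lite/node_modules/dom-helper": {"version": "2.5.0", "license": "MIT"},
    "node_modules/pdf-render-x": {"version": "0.8.4", "license": "AGPL-3.0-only",
         "dependencies": {"zlib-shim": "^1.0.0"}},
    "node_modules/zlib-shim": {"version": "1.0.0"}
  }
}
""")

if __name__ == "__main__":
    print(json.dumps(classify(SAMPLE_LOCKFILE), indent=2))
```

The nested resolution matters in practice: the sample tree installs two copies of `dom-helper`, and a report that only counts names would miss one of them and undercount the transitive share. An AGPL component that arrives two hops below a direct MIT dependency is the kind of inherited term the passage above describes, and it surfaces here without anyone having chosen it.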
At present, 76 percent of surveyed organisations check AI-generated code in their supply chain for security risks, but only 54 percent evaluate it for intellectual property and licence exposure, and just 56 percent assess quality issues. Altogether, only 24 percent perform comprehensive IP, licence, security, and quality evaluations for AI-generated code.
Additionally, the integration of machine learning models directly into production environments creates an entirely new and unregulated attack surface.
Navigating maintenance debt
Behind these immediate security and legal concerns lies the compounding issue of maintenance debt.
Software obsolescence is pervasive, with 93 percent of 2026 codebases containing components that have seen no development activity in over two years. These abandoned projects leave engineering teams exposed when new vulnerabilities surface, as there is no active maintainer to issue a patch.
The friction of updating dependencies, which often requires extensive refactoring and regression testing, causes teams to delay maintenance in favour of feature delivery.
This accumulation of technical debt directly threatens compliance with upcoming international regulations. The European Union Cyber Resilience Act, for example, will mandate comprehensive vulnerability handling for products with digital elements placed on the EU market.
The 2026 OSSRA report warns that organisations cannot comply with these incoming regulations unless they track AI models with the same rigour as open-source components, improve Software Bill of Materials (SBOM) accuracy, and develop transparent AI usage policies.
To navigate this environment, technical leaders must establish strict governance around third-party and AI-generated code in their supply chain, seamlessly integrating software composition analysis platforms directly into the CI/CD pipeline.
Engineering teams must evaluate the long-term maintenance trajectory of any open-source library before adding it to a project. Visibility has become the new currency of trust; organisations must know exactly what resides in their software before customers and regulators demand answers.
Maintaining continuous visibility into dependency health and automating vulnerability response processes will be essential for protecting enterprise ROI and satisfying imminent regulatory mandates.
“Companies that fail to modernise their supply chain governance risk falling behind not only technologically, but competitively,” Schmitt concludes.
Developer is powered by TechForge Media.