Salt Code enforces security policies in AI coding tools
Tue, 2nd Jun 2026
Salt Security has launched Salt Code, a tool designed to enforce security policies inside AI coding assistants. The product extends the company's Agentic Security Platform into software development workflows.
Salt Code applies internal security and compliance rules at the point where developers generate code with assistants such as Claude Code, Cursor, GitHub Copilot, Windsurf, Codex and Gemini CLI. It is designed to give security teams a single policy layer across code creation, pipeline checks and runtime monitoring.
The launch comes as AI coding assistants account for a growing share of software development in large companies. Salt cited figures showing GitHub Copilot is deployed at 90% of Fortune 100 companies, while GitHub has said AI assistants now generate 46% of code written by developers on its platform.
That growth has heightened concerns about software flaws introduced by machine-generated code. Salt pointed to Veracode research that found 45% of AI-generated code samples for security-sensitive tasks introduced vulnerabilities from the OWASP Top 10, and to analysis from CodeRabbit that found AI pull requests contained 2.74 times more vulnerabilities than human-written ones.
Policy layer
At the centre of the new product is Salt's Posture Governance Engine, which serves as a common set of policies across different stages of development and deployment. The same policy model can be applied to generated code, control plane settings and runtime behaviour, according to the company.
The tool connects to coding assistants through the Model Context Protocol, an open standard first developed by Anthropic and adopted by several major AI providers. Salt said this approach is intended to let the product work across MCP-compatible assistants and code review workflows rather than tie customers to a single vendor.
Salt Code also includes pre-built policies covering the OWASP API Top 10, MCP Security Top 10, LLM Security Top 10 and OpenAPI or Swagger compliance, alongside support for company-specific rules. In practice, this means security teams can define standards in one place and apply them to developers using different AI tools.
Lifecycle coverage
Salt described the product as spanning five stages of the development lifecycle. It begins with discovery of APIs, MCP servers and AI agent integrations across repositories and cloud environments, then applies policy checks during code generation.
Those checks extend into CI/CD pipelines, where policy violations can be blocked before software reaches production. The final stages cover monitoring in live environments and feeding findings back into development workflows.
The runtime element draws on Salt's existing monitoring engine to track APIs, agents and MCP integrations once systems are deployed. The company added that remediation features are designed to turn runtime findings into fixes for developers and AI assistants, although some automation functions are due later this year.
Salt said the product is generally available for a broad range of AI coding assistants, including Claude Code, Cursor, GitHub Copilot, Windsurf, Kiro, Codex, Gemini CLI and Antigravity. It also integrates with source control, development and pipeline tools including GitHub, GitLab, Bitbucket, VS Code and other IDEs that support MCP server configuration, as well as major CI/CD platforms.
Workflow integrations with Jira and ServiceNow are also included, allowing findings to be routed into existing ticketing systems used by security and operations teams. Current customers will receive Salt Code as part of their existing licence, according to the company.
Market pressure
Security vendors have been moving to address the risks linked to AI-assisted software development as adoption rises across large organisations. Traditional static and dynamic testing tools usually analyse code after it has been written, which can make problems more costly to fix if flawed patterns have spread through a project.
Salt is positioning the new product around earlier intervention, arguing that policy enforcement should happen when code is created rather than after it enters testing and deployment. The argument reflects a broader industry push to move security checks closer to developers and their day-to-day tools.
Roey Eliyahu, Chief Executive Officer and Co-founder of Salt Security, said the product is intended to close the gap between rapid AI-driven development and corporate security controls. "AI is writing code faster than organizations can govern it, whether that AI is Claude, Gemini, Copilot, or the next tool a developer downloads tomorrow. Salt Code changes the equation. For the first time, security policy travels with the code itself, from the first prompt through every stage of the pipeline and into runtime. Organisations no longer have to choose between the speed AI enables and the security their business requires," Eliyahu said.
Christopher M. Steffen, Vice President of Research, Information Security, Risk and Compliance Management at Enterprise Management Associates, said the product adds a code-focused layer to the company's wider security model. "I regularly point organizations toward Salt because the full Agentic Security Graph is genuinely differentiating. Salt Code is the piece that ties it together. With code-level context layered onto runtime behavior, Salt is building a multi-dimensional defense for agentic systems rather than another single-point tool. That is the direction this market needs to move," Steffen said.