Salt Security has introduced Salt Code, a new component of its agentic security platform designed to address a growing concern among many organizations: the rapid growth of AI-generated code outpaces security teams’ ability to review it. The company presents it as a solution to enforce security policies directly within tools like Claude Code, Cursor, GitHub Copilot, Windsurf, Kiro, Codex, Gemini CLI, or Antigravity, from the initial prompt all the way to deployment.
This announcement reflects a significant shift in software development. AI is no longer just used to complete isolated lines or speed up repetitive tasks. Many organizations are now leveraging AI to write entire components, generate APIs, modify configurations, propose integrations, and participate in increasingly autonomous workflows. The problem is that these assistants don’t inherently understand a company’s internal policies, regulatory requirements, architectural standards, or security decisions.
The New Risk of AI-Generated Code
Salt Security starts from an uncomfortable premise: traditional security tools are too late. SAST, DAST, code reviews, and controls within CI/CD remain necessary but typically detect issues after the code has been written. Correcting these issues at that point involves rewriting, opening tickets, delaying deployments, and negotiating priorities between development and security teams.
With Salt Code, the goal is to shift validation to the moment of creation. The idea is for the programming assistant to generate code that aligns with organizational policies by default—eliminating the need for developers to remember to include security instructions in prompts or to consult internal guidelines stored in a wiki.
The context explains why this approach is becoming increasingly relevant. Salt cites market data showing that GitHub Copilot is deployed in 90% of Fortune 100 companies and reached 4.7 million paid subscribers in January 2026. It also notes that programming assistants already generate 46% of code written on GitHub, while a 2026 Sonar survey estimates that 42% of enterprise code is generated or assisted by AI, with projections exceeding 50% in 2027.
The most concerning figure pertains to security. According to Veracode tests cited by Salt, 45% of the code samples that language models produced for security-sensitive tasks contained OWASP Top 10 vulnerabilities. The company also cites a CodeRabbit analysis that found 2.74 times more vulnerabilities in AI-generated pull requests than in those written by humans. As with all such data, the methodology and context matter, but the overarching message is clear: as AI writes a growing share of software, it can also reproduce insecure patterns at scale.
| Area | What Salt Code Proposes | Why it Matters |
|---|---|---|
| Code Generation | Applies policies during the assistant’s writing process | Prevents certain errors from entering the code from the start |
| Unified Governance | Defines standards once and enforces them across multiple environments | Reduces discrepancies between teams, assistants, and repositories |
| MCP | Uses servers compatible with the Model Context Protocol | Enables integration with modern assistants and agentic workflows |
| CI/CD | Validates policies within the pipeline | Blocks violations before deployment |
| Runtime | Monitors APIs, MCP, and agents in operation | Verifies real-world behavior, not just design |
| Remediation | Feeds findings back into the developer workflow | Facilitates actionable fixes and continuous improvement |
| Integrations | GitHub, GitLab, Bitbucket, VS Code, Jira, ServiceNow, and CI/CD | Fits into existing development and security tools |
Security Policies Embedded in Code
The core of Salt Code is Salt’s Posture Governance Engine, a policy layer that defines security and compliance standards and applies them throughout the lifecycle. This new solution extends that model into three critical layers for agentic systems: code, control plane configurations, and runtime behavior.
The company offers a library of preconfigured policies covering OWASP API Top 10, MCP Security Top 10, LLM Security Top 10, OpenAPI/Swagger compliance, and common regulatory frameworks. It also allows organizations to add their own policies—essential for companies with internal rules regarding authentication, authorization, secret management, API exposure, sensitive data handling, or architectural patterns.
A key technical enabler is MCP, the Model Context Protocol, originally developed by Anthropic and adopted by OpenAI, Google, and Microsoft. MCP enables AI assistants to connect to external context and tools. Salt Code uses this approach to integrate with compatible assistants and workflows, allowing security policies to influence the generation and review process.
The promise is ambitious: a single standard applied to all developers, from senior teams to less technical roles engaged in “vibe coding” or rapid prototyping. Salt claims this prevents each assistant, repository, or team from operating under different rules.
From Shift Left to Runtime Control
Salt Code is not limited to pre-deployment review. It encompasses five phases: discovery, application during generation, governance within the pipeline, validation at runtime, and remediation. This comprehensive approach is crucial because many security issues aren’t fully understood until an API, MCP integration, or agent begins executing in real-world conditions.
During discovery, Salt Code identifies APIs, MCP servers, and agent integrations in repositories and cloud environments. While generating code, it enforces policies in real time within the assistant. In CI/CD, it validates these policies and blocks violations before deployment. After deployment, it monitors behavior in APIs, integrations, and agents to detect deviations, posture gaps, or anomalies.
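The pipeline stage described above, reduced to its essentials as an added example (not Salt Code's engine or policy format, which the article does not describe): a small policy-as-code gate over an OpenAPI document. The three policies, the helper names and the sample specification are constructed here to show the shape of such a check, evaluate the spec, return a list of violations, and fail the CI step when any remain. The checks correspond to the kind of rules the article's OWASP API Top 10 and OpenAPI-compliance packages would cover (every operation authenticated, no plaintext servers, write operations with a declared input schema).

```python
"""Minimal policy-as-code gate for an OpenAPI document (illustrative, constructed).

Not Salt Code's policy engine: this encodes three hypothetical policies and
runs them over a spec so a CI step can block the merge when violations exist.
"""
from __future__ import annotations

import json
import sys

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def _operations(spec: dict):
    """Yield (path, METHOD, operation) for every operation in the spec."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS and isinstance(op, dict):
                yield path, method.upper(), op


def check_auth_required(spec: dict) -> list[str]:
    """Every operation must carry a security requirement, its own or the global one.

    An explicit `security: []` on an operation opts out of authentication,
    which is exactly the case a broken-authentication policy should catch.
    """
    global_security = spec.get("security")
    violations = []
    for path, method, op in _operations(spec):
        effective = op.get("security", global_security)
        if not effective:  # None (never declared) or [] (explicitly anonymous)
            violations.append(f"{method} {path}: no security requirement")
    return violations


def check_servers_https(spec: dict) -> list[str]:
    """Servers must not advertise plaintext HTTP endpoints."""
    return [
        f"server {s.get('url', '')}: plaintext HTTP"
        for s in spec.get("servers", [])
        if s.get("url", "").startswith("http://")
    ]


def check_write_ops_have_schema(spec: dict) -> list[str]:
    """POST/PUT/PATCH must declare a request body schema so inputs are constrained."""
    violations = []
    for path, method, op in _operations(spec):
        if method not in {"POST", "PUT", "PATCH"}:
            continue
        content = op.get("requestBody", {}).get("content", {})
        if not any("schema" in media for media in content.values()):
            violations.append(f"{method} {path}: request body without schema")
    return violations


POLICIES = [check_auth_required, check_servers_https, check_write_ops_have_schema]


def evaluate(spec: dict) -> list[str]:
    """Run every policy and collect the violations; an empty list means the gate passes."""
    violations: list[str] = []
    for policy in POLICIES:
        violations.extend(policy(spec))
    return violations


# Constructed sample spec with deliberate policy violations (hypothetical host name).
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "servers": [{"url": "http://api.example.invalid"}],
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users": {
            "get": {"responses": {"200": {"description": "ok"}}},
            "post": {"requestBody": {"content": {"application/json": {"schema": {"type": "object"}}}}},
        },
        "/health": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
        "/admin/export": {"post": {"security": [], "requestBody": {"content": {"application/json": {}}}}},
    },
}


def main(argv: list[str]) -> int:
    """CI entry point: read a JSON spec path (or use the sample) and exit non-zero on violations."""
    if argv:
        with open(argv[0], encoding="utf-8") as fh:
            spec = json.load(fh)
    else:
        spec = SAMPLE_SPEC
    violations = evaluate(spec)
    for v in violations:
        print(f"POLICY VIOLATION: {v}")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see the four violations in the constructed spec, or pass the path of a JSON-formatted OpenAPI document; a non-zero exit status is what the pipeline step keys on. The policies are ordinary functions so adding an organization-specific rule is a matter of appending one to `POLICIES`.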
This approach aims for a continuity that is uncommon among security tooling. Typically, one tool reviews code, another scans dependencies, a third protects APIs, and yet another monitors production. Salt seeks to unify these layers under a single policy framework. If successful, security requirements won’t have to be manually translated across documents, pipelines, and runtime alerts.
The announcement also addresses the growing governance challenges in enterprise AI. Organizations rapidly adopt code assistants but often lack visibility into what tools their developers use, what extensions they install, which repositories they touch, what code they generate, or which insecure patterns recur. Salt Code aims to provide a common overlay over this diversity.
For security teams, this can reduce noise by blocking certain errors from reaching the pipeline. For developers, success depends on avoiding opaque blocking mechanisms. Integrated security within assistants must offer understandable corrections, low friction, and responses aligned with the project’s context to be accepted.
Salt Security states that Salt Code has been available since June 1, 2026. Current clients receive it at no additional cost within their existing license. Non-customers can request limited free access through an Early Access program for the first 100 companies. This includes four prebuilt policy packages: OWASP API Top 10, MCP Security Top 10, LLM Security Top 10, and OpenAPI/Swagger compliance.
The launch of Salt Code indicates where the market is heading. As AI becomes more involved in writing code, security can no longer rely solely on post-hoc review. It will need to be integrated into prompts, assistants, repositories, pipelines, and live environments. The key question for organizations is no longer whether their developers use AI to program, but whether that AI generates code within their organization’s defensible boundaries.
FAQs
What is Salt Code?
Salt Code is a Salt Security solution that enforces security and compliance policies within AI programming assistants, development pipelines, and production environments.
Which AI assistants does it support?
Salt Code supports Claude Code, Cursor, GitHub Copilot, Windsurf, Kiro, Codex, Gemini CLI, and Antigravity, along with MCP-compatible workflows and tools such as GitHub, GitLab, Bitbucket, and VS Code.
What problem does Salt Code aim to solve?
It seeks to prevent AI-generated code from introducing vulnerabilities or violating internal policies by applying controls from the moment code is created, rather than only at the end of the pipeline.
What standards does Salt Code include?
Salt Code incorporates policy packages for OWASP API Top 10, MCP Security Top 10, LLM Security Top 10, and OpenAPI/Swagger compliance, with support for custom organizational policies.
via: salt.security

