What happened
Announced June 23, 2026 (GA June 29), Snyk Evo ADS adds a three-layer enforcement plane: (1) agent supply chain security, which scans MCP servers and skills for known vulnerabilities and for prompt injection in tool descriptions; (2) real-time agent behaviour governance, which enforces policies before actions execute; (3) trusted code generation assessment, which ensures AI-generated code is scanned at inception, before commit. According to Snyk telemetry from ~10,000 developer environments, 50.8% already have live MCP connections, 1-in-12 has a HIGH/CRITICAL finding today, and 4,524 unique MCP server configs were detected.
Why it matters
Snyk is the dominant developer-security platform (millions of devs); embedding agentic security inside the developer workflow, not as a separate product, is the highest-leverage distribution model in this market. The supply-chain scanning for MCP servers fills a gap that no other vendor covers at this scale.
Applicability
DevSecOps and AppSec teams using Snyk should activate Evo ADS immediately; this is especially critical for orgs where developers use AI coding assistants with MCP integrations.