Black Duck has introduced AI-driven capabilities to Coverity, its static application security testing tool, marking the first time artificial intelligence features have been integrated into the two-decade-old product. The update addresses persistent challenges in application security testing, particularly the high rate of false positives that plague C and C++ code analysis, while adding compliance features tied to upcoming European Union regulatory requirements.
The centerpiece of the release is an AI-assisted issue triage system designed to reduce false positives in C and C++ findings while improving triage accuracy across Coverity's full range of supported languages. Black Duck emphasized that customers can run these AI features against their own choice of large language model rather than relying on vendor-hosted services, giving organizations control over where code and scan data are processed. This approach targets regulated industries and organizations with strict data governance requirements that prohibit sending sensitive code to external services.
The update includes a Model Context Protocol server that allows AI coding agents to trigger local Coverity scans and retrieve security and quality findings directly within their workflow. This integration enables agentic tools to act on deterministic, reproducible scan output rather than depending solely on probabilistic model judgments about code safety. Additionally, a new checker adds AI-powered detection of Insecure Direct Object Reference vulnerabilities in JavaScript and TypeScript codebases, addressing a class of flaw that frequently appears in API-related security breaches when applications expose internal identifiers without proper authorization checks.
With reporting deadlines under the EU Cyber Resilience Act approaching, Black Duck introduced two compliance-focused features. A Security Impact Lens allows users to sort and filter findings by security priority, applying to security triage the same prioritization approach Coverity has historically used for code quality issues. A CRA-aligned checker option maps scan results directly to the vulnerability management and cybersecurity obligations outlined in the regulation. The update also extends language support to Rust 1.92 and introduces a redesigned user interface with improved navigation and issue filtering.
All new capabilities are now generally available to existing Coverity customers without changes to the deterministic, auditable scanning foundation the product is built on. Organizations can access the AI-powered features immediately, with detailed implementation guidance available through the Coverity Documentation Portal. Security and development teams should evaluate how the AI triage capabilities might reduce manual review workloads while assessing whether the CRA-aligned features address their specific regulatory compliance requirements.
Source: https://www.itsecurityguru.org/2026/07/14/black-duck-adds-ai-powered-triage-and-cra-ready-checks-to-coverity-static-analysis


