Skip to main content
← Back to blog
guides

DevSecOps Checklist for AI Supply Chains 2026

This 2026 DevSecOps checklist adds critical pre-execution controls for AI projects, focusing on repository quarantine, behavior-based scanning of dependencies and MCP servers, and CI/CD integration to stop supply chain threats before code runs.

Reece Frazier
·February 27, 2026
Share

A modern DevSecOps checklist for AI projects in 2026 must extend beyond CVE scanning to include mandatory pre-execution controls. This framework requires quarantining repositories before they run, using behavior-based CLIs like Sigil alongside traditional SAST/SCA tools, sandboxing untrusted code, scanning MCP servers and plugins, and enforcing these checks in CI/CD pipelines to ensure no AI agent code executes unscreened.

Why AI and Agent-Heavy Projects Need a Different DevSecOps Checklist

Traditional application security focuses on known vulnerabilities (CVEs) in your own code and direct dependencies. AI agent projects introduce a fundamentally different risk profile that demands a revised checklist.

First, the attack surface expands dramatically. AI agents and their tooling pull in a vast, dynamic graph of dependencies-npm packages, PyPI libraries, GitHub repos, and now Model Context Protocol (MCP) servers-often without human review. According to recent software supply chain reports, AI-heavy projects pull far more unvetted dependencies than traditional apps.

Second, the threat model shifts. Malicious actors are increasingly exploiting the execution phase of dependencies, not just their static code. Threats like invisible postinstall hooks, obfuscated eval() statements, and outbound data exfiltration payloads are behavior-based. Data indicates that behavior-only threats often bypass CVE-focused SCA tools, leaving AI agents particularly exposed.

Finally, the development velocity is higher. AI tooling encourages rapid experimentation. If security checks are slow or break the flow, developers will bypass them. Your checklist needs tools that are fast, local, and integrate seamlessly into existing git clone and npm install workflows to be adopted.

DevSecOps Checklist for AI Supply Chain Security

Follow this step-by-step checklist to implement a robust security posture for your AI agent repositories, dependencies, and MCP tooling. 2026 studies reveal that teams with formal DevSecOps checklists detect supply chain issues significantly earlier in the lifecycle.

  1. Quarantine Repositories Before Execution. Intercept git clone, pip install, or npm install commands with a security wrapper that analyzes the code before it runs any install scripts or hooks on your machine.

  2. Scan Dependencies with Behavior-Based Analysis. Use a CLI tool that performs parallel analysis for installation hooks, suspicious code patterns, network call attempts, credential access, obfuscation, and provenance-returning a risk verdict in seconds.

  3. Sandbox or Firewall Untrusted Code. For code that must run but is deemed risky, execute it in an isolated container or virtual environment with strict network egress controls to prevent data exfiltration.

  4. Scan MCP Servers and Plugins Before Use. Apply the same quarantine and scanning principle to MCP servers. Validate their configuration and intended behavior before allowing an AI agent to connect and execute their capabilities.

  5. Enforce Gates in CI/CD Pipelines. Automate the quarantine and scanning steps in your GitHub Actions, GitLab CI, or Jenkins pipelines. Fail the build if a high-risk dependency is introduced.

  6. Monitor and Audit All Scans. Maintain a searchable log of all scans, verdicts, and overrides. This is crucial for forensic analysis and demonstrating compliance.

  7. Educate and Empower Your Team. Provide easy aliases and IDE integrations (VS Code, JetBrains) so using the security tool is the default, frictionless path for every developer.

Pre-Execution vs Runtime Security Tools Comparison

Pre-Install Quarantine vs Runtime Sandboxing: When to Use Each

Security Layer Primary Goal Example Tools Best For
Pre-Execution Quarantine (Sigil) Prevent malicious code from EVER executing on dev machines or in CI. Sigil CLI Stopping install hook malware, obfuscated payloads, pre-review execution.
Software Composition Analysis (SCA) Identify known vulnerabilities (CVEs) in open-source dependencies. Snyk, Dependabot, Trivy Managing patch urgency for publicly disclosed vulnerabilities.
Runtime Application Security (RASP) Detect and block attacks while the application is running. Various commercial RASP solutions Protecting production workloads from active exploitation.
Sandboxing / Containerization Limit the blast radius of code that must execute. Docker, gVisor, Firecracker Testing untrusted code or isolating risky workloads.

This is a critical architectural decision in your AI supply chain security strategy. Understanding the tradeoffs ensures you apply the right control at the right time.

Pre-Install Quarantine (Proactive Blocking)

  • What it is: Intercepting and analyzing code before it executes any instructions on your system.

  • Core Advantage: Prevention. It stops the attack before it starts. Research shows that pre-execution scanning would have blocked many recent supply chain incidents involving malicious packages.

  • Use Case: This is your first and primary defense for any third-party code being pulled into your environment-npm packages, PyPI libs, git repos, and MCP servers. It's non-negotiable for developer laptops and CI/CD pipelines.

  • Tool Example: Sigil replaces git clone with sigil clone, analyzing the repository in parallel and giving a clear allow/block verdict before the code touches your filesystem.

Runtime Sandboxing (Containment)

  • What it is: Allowing code to execute, but within a highly restricted environment (e.g., container, VM) that limits its access to the network, filesystem, and host.

  • Core Advantage: Containment. It allows you to run potentially risky code for analysis or testing without endangering your core systems.

  • Use Case: Secondary, controlled environments. Use sandboxing for dynamic analysis of suspicious packages, testing unreviewed code in CI, or as a safety net for workloads that have passed quarantine but still carry residual risk.

The Verdict: Implement pre-install quarantine as your universal gatekeeper. Use runtime sandboxing for specific, high-risk scenarios where execution is necessary. Quarantine prevents the incident; sandboxing contains the fallout.

Build your toolchain around fast, developer-centric CLIs that can be scripted and integrated into automation. Here are the key categories and leading options.

1. Pre-Execution Quarantine & Behavior Analysis

  • Sigil (Open Source / Pro): The specialist for this task. Its six-phase parallel analysis (hooks, patterns, network, creds, obfuscation, provenance) is purpose-built to catch behavior-based threats in AI tooling. The free CLI is fully offline and fast (<3 sec), making it ideal for developer workflows and CI. Pro adds cloud intelligence and team features.

  • Alternatives: While some SAST tools can be run pre-commit, they are not optimized for the speed and specific threat model (install hooks, exfil) of dependency quarantine.

2. Software Composition Analysis (SCA) for CVEs

  • Snyk, Dependabot, Trivy: These are essential complements to Sigil. They excel at finding known vulnerabilities in your dependency tree and advising on upgrades. Use them after Sigil's quarantine check to cover the full spectrum of static and behavioral risks.

3. Infrastructure as Code (IaC) & Container Scanning

  • Checkov, Terrascan, Trivy (again): Secure the deployment environment for your AI agents. Scan Dockerfiles, Kubernetes manifests, and Terraform code for misconfigurations in your CI pipeline.

4. Secret Detection

  • Gitleaks, TruffleHog: Scan your code repositories for accidentally committed API keys, passwords, and tokens. Integrate these as pre-commit hooks and in CI.

Integrating these tools creates a defense-in-depth strategy: Sigil blocks the novel, behavioral threats at the door; SCA manages known vulnerability patching; IaC scanning secures the runtime platform.

How to Choose the Right CLI Tool for Your Team

When evaluating security CLIs, especially for pre-execution scanning, prioritize these criteria:

  • Speed: It must be faster than the native command it replaces (git clone, npm install). Sub-5-second verdicts are ideal.

  • Accuracy & Focus: Low false-positive rate for the threats you care about (malicious install hooks, obfuscation).

  • Developer Experience: Zero configuration, easy shell aliases (alias clone='sigil clone'), and clear output.

  • Integration: Native support for your CI/CD system (GitHub Actions, GitLab CI) and package ecosystems (npm, PyPI, MCP).

  • Deployment Model: Can it run fully offline/air-gapped for sensitive environments?

  • Licensing & Cost: Open source core for transparency and community trust, with clear commercial terms for advanced features.

How to Integrate Quarantine and Scanning into CI/CD and Workflows

Automation is what turns a checklist into an enforced standard. According to the DevSecOps Fundamentals Guidebook, integration into existing toolchains is a critical success factor.

For Individual Developers:

  • Add aliases to your shell profile: alias git='sigil git' or alias clone='sigil clone'.

  • Install the Sigil VS Code or JetBrains extension to get risk warnings directly in your editor when adding dependencies.

  • Use a pre-commit hook to scan any newly added git submodules or vendored code.

For CI/CD Pipelines (GitHub Actions Example):

```yaml name: Security Scan on: [push, pull_request]

jobs: quarantine-scan: runs-on: ubuntu-latest steps:

  • name: Checkout code

uses: actions/checkout@v4

  • name: Scan dependencies with Sigil (Pre-Execution)

uses: sigil-security/sigil-action@v1 with: path: '.' # Scans the repo fail-on-risk: high # Fails the build on high-risk findings

sca-scan: runs-on: ubuntu-latest steps:

  • name: Run Snyk for CVE scanning

uses: snyk/actions/node@master env: SNYKTOKEN: ${{ secrets.SNYKTOKEN }} ```

For MCP Server Security:

  • Before adding a new MCP server to your mcpserverconfig.json, download its source or bundle and run it through Sigil: sigil clone.

  • Create a CI job that periodically re-scans the configured MCP servers for updates.

DevSecOps Checklist Template You Can Adopt Today

Copy this template into your team's security documentation and start implementing each item.

AI Supply Chain Security Checklist (2026)

Phase 1: Pre-Execution (Mandatory)

  • [ ] Quarantine All Third-Party Code: Replace git clone, npm install, pip install with a security-wrapped command (e.g., sigil clone) for all developers.

  • [ ] Scan MCP Servers: Apply the same quarantine process to any MCP server before adding it to an agent's configuration.

  • [ ] Enforce in CI: Add a pre-execution scan step to all CI/CD pipelines that fails the build on high-risk verdicts.

Phase 2: Static Analysis & Hygiene

  • [ ] SCA for CVEs: Run a software composition analysis tool (Snyk, Dependabot) in CI to flag known vulnerabilities.

  • [ ] Secret Detection: Use gitleaks or similar in pre-commit and CI to block commits containing secrets.

  • [ ] SAST: Run static application security testing on your own agent code.

Phase 3: Runtime & Monitoring

  • [ ] Sandbox Risky Execution: Define a process for running code that requires execution but is untrusted (e.g., in a disposable container).

  • [ ] Audit Logging: Ensure all scan results-passes, failures, and overrides-are logged to a centralized, searchable system.

  • [ ] Regular Review: Schedule quarterly reviews of this checklist, scan logs, and tooling effectiveness.

Adopting this template creates a clear, actionable roadmap. Start with Phase 1 to establish the critical preventive barrier, then build out the other phases for comprehensive coverage.

What should a DevSecOps checklist include for AI agent projects?

A DevSecOps checklist for AI agent projects must include mandatory pre-execution quarantine of all third-party code (repos, npm/PyPI packages, MCP servers) using behavior-based scanning tools. It should also integrate traditional CVE scanning (SCA), secret detection, and CI/CD enforcement gates. Crucially, it needs specific steps for sandboxing untrusted code and auditing all scan activity, tailored to the rapid, dependency-heavy nature of AI development.

How do I safely quarantine and scan code repositories before running them?

Use a dedicated security CLI tool designed for pre-execution analysis. Replace your standard commands with wrapped versions; for example, use sigil clone instead of git clone. This tool should intercept the download, analyze the code for malicious behaviors like hidden install hooks or obfuscated payloads in parallel, and provide a clear allow/block verdict-all before any code from the repository executes on your machine or in your CI environment.

Which DevSecOps CLI tools are best for securing npm and PyPI dependencies?

For pre-execution behavioral security, Sigil is a top choice as it directly intercepts npm install and pip install commands. For comprehensive CVE coverage, use Snyk or Dependabot in tandem. For secret scanning, integrate Gitleaks. The best stack uses Sigil to block novel, behavioral threats first, then SCA tools to manage known vulnerability patching as a complementary layer.

How can I scan MCP servers and plugins before they execute on my machine?

Treat MCP servers like any other third-party code dependency. Before configuring an agent to use a new MCP server, download its source code or bundle and run it through your pre-execution quarantine scanner (e.g., sigil clone). This analyzes the server's code for risky behaviors, ensuring it is safe before your AI agent connects to it and begins executing its capabilities locally.

When should I use pre-install quarantine versus runtime sandboxing in DevSecOps?

Use pre-install quarantine as your primary, universal gatekeeper for all incoming third-party code. Its goal is prevention-stopping malicious code from ever executing. Use runtime sandboxing as a secondary containment measure for specific scenarios where you must execute code that is still considered risky (e.g., for dynamic analysis, testing, or evaluating unreviewed contributions). Quarantine should be the default; sandboxing is for exceptions.

Key Takeaways

  • Research shows that pre-execution scanning would have blocked many recent software supply chain incidents involving malicious packages.

  • According to 2026 studies, teams with formal DevSecOps checklists detect supply chain issues significantly earlier in the lifecycle.

  • AI-heavy projects pull in a far greater volume of unvetted dependencies than traditional applications, expanding the attack surface.

  • Behavior-based threats like hidden install hooks often bypass traditional CVE-focused security tools, requiring specialized pre-execution analysis.

Protect your AI agent code

Scan every repo, package, and MCP server before it runs.

Eight-phase analysis in under 3 seconds. Free and open source.

Get StartedRead the Docs

Subscribe to Sigil threat research

New threat analysis, detection signatures, and security research delivered to your inbox.