New Open Source Project from Kubernetes and Sigstore Creators Prevents Secrets Leakage and Protects Code from Risky Dependencies
Introducing CodeGate: A Lightweight Container for AI Coding Assistants
More than 90% of developers now use AI coding assistants, with the primary motivator being the potential to produce more code and ship faster. However, AI coding assistants like GitHub Copilot and Cursor have under-recognized shortcomings.
The Risks of AI Coding Assistants
“AI coding assistants are chatty. I have seen many instances where they grab data, passwords, and other secrets and pass them on to large language models,” said Luke Hinds, cofounder and CTO at Stacklok. “The risk of course is that your secrets are now part of the training dataset for public models. We built CodeGate to prevent any accidental exposure of secrets, recognizing this was an important starting point in creating value for developers.”
CodeGate: A Solution to the Problem
CodeGate is a new open source project from the team at Stacklok. CodeGate offers software developers that use AI coding assistants their own local privacy controls. Specifically, CodeGate is a single, lightweight container that sits between the AI coding assistant and the large language model; it identifies and encrypts any secrets before they reach the model, and it decrypts those secrets upon return.
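The round trip described above, sketched as an added example that is not CodeGate's own code: secrets are swapped out before the prompt leaves the machine and restored in the model's reply. It substitutes random placeholders held in a local in-memory vault for the encryption the project describes; the `SecretGate` class, the detector patterns and the sample values are all constructed assumptions.

```python
import re
import secrets

# Constructed detectors (assumption: not CodeGate's real rules). Each names the secret as group "v".
# The assignment rule runs first so a quoted value is swapped whole, before narrower rules see it.
PATTERNS = [
    re.compile(r"""(?i)(?:password|passwd|secret|api_key)\s*[=:]\s*["'](?P<v>[^"']+)["']"""),
    re.compile(r"(?P<v>AKIA[0-9A-Z]{16})"),        # AWS access key ID shape
    re.compile(r"(?P<v>ghp_[A-Za-z0-9]{36})"),     # GitHub personal access token shape
]
TOKEN_RE = re.compile(r"REDACTED<[0-9a-f]{16}>")


class SecretGate:
    """Hypothetical local gate: swaps secrets for placeholders outbound, restores them inbound."""

    def __init__(self):
        self._vault = {}  # placeholder -> secret; stays in local memory
        self._seen = {}   # secret -> placeholder, so a repeated secret gets one stable token

    def _token(self, secret):
        if secret not in self._seen:
            tok = f"REDACTED<{secrets.token_hex(8)}>"
            self._seen[secret] = tok
            self._vault[tok] = secret
        return self._seen[secret]

    def _swap(self, m):
        # Replace only the captured value, keeping the surrounding key name and quotes.
        text, a, b = m.group(0), m.start("v") - m.start(), m.end("v") - m.start()
        return text[:a] + self._token(m.group("v")) + text[b:]

    def outbound(self, prompt):
        """Text that is safe to forward to the model."""
        for pat in PATTERNS:
            prompt = pat.sub(self._swap, prompt)
        return prompt

    def inbound(self, completion):
        """Restore known placeholders; unknown or altered ones are left untouched."""
        return TOKEN_RE.sub(lambda m: self._vault.get(m.group(0), m.group(0)), completion)


if __name__ == "__main__":
    gate = SecretGate()
    sent = gate.outbound('db_password = "constructed-pw"  # constructed sample')
    print(sent)
    print(gate.inbound(sent))
```

Pattern-based detection only catches secret shapes it has a rule for, so a gate like this reduces accidental exposure rather than guaranteeing that nothing sensitive leaves the machine.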
Additional Features of CodeGate
“Developers that use AI coding assistants face another critical issue,” warned Hinds. “Large language models have training cutoff dates that are typically 12 or more months in the past. That means they lack up-to-date knowledge of dependencies that have become deprecated or dangerous; they can recommend or even merge these high-risk dependencies into code.”
CodeGate maintains a constantly updated database of known malicious packages and deprecated dependencies; it augments prompts with up-to-date security information using RAG (retrieval-augmented generation) and blocks any recommendations that dangerous packages be used. CodeGate also provides developers with proven, safe alternatives.
The Importance of Open Source
Hinds and Stacklok co-founder Craig McLuckie both have long histories with open source software. Hinds founded the Sigstore project, which was later joined by Google and others, and McLuckie was a co-founder of Kubernetes and the CNCF (Cloud Native Computing Foundation).
“It was important to us that CodeGate be open source. Of course, our company’s DNA is open source, but in particular our belief is that when you’re addressing privacy and security, a solution must be open,” noted Hinds. “Open source software is freely available to inspect and modify, and ultimately, this allows us to advance the solution—and developer interests—with the community.”
Conclusion
CodeGate is a groundbreaking new open source project that addresses the critical issues of secrets leakage and risky dependencies in AI coding assistants. By providing developers with a lightweight container that identifies and encrypts secrets, CodeGate ensures that developers can use AI coding assistants without compromising their privacy and security. With its constantly updated database of known malicious packages and deprecated dependencies, CodeGate provides developers with the tools they need to write safer, more secure code.
FAQs
Q: What is CodeGate?
A: CodeGate is a new open source project from the team at Stacklok that provides software developers with a lightweight container for AI coding assistants.
Q: What are the risks of AI coding assistants?
A: AI coding assistants can grab data, passwords, and other secrets and pass them on to large language models, potentially exposing them to the training dataset for public models.
Q: How does CodeGate address these risks?
A: CodeGate identifies and encrypts any secrets before they reach the model, and it decrypts those secrets upon return, ensuring that developers can use AI coding assistants without compromising their privacy and security.
Q: What are the additional features of CodeGate?
A: CodeGate maintains a constantly updated database of known malicious packages and deprecated dependencies, and it augments prompts with up-to-date security information using RAG (retrieval-augmented generation) and blocks any recommendations that dangerous packages be used.
Q: Why is CodeGate open source?
A: CodeGate is open source because it allows developers to inspect and modify the solution, advancing the solution—and developer interests—with the community.