Black Duck has rolled out a set of AI-driven and compliance-focused updates to Coverity, its static application security testing (SAST) tool, as the application security vendor looks to align the two-decade-old product with both the rise of AI-assisted coding and tightening European regulation.
The release marks the first time AI-powered features have shipped in Coverity, and Black Duck was keen to stress that the new capabilities can be run against a customer’s own choice of large language model, rather than a vendor-hosted service. The company said this was designed to give security and development teams control over where code and scan data are processed, a point it framed as particularly relevant for regulated industries and organisations with strict data governance requirements.
AI features aimed at cutting false positives
Chief among the additions is an AI-assisted issue triage capability, which Black Duck says is tuned to reduce false positives in C and C++ findings, a long-standing pain point for teams working in those languages, while also improving triage accuracy across the rest of Coverity’s supported languages.
Coverity has also gained a Model Context Protocol (MCP) server, allowing AI coding agents to trigger local Coverity scans and pull security and quality findings directly into their workflow. Black Duck’s pitch is that this lets agentic tools act on deterministic, reproducible scan output rather than relying purely on a model’s own probabilistic judgement of whether code is safe.
A new checker adds AI-powered detection of Insecure Direct Object Reference (IDOR) flaws in JavaScript and TypeScript codebases. IDOR vulnerabilities occur when an application exposes internal identifiers, such as user IDs, database keys or filenames, without properly checking that the requester is authorised to access them, a class of bug that has featured heavily in API-related breach disclosures.
Positioning for the Cyber Resilience Act
With reporting deadlines under the EU Cyber Resilience Act approaching, Black Duck used the update to introduce two compliance-oriented features. A new Security Impact Lens lets users sort and filter findings by security priority, bringing to security triage the kind of prioritisation Coverity has historically applied to code quality issues. Alongside it, a CRA-aligned checker option is intended to map scan results more directly to the vulnerability management and cybersecurity obligations set out in the regulation.
The update also extends language coverage to Rust 1.92, and introduces a refreshed user interface with reworked navigation and issue filtering, which Black Duck says is intended to speed up triage for teams working through large volumes of findings.
“Coverity has set the gold standard for static analysis for more than two decades, and we’re raising the bar by pairing its deterministic precision with the speed of AI, meeting customers where modern software development is heading,” said Dipto Chakravarty, Chief Product & Technology Officer at Black Duck.
“Code today is written, reviewed, and shipped by agents, and businesses have to move at machine speed to stay ahead,” Chakravarty added, arguing the update delivers AI-driven triage without sacrificing auditability, agentic workflow integration via the MCP server, and tooling that makes CRA readiness “operational, not aspirational.”
Black Duck said all of the new capabilities are now generally available to existing Coverity customers, who gain access to the AI-powered features without changes to the deterministic, auditable scanning the product is built around. Further detail is available via the Coverity Documentation Portal.




