What is Sonatype Guide?

Sonatype Guide is the AI-first developer tool that operates as a Model Context Protocol (MCP) server. Guide intercepts AI code-assistant package recommendations in real time and steers Copilot, Claude Code, Cursor, Gemini Code Assistant, Windsurf, IntelliJ Junie, Kiro, Codex, and other MCP-aware tools toward secure and reliable component versions before code is committed. Sonatype publishes 300%+ improvement in security outcomes and 5x reduction in remediation costs. Merito sells the license and operates the MCP integration, AI code-assistant rollout, and developer workflow integration.

What is Model Context Protocol (MCP)?

Model Context Protocol is an open standard for delivering context to AI tools. Guide operates as an MCP server that AI code assistants connect to for retrieving Sonatype component intelligence at the moment they generate package recommendations. The architecture means Guide gives a single integration point that all MCP-aware AI tools can consume rather than requiring per-tool custom integration.

How does Guide differ from Sonatype Lifecycle?

Lifecycle is the SCA platform that scans dependencies at PR-time and build-gate (and at IDE, repository firewall, runtime). Guide intercepts AI code-assistant package recommendations at AI suggestion time, which is earlier in the developer workflow than Lifecycle covers. The two products layer. Guide steers AI suggestions. Lifecycle scans the resulting code. Programs running both products get pre-commit guidance plus PR-time and build-gate enforcement.

Does Guide work without other Sonatype products?

Guide can run standalone, but pairs naturally with Sonatype Lifecycle for shared policy plane. Programs adopting Guide alongside Lifecycle get AI suggestions that align with the customer's authored Lifecycle policy. Programs running only Guide miss the policy-alignment benefit. The AI suggestions ground in Sonatype's component intelligence but not in customer-specific risk and license tolerance.

What outcomes does Sonatype publish for Guide?

Sonatype publishes that enterprises using Guide have achieved more than a 300% improvement in security outcomes while reducing total security remediation and dependency-upgrade costs by over 5x compared to the leading competitive strategy. The improvements are measured in both direct spend and developer hours. The architecture pays back when AI code-assistant adoption is significant. Programs without meaningful AI tool adoption get less value.

How is Guide licensed?

Sonatype Guide is licensed alongside other Sonatype products. Available bundled under Sonatype Nexus One Platform with Repository Pro, Lifecycle, and SBOM Manager. Pricing not publicly disclosed. Sold through Merito or direct. Merito sells the license and scopes MCP integration, AI code-assistant rollout, and Lifecycle policy alignment as separately priced services.

What services does Merito provide for Guide?

Merito delivers Guide MCP integration with the customer's AI code assistants, Lifecycle policy alignment for shared policy plane, developer rollout planning across teams, AI code-assistant compliance reporting, MAPS Assessment for AI code-assistant program scoping, Premium Support, Managed Services for ongoing run, training for engineering and AppSec teams, and staff augmentation for long-running programs.

Sonatype • Application security

Sonatype Guide

Sonatype Guide is the AI-first developer tool that operates as a Model Context Protocol (MCP) server. Guide intercepts AI code-assistant package recommendations in real time and steers Copilot, Claude Code, Cursor, Gemini Code Assistant, Windsurf, IntelliJ Junie, Kiro, Codex, and other tools toward secure component versions before code is committed.

Merito sells Sonatype Guide and operates the MCP integration, AI code-assistant rollout, and developer-workflow integration that turn Guide into a working pre-commit dependency-governance layer for AI-augmented development.

Get Guide pricing Talk to a Merito Sonatype specialist

Best for: Engineering organizations adopting AI code assistants at scale, Programs needing AI governance for dependency selection, Security teams concerned about AI-suggested package recommendations
Hosting: SaaS
Time to value: First AI code-assistant integration in one to two weeks. Full MCP rollout across major developer tools in three to six weeks. Enterprise rollout including custom policy alignment in two to three months.
Security posture: GDPR, HIPAA-aligned design, SAML SSO
Last reviewed: 2026-04-27

What it is

Sonatype Guide in the enterprise stack

Sonatype Guide launched on December 9, 2025 as the AI-first developer tool that addresses dependency safety inside AI code-assistant workflows. The architecture is a Model Context Protocol (MCP) server that intercepts package recommendations from AI coding tools in real time and delivers Sonatype's component intelligence as context. Rather than requiring developers to manually verify every suggestion, Guide steers AI tools toward secure and reliable component versions before code is committed.

MCP integration covers the major AI code assistants developers actually use. Compatible tools include GitHub Copilot, Claude Code, Cursor, Gemini Code Assistant, Windsurf, IntelliJ with Junie, Kiro, and Codex (IDE Plugin and CLI). The architecture moves dependency safety further left than scanner-based detection can. AI tools generate suggestions. Guide validates package recommendations against Sonatype's intelligence dataset and the customer's policy before the developer commits.

Sonatype publishes that enterprises using Guide have achieved more than a 300% improvement in security outcomes while reducing total security remediation and dependency-upgrade costs by over 5x compared to the leading competitive strategy. The architecture pays back when AI code-assistant adoption is significant and the customer wants pre-commit dependency safety rather than post-commit scanning. Programs without significant AI code-assistant adoption get less value from Guide than the marketing implies.

Ideal use cases

AI code-assistant package-recommendation governance through MCP
Pre-commit dependency safety inside Copilot, Cursor, Claude Code, Gemini, Windsurf, Junie, Kiro, Codex
Sonatype component intelligence delivered as context to AI tools
Engineering organizations standardizing on AI code-assistant adoption
Programs reducing post-commit dependency remediation by shifting left

What it is best at

Where Sonatype Guide earns its seat

MCP server architecture

Model Context Protocol is the right shape for AI code-assistant integration. Guide operates as middleware delivering Sonatype intelligence to AI tools without requiring per-tool custom integration.

Pre-commit dependency safety

Steers AI tools toward secure component versions before code is committed. Dependency safety moves further left than scanner-based detection at PR-time or build-gate.

Major AI code-assistant compatibility

Compatible with Copilot, Claude Code, Cursor, Gemini Code Assistant, Windsurf, IntelliJ Junie, Kiro, and Codex. Programs do not need to standardize on a single AI tool to adopt Guide.

Component intelligence delivered as context

Sonatype's 140M+ component database delivered to AI tools through the MCP context layer. AI suggestions ground in vulnerability and license data rather than training-time knowledge.

Core capabilities

Sonatype Guide capabilities, grouped by outcome

MCP server architecture

How Guide actually integrates with AI code assistants.

Model Context Protocol middleware
Guide operates as an MCP server that AI tools connect to for context retrieval.
Real-time package interception
Package recommendations from AI tools get intercepted in real time before reaching the developer's commit.
Component intelligence delivery
Sonatype's 140M+ component database delivered as MCP context for AI suggestions.

AI code-assistant compatibility

Which AI tools Guide integrates with.

GitHub Copilot
Pre-commit dependency safety inside Copilot suggestions.
Claude Code
MCP integration with Anthropic's Claude Code AI assistant.
Cursor and Windsurf
Modern AI-first IDE coverage.
Gemini Code Assistant
Google's AI code assistant integration.
IntelliJ Junie, Kiro, Codex
Additional AI assistants through MCP support.

Developer workflow integration

Where Guide fits in the AI-augmented developer workflow.

Pre-commit guidance
Component recommendations validated before code is committed.
Policy alignment
AI suggestions align with the customer's authored Lifecycle policy.
Component selection optimization
Guide steers toward secure and reliable component versions automatically.

Where it fits in the stack

How Sonatype Guide connects to the rest of your landscape

AI code assistants (native)

Native

GitHub CopilotMCP-aware integration for pre-commit package recommendations.
Claude CodeAnthropic's MCP-aware Claude Code AI assistant integration.
Cursor, Windsurf, IntelliJ Junie, Kiro, CodexAdditional AI code-assistant coverage through MCP support.
Gemini Code AssistantGoogle AI code-assistant integration.

Sonatype platform (native)

Native

Sonatype LifecycleShared policy plane and component intelligence between Guide and Lifecycle.
Sonatype Nexus One PlatformGuide bundled under Nexus One with Repository, Lifecycle, and SBOM Manager.

Custom integrations

Custom

Internal AI assistantsCustom MCP integration into customer-built AI code assistants.
Custom developer toolsPer-customer MCP integrations for proprietary developer surfaces.
Internal compliance reportingCustomer-specific evidence packages for AI code-assistant compliance audits.

Deployment and implementation

How it rolls out

Hosting: SaaS (Sonatype SaaS)
Implementation complexity: Low
Typical time to value: First AI code-assistant integration in one to two weeks. Full MCP rollout across major developer tools in three to six weeks. Enterprise rollout including custom policy alignment in two to three months.
Prerequisites: AI code-assistant adoption inventory
Sonatype Lifecycle deployment (recommended for shared policy)
Developer rollout plan across teams
Triage operating model for findings
What Merito usually handles: Sonatype Guide deploys as a SaaS MCP server. Developer tools connect over MCP for context retrieval. Merito handles MCP integration with the customer's AI code assistants, Lifecycle policy alignment, and the developer rollout that decides which teams adopt Guide first.

Licensing and packaging

How it is bought

Model: Subscription
What to expect: Sonatype Guide is licensed alongside other Sonatype products. Available bundled under Sonatype Nexus One Platform. Pricing not publicly disclosed; sold direct or through Merito. Merito sells the license and scopes MCP integration, AI code-assistant rollout, and Lifecycle policy alignment as separately priced services.
Editions and modules: Sonatype Guide
MCP server with major AI code-assistant compatibility and Sonatype component intelligence delivery.
Best for: Engineering organizations adopting AI code assistants at scale.
Guide bundled with Nexus One Platform
Guide bundled with Repository Pro, Lifecycle, and SBOM Manager under unified platform license.
Best for: Programs consolidating multiple Sonatype products.
Common expansion areas: Add Sonatype Lifecycle for shared policy plane
Move to Nexus One Platform for unified Sonatype product consolidation
Extend MCP integration to additional AI code-assistant tools
Author custom developer tool integrations through MCP

Merito services

How Merito helps you win with Sonatype Guide

Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.

Guide Implementation

MCP integration with the customer's AI code assistants, Lifecycle policy alignment, and developer rollout planning.

Explore service 02

MAPS Assessment

AI code-assistant program scoping for Guide adoption across major AI tools.

Explore service 03

DevOps Consulting

Guide integration into developer workflows across Copilot, Cursor, Claude Code, Gemini, Windsurf, Junie, Kiro, Codex.

Explore service 04

CRAFT Enablement

Developer-facing AI code-assistant adoption discipline and dependency-safety training.

Explore service 05

Premium Support

Named engineer, priority SLAs, and release-window coverage for Guide in production.

Explore service 06

Managed Services

Long-term run support including ongoing MCP integration maintenance, Lifecycle policy alignment, and AI code-assistant compliance reporting.

Explore service 07

Training and Enablement

Role-based training for engineering and AppSec teams using Guide output.

Explore service

Guide licensing

Buy Guide from the partner that integrates MCP across the customer's AI tools.

AI code-assistant dependency governance happens at suggestion time. Buy Guide through Merito and get the MCP integration, Lifecycle policy alignment, and developer rollout together.

Request Guide pricing

Merito point of view

MCP server architecture is the correct shape for AI code-assistant integration. Pre-commit interception moves further left than scanner-based detection.

AI code assistants generate substantial portions of new code. Programs running scanner-based detection at PR-time or build-gate catch dependency issues after the developer has already chosen the package. Guide intercepts at AI suggestion time, which moves dependency safety further left than scanner-based detection can reach. The architecture matters most for programs with significant AI code-assistant adoption.

MCP server architecture is the correct integration shape. Per-tool custom integration would scale poorly across the rapidly expanding AI tool ecosystem. MCP gives Guide a single integration point that all MCP-aware AI tools can consume. Programs that adopt Guide get coverage across Copilot, Claude Code, Cursor, Gemini, and the rest of the MCP ecosystem without per-tool work.

Programs without significant AI code-assistant adoption get less value from Guide than the marketing implies. Guide is the right product for engineering organizations standardizing on AI-augmented development. Programs in pilot phases or with limited AI tool adoption should sequence other Sonatype products (Lifecycle, Repository) first and add Guide once AI code-assistant usage becomes meaningful.

What buyers usually underestimate

Adopting Guide on programs without significant AI code-assistant adoption
Skipping Lifecycle policy alignment, which leaves Guide operating without customer-specific context
Treating Guide as a complete AI governance solution rather than the dependency-selection layer
Not staffing the developer rollout that aligns AI tool adoption with Guide enablement
Expecting Guide to replace scanner-based detection at PR-time or build-gate

Related from Merito

Continue exploring Sonatype Guide on Merito

Sonatype Guide FAQs

Consultation request

Talk to Merito about Guide

Share your AI code-assistant adoption posture and developer workflow systems. A Merito Sonatype specialist follows up within one business day.

MCP server architecture

Single integration across AI tools

Compatible with Copilot, Claude Code, Cursor, Gemini, Windsurf, Junie, Kiro, and Codex through Model Context Protocol.

Pre-commit safety

Earlier than PR-time scanning

Intercepts AI package recommendations at suggestion time. Steers AI tools toward secure component versions before commit.

Next step

Move dependency safety further left than scanner-based detection can reach.

A Guide engagement with Merito starts with the AI code-assistant adoption inventory, then MCP integration, then Lifecycle policy alignment. Programs with significant AI tool adoption see the most value.

Book a Guide consultation

Sonatype Guide

How it rolls out

Hosting

SaaS (Sonatype SaaS)

Implementation complexity

Low

Typical time to value

First AI code-assistant integration in one to two weeks. Full MCP rollout across major developer tools in three to six weeks. Enterprise rollout including custom policy alignment in two to three months.

Prerequisites

AI code-assistant adoption inventory
Sonatype Lifecycle deployment (recommended for shared policy)
Developer rollout plan across teams
Triage operating model for findings

What Merito usually handles

Sonatype Guide deploys as a SaaS MCP server. Developer tools connect over MCP for context retrieval. Merito handles MCP integration with the customer's AI code assistants, Lifecycle policy alignment, and the developer rollout that decides which teams adopt Guide first.

How it is bought

Model

Subscription

What to expect

Sonatype Guide is licensed alongside other Sonatype products. Available bundled under Sonatype Nexus One Platform. Pricing not publicly disclosed; sold direct or through Merito. Merito sells the license and scopes MCP integration, AI code-assistant rollout, and Lifecycle policy alignment as separately priced services.

Editions and modules

Sonatype Guide
MCP server with major AI code-assistant compatibility and Sonatype component intelligence delivery.
Best for: Engineering organizations adopting AI code assistants at scale.
Guide bundled with Nexus One Platform
Guide bundled with Repository Pro, Lifecycle, and SBOM Manager under unified platform license.
Best for: Programs consolidating multiple Sonatype products.

Common expansion areas

Add Sonatype Lifecycle for shared policy plane
Move to Nexus One Platform for unified Sonatype product consolidation
Extend MCP integration to additional AI code-assistant tools
Author custom developer tool integrations through MCP

Talk to Merito about Guide

Share your AI code-assistant adoption posture and developer workflow systems. A Merito Sonatype specialist follows up within one business day.

MCP server architecture

Single integration across AI tools

Compatible with Copilot, Claude Code, Cursor, Gemini, Windsurf, Junie, Kiro, and Codex through Model Context Protocol.

Pre-commit safety

Earlier than PR-time scanning

Intercepts AI package recommendations at suggestion time. Steers AI tools toward secure component versions before commit.