Try Bifrost Enterprise free for 14 days. Request access

AI Coding Agent Security: Governing Cursor, Claude Code, and Copilot

AI Coding Agent Security: Governing Cursor, Claude Code, and Copilot
AI coding agent security means governing what Cursor, Claude Code, and Copilot send to providers. Bifrost enforces that policy at the gateway and every machine.

A 2025 GitGuardian study found that public repositories with GitHub Copilot active leaked secrets at a 6.4% rate, roughly 40% higher than the 4.6% baseline across all public repositories (GitGuardian). As Cursor, Claude Code, and Copilot become standard developer tooling, AI coding agent security has become an infrastructure problem: these agents read source code, environment variables, and credentials, then send that context to external model providers, usually with no policy layer in between. Bifrost, the open-source AI gateway built in Go by Maxim AI, is built for enterprises that need to route, govern, and secure this traffic across every model and every machine. This post covers how to govern coding agents at the gateway, then how to extend that governance to the endpoint with Bifrost Edge.

Why AI Coding Agent Security Is Different

AI coding agent security is the practice of controlling what data coding assistants send to model providers, which tools they can invoke, and who can use them, enforced through policy rather than developer discipline. It differs from traditional application security because the sensitive data leaves through a prompt, not through a code path a scanner can inspect.

Coding agents concentrate several risks that the OWASP Top 10 for LLM Applications tracks separately:

  • Sensitive information disclosure (LLM02): agents pull source code, .env files, and credentials into prompt context, where that data can be logged, retained, or exposed.
  • Supply chain and tool risk (LLM03): agents connect to Model Context Protocol (MCP) servers that can read files, call APIs, and execute commands.
  • Excessive agency (LLM06): terminal agents run with the developer's own permissions, so a single bad instruction can modify files or run commands across the environment.

The core problem is structural. Coding agents are usually adopted bottom-up, installed per developer and pointed straight at a provider API. Security teams inherit the exposure without the visibility, which is why coding agent security has to be handled as a governance problem rather than a per-developer setting.

The Shadow AI Problem in Engineering Teams

Shadow AI is the ungoverned AI usage that never gets routed through a policy layer. In engineering, it looks like Cursor, Claude Code, and Copilot running on individual laptops, each sending code and context to a model provider with no shared budget, no audit trail, and no guardrails. Bifrost treats this as a governance problem: a gateway only governs the traffic that is configured to flow through it, and most coding agent traffic never is.

MCP servers widen the gap. Agents increasingly wire in external tools, and most organizations have no inventory of which servers are connected or what they can reach. Security researchers at Adversa AI documented a class of flaws they call "TrustFall," in which cloned repositories cause coding agents including Claude Code, Cursor, and Copilot CLI to auto-execute project-defined MCP servers, turning a single trust prompt into remote code execution (Adversa AI). Governing the model traffic an agent sends and the MCP servers it connects to is the same problem, and it needs one control plane.

Governing Coding Agents at the Gateway

Bifrost is the control plane for coding agent traffic. It exposes OpenAI-, Anthropic-, and Gemini-compatible endpoints, so a coding agent points at Bifrost instead of a provider, and every request inherits the organization's policies before it reaches a model.

Routing agents through the gateway is a base-URL change:

  • Claude Code authenticates with a Bifrost virtual key set as its auth token, with no separate provider account login required.
  • Cursor connects by overriding its OpenAI base URL and supplying a virtual key, which gives it access to any configured provider plus governance.
  • Other terminal agents follow the same pattern, so a team standardizes on one endpoint instead of a different configuration per tool.

Once traffic flows through the gateway, the governance layer applies. Virtual keys are the primary control: each key carries model and provider access rules, per-key budgets, and token and request rate limits, and can be deactivated instantly. That gives platform teams per-developer and per-team spend control and a way to revoke access without rotating provider credentials.

Security controls run in the same request path:

  • Guardrails evaluate every prompt and response, with native secrets detection (Gitleaks-backed) and a PII detection template that catch credentials and personal data before they leave the request.
  • Additional guardrail providers include AWS Bedrock Guardrails, Azure Content Safety, Google Model Armor, CrowdStrike AIDR, GraySwan Cygnal, and Patronus AI.
  • Audit logs record administrative activity as signed, exportable events that support SOC 2, GDPR, HIPAA, and ISO 27001 reviews.

This covers every coding agent that a developer configures to use the gateway. The harder question is the traffic no one configured.

Extending Governance to Every Machine with Bifrost Edge

The gateway governs configured traffic; Bifrost Edge extends that same governance to the endpoint. Edge runs on each machine and routes all AI traffic through the organization's Bifrost automatically, so the virtual keys, budgets, guardrails, and audit logs already configured at the gateway now apply to the AI developers actually use, not just the traffic that happened to be pointed at it. Edge is currently in alpha.

Edge closes the shadow AI gap for coding agents in three ways:

  • App governance: administrators decide which AI applications are allowed, and Edge enforces that decision on each device. Allowed apps run normally under governance; disallowed apps are blocked before data leaves the machine.
  • MCP governance: Edge inventories the MCP servers configured inside each AI app across the fleet, then enforces per-server allow and deny decisions on the device, so a denied server cannot be used even by an app that had it configured before the policy existed. Discovery covers the major agents today, including Claude Code, Cursor, Codex, and Gemini CLI.
  • Guardrails everywhere: because Edge routes endpoint traffic through Bifrost, the guardrails configured at the gateway apply to prompts and responses from desktop apps, browser AI, and coding agents, with nothing extra to install on the device.

Edge governs the coding agents teams run today, including Cursor, Claude Code, and Codex, and its supported-application list continues to expand. Because governance follows the user instead of waiting for opt-in, it reaches the ungoverned usage that a gateway alone cannot see.

Building a Coding Agent Security Policy

A workable coding agent security policy moves from visibility to enforcement in a defined order:

  1. Inventory which coding agents and MCP servers exist across developer machines.
  2. Route agent model traffic through the gateway with per-developer virtual keys.
  3. Apply guardrails for secrets and PII so credentials cannot leave in a prompt.
  4. Allow or deny apps and MCP servers centrally, enforced on the device.
  5. Roll out fleet-wide through an existing device management platform, and audit continuously.

Can a general-purpose API gateway govern coding agents?

Not on its own. A standard API gateway authorizes HTTP traffic, but it cannot inspect prompt content for secrets, apply model and budget policy per developer, or authorize MCP tool calls, which carry their own method semantics. Coding agent governance needs a control plane that understands AI traffic.

How do you stop secrets from leaking through coding agents?

Route agent traffic through a gateway that runs secrets detection on every request, so API keys and credentials are caught before they reach a provider, then pair that with app and MCP policy so ungoverned tools cannot bypass it.

How do you get visibility into MCP servers on developer machines?

Endpoint governance builds a fleet-wide MCP inventory by reading the configuration of each supported AI app, then lets administrators allow or deny each server centrally and enforce the decision on the device.

For regulated industries and strict enterprise requirements, Bifrost Enterprise adds RBAC, SSO and OIDC, clustering, and in-VPC and air-gapped deployment, and Bifrost Edge rolls out silently through Jamf, Intune, Kandji, Workspace ONE, and JumpCloud via managed MDM configuration. The LLM Gateway Buyer's Guide gives a capability matrix for evaluating this against other approaches.

Getting Started with Bifrost

AI coding agent security is achievable when the same policies govern both the traffic developers configure and the traffic they do not. Bifrost provides the control plane for coding agents at the gateway, and Bifrost Edge extends that governance to every machine, so Cursor, Claude Code, and other agents run under one set of controls for budgets, guardrails, and audit. Review the governance resources to see how the pieces fit, or book a demo with the Bifrost team to plan a rollout across your fleet.