# Github Copilot The Aikido MCP Plugin connects Aikido’s security engine to AI coding tools. It automatically scans AI generated code for vulnerabilities and hardcoded secrets as soon as it is created. AI assistants can review their own output, but that review is not perfect. Aikido adds a reliable and consistent security layer that checks every generated snippet with proven scanning rules. **Why use Aikido MCP** * Deterministic, independent security checks on every AI generated snippet before it is committed * Immediate detection and remediation of vulnerabilities and hardcoded secrets in AI assisted workflows * Real time feedback, making AI driven development safer by default * **aikido\_full\_scan**: Scans local code files for vulnerabilities (SAST) and hardcoded secrets. * **aikido\_issues\_list**: Fetches security issues from your Aikido feed. * **Filter by one scope:** repo\_name, cloud\_name, vm\_name, domain\_name, or container\_name * **Pick one or more issue types:** sast, leaked\_secret, iac, open\_source, cloud, cloud\_instance, docker\_container, malware, eol, mobile, surface\_monitoring, scm\_security, license, ai\_pentest * **Returns each issue** with title, type, severity, and remediation steps ## Installation ### IDE The Aikido VSCode IDE plugin uses [Expansion Packs](/ai-and-dev-tools/ide-plugins-overview/features/aikido-expansion-packs.md) to provide additional features. The Aikido MCP for Github Copilot is one of these Expansion Packs, making installation simple and fast without a separate setup process. See the linked page below for instructions on how to enable it. {% content-ref url="/pages/mgd9l65M1Oa5zH7GUy7e" %} [VS Code IDE](/ai-and-dev-tools/ide-plugins-overview/vs-code-plugin.md) {% endcontent-ref %} ### Integration with Copilot IDE plugins {% stepper %} {% step %} **Create an Aikido MCP token** In Aikido, go to [MCP Integration page](https://app.aikido.dev/settings/integrations/ide/mcp) and create a Personal Access Token. {% endstep %} {% step %} **Add the MCP configuration in your IDE settings** Go to Github Copilot plugin settings and open the `mcp.json` file. Add the Aikido server and don't forget to replace the value of `AIKIDO_API_KEY` ```json { "servers": { "aikido": { "command": "npx", "args": ["-y", "@aikidosec/mcp"], "env": { "AIKIDO_API_KEY": "MCP_AIKIDO_API_KEY" } } } } ``` {% endstep %} {% step %} **Add custom prompt instructions** Add an instruction to your `AGENTS.md` file or custom instructions to tell agent to use the new tooling. ``` Scan any new or modified code with `aikido_full_scan` before finalizing changes. This security check is required. ``` {% endstep %} {% endstepper %} ### Integration with Copilot Cloud Agents GitHub Copilot coding agent can call tools from MCP servers while it runs. Follow the steps below to set up Aikido MCP for your repository. Configuration is done per repository. If you already use Aikido MCP in VS Code, [you can reuse that configuration](https://docs.github.com/en/copilot/how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp#reusing-your-mcp-configuration-from-visual-studio-code) and only add the token in your repository settings. #### Set-up Instructions {% hint style="info" %} For the full GitHub flow (where to paste JSON, how validation works, and how Copilot environments expose secrets), [check out GitHub’s guide](https://docs.github.com/en/copilot/how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp). {% endhint %} {% stepper %} {% step %} **Create an Aikido MCP token** In Aikido, go to [MCP Integration page](https://app.aikido.dev/settings/integrations/ide/mcp) and create a Personal Access Token. {% endstep %} {% step %} **Add the MCP configuration in your repo settings** In your GitHub repository, go to Settings → Copilot → Coding agent and paste an MCP JSON config. Example configuration for Aikido MCP (local/stdio via npx): {% tabs %} {% tab title="Copilot Cloud Agent" %} ```json { "mcpServers": { "aikido": { "type": "stdio", "command": "npx", "args": ["-y", "@aikidosec/mcp"], "tools": ["aikido_full_scan", "aikido_sast_scan", "aikido_secrets_scan"], "env": { "AIKIDO_API_KEY": "COPILOT_MCP_AIKIDO_API_KEY" } } } } ``` {% endtab %} {% endtabs %} {% endstep %} {% step %} **Add the token to your Copilot environment** Github Copilot only exposes secrets/variables to MCP config if their names start with `COPILOT_MCP_` Create a secret like: `COPILOT_MCP_AIKIDO_API_KEY` = your Aikido token {% endstep %} {% step %} **Add the MCP configuration in your repo settings** In your GitHub repository, go to Settings → Copilot → Coding agent and paste an MCP JSON config. Example configuration for Aikido MCP (local/stdio via npx): {% tabs %} {% tab title="Copilot Cloud Agent" %} ```json { "mcpServers": { "aikido": { "type": "stdio", "command": "npx", "args": ["-y", "@aikidosec/mcp"], "tools": ["aikido_full_scan", "aikido_sast_scan", "aikido_secrets_scan"], "env": { "AIKIDO_API_KEY": "COPILOT_MCP_AIKIDO_API_KEY" } } } } ``` {% endtab %} {% endtabs %} {% endstep %} {% step %} **Add custom prompt instructions** To ensure GitHub Copilot uses the MCP server, configure repository instructions as [described in the GitHub guide](https://docs.github.com/en/copilot/how-tos/configure-custom-instructions/add-repository-instructions). Add an instruction such as: ``` Scan any new or modified code with `aikido_full_scan` before finalizing changes. This security check is required. ``` {% endstep %} {% step %} **Validate** You can now [verify your configuration](https://docs.github.com/en/copilot/how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp#validating-your-mcp-configuration) by asking Copilot to security scan one of your files. {% endstep %} {% endstepper %} **Scanning code** * "Use Aikido to scan this file for security issues" * "Run an Aikido scan on my staged changes to check for secrets before I commit" * "Scan the files I just edited with Aikido and link them to the `payments-api` repo" **Reviewing issues by repo** * "Show me all critical Aikido issues in `payments-api`" * "List any leaked secrets in `frontend-web` from Aikido" * "What open source vulnerabilities does Aikido see in `api-gateway`?" * "Show SAST and IaC issues in `infra-core` from Aikido" **Reviewing issues by cloud, VM, or container** * "List all Aikido cloud issues in `prod-aws`" * "Show malware findings on `web-server-01` from Aikido" * "What end-of-life software is running in the `nginx-proxy` container per Aikido?" * "Show me surface monitoring issues for `example.com` in Aikido" **Combined workflows** * "Use Aikido to scan my current changes, then show existing critical issues in the same repo" * "Check this PR with Aikido and compare against open SAST issues in the repo" --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://help.aikido.dev/ai-and-dev-tools/aikido-mcp/github-copilot.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.