Ctrlk
Changelog NotificationsAPIAikido login

OpenAI Codex CLI MCP

The Aikido MCP Plugin connects Aikido’s security engine to AI coding tools. It automatically scans AI generated code for vulnerabilities and hardcoded secrets as soon as it is created.

AI assistants can review their own output, but that review is not perfect. Aikido adds a reliable and consistent security layer that checks every generated snippet with proven scanning rules.

Why use Aikido MCP

  • Deterministic, independent security checks on every AI generated snippet before it is committed

  • Immediate detection and remediation of vulnerabilities and hardcoded secrets in AI assisted workflows

  • Real time feedback, making AI driven development safer by default

  • aikido_full_scan: Scans local code files for vulnerabilities (SAST) and hardcoded secrets.

  • aikido_issues_list: Fetches security issues from your Aikido feed.

    • Filter by one scope: repo_name, cloud_name, vm_name, domain_name, or container_name

    • Pick one or more issue types: sast, leaked_secret, iac, open_source, cloud, cloud_instance, docker_container, malware, eol, mobile, surface_monitoring, scm_security, license, ai_pentest

    • Returns each issue with title, type, severity, and remediation steps

Installation

1

Create a personal access token

In Aikido, go to Settings → Integrations → IDE → MCP

Create a Personal Access Token.

2

Install the Aikido MCP server

codex mcp add aikido \
  --env AIKIDO_API_KEY=YOUR_TOKEN \
  -- npx -y @aikidosec/mcp

Replace YOUR_TOKEN with the token from the previous step.

3

Add the Aikido rule to Global AGENTS file

Create the codex directory if it doesn't exist yet.

mkdir -p ~/.codex/skills

Download the Aikido rule and add it to ~/.codex/skills/aikido-rule.txt.

curl -fsSL "https://gist.githubusercontent.com/kidk/aa48cad6db80ba4a38493016aae67712/raw/3644397b7df43423e3da06434491b40bbb79dd47/aikido-rule.txt" \
  -o ~/.codex/skills/aikido-rule.txt
4

Finished

Aikido MCP is now available in Codex CLI.

Restart Codex CLI if it was open.

Scanning code

  • "Use Aikido to scan this file for security issues"

  • "Run an Aikido scan on my staged changes to check for secrets before I commit"

  • "Scan the files I just edited with Aikido and link them to the payments-api repo"

Reviewing issues by repo

  • "Show me all critical Aikido issues in payments-api"

  • "List any leaked secrets in frontend-web from Aikido"

  • "What open source vulnerabilities does Aikido see in api-gateway?"

  • "Show SAST and IaC issues in infra-core from Aikido"

Reviewing issues by cloud, VM, or container

  • "List all Aikido cloud issues in prod-aws"

  • "Show malware findings on web-server-01 from Aikido"

  • "What end-of-life software is running in the nginx-proxy container per Aikido?"

  • "Show me surface monitoring issues for example.com in Aikido"

Combined workflows

  • "Use Aikido to scan my current changes, then show existing critical issues in the same repo"

  • "Check this PR with Aikido and compare against open SAST issues in the repo"

Last updated

Was this helpful?