Allowing IP Addresses on Private Package Repositories

If your private package repository only allows specific static IP addresses to access your packages, you will have to allowlist Aikido's IP addresses before you can create an AutoFix. Add the following IPs:

EU-based IP addresses (default region):

• 52.214.244.18

• 18.202.209.180

• 52.50.198.227

• 52.51.98.186

US-based IP addresses:

• 3.211.221.73

• 54.163.131.24

• 54.225.143.47

ME-based IP addresses:

• 3.29.13.194

• 40.172.18.244

• 40.172.67.79

After adding the IPs, retrigger your Autofix to confirm connectivity.

Third party provider instructions

For instructions on whitelisting IP addresses with third-party providers, refer to the following resources:

• Cloudflare WAF

  • Cloudflare Turnstile does not support allowlisting specific client IP addresses. If you need to bypass Turnstile for Aikido scanning traffic, you must do it in your application code. We recommend bypassing only when both conditions are true:

    1. The request originates from an Aikido IP range

    2. The request includes the aikido User Agent in headers as described above

• Azure WAF

• AWS WAF.

  • For WAFs behind Application Load Balancers or CloudFront, your WAF should check the last IP address in the X-Forwarded-For header.

• Vercel WAF

  • Use the "bypass" action for trusted IPs