# Signed Commits

Aikido supports signed commits for both **GitHub** and **GitLab** to ensure the authenticity of code changes. While GitHub requires no configuration, GitLab users must add a specific Aikido-provided SSH key to their profile.

## Why use signed commits?

Signed commits provide a layer of cryptographic assurance, proving that code changes originated from Aikido and haven't been altered. This is essential for:

* **Identity Verification:** Guarantees that the commit was actually made by the authorized service.
* **Trust & Security:** Prevents "commit spoofing" where a malicious actor pretends to be a trusted contributor.
* **Audit Readiness:** Helps satisfy security compliance frameworks like **SOC2**, **ISO 27001**, and **HIPAA**.

## Setup

### GitHub

**No configuration required.** GitHub automatically recognizes and signs commits made via the Aikido integration. These will appear with a **"Verified"** badge in your commit history immediately.

<figure><img src="/files/OeO0VJYKRcENnEHI8ML7" alt=""><figcaption></figcaption></figure>

### GitLab

To enable signed commits on GitLab, you must use **Personal Access Token (PAT)** authentication; this feature is not available via OAuth.

<figure><img src="/files/59nUeSmrFpOfi9wXSPK1" alt=""><figcaption></figcaption></figure>

**Important Note on Users:** GitLab only supports signed commits for **real user accounts**, not service accounts. The PAT used in Aikido must belong to a real user.

Setup steps:

1. **Navigate to Settings:** In Aikido, go to the [**AutoFix settings** page](https://app.aikido.dev/issues/fix/settings) and click **Authorize** (on initial setup) or **Manage Personal Access Token** (when a token is already set).
2. **Configure the PAT:** In Aikido, enter the Personal Access Token you generated in GitLab's User Settings.
3. **Generate SSH Key:** Click **Generate SSH key** within Aikido to create your unique signing key.
4. **Add to GitLab:**
   * Copy the public key provided by Aikido.
   * In GitLab, click the **User icon** in the top right, then go to **Edit profile > SSH Keys > Add new key**.
   * Paste the key and ensure the **Usage type** is set to **"Authentication & Signing"**.
5. **Validate:** Return to Aikido and click **Validate SSH key** to confirm the connection is active.

<figure><img src="/files/WFzIg6aZ8nL0rwgBSGlS" alt=""><figcaption></figcaption></figure>

You will now see the `Verified` badge on the commits from Aikido:

<figure><img src="/files/eGTR3uZI1TqfMPTVAyYP" alt=""><figcaption></figcaption></figure>

Aikido creates a unique SSH key for each account. To recreate it, click `Delete SSH Key` and then create a new key.
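
To check the result outside the GitLab UI, the following added example (not Aikido's code) audits a clone using git's own signature fields: it flags commits authored under a given e-mail that are unsigned, not trusted, or signed with a key other than the expected one. `BOT_EMAIL`, `EXPECTED_FP` and the file `aikido_signing.pub` are placeholder assumptions, as is the premise that Aikido's commits carry the PAT user's e-mail as author.

```shell
#!/bin/sh
# Constructed placeholders (assumptions), replace with your own values.
BOT_EMAIL="aikido-user@example.com"                 # author e-mail of the PAT user
EXPECTED_FP="SHA256:EXAMPLEFINGERPRINTPLACEHOLDER"  # from: ssh-keygen -lf aikido_signing.pub

# One-time setup so git can verify SSH signatures locally (run inside the clone):
#   printf '%s namespaces="git" %s\n' "$BOT_EMAIL" "$(cat aikido_signing.pub)" > allowed_signers
#   git config gpg.ssh.allowedSignersFile "$PWD/allowed_signers"

# list_commits: emit "hash|signature-status|key-fingerprint|author-email" per commit.
# %G? is G for a good, trusted signature, N for none, U/B/E/... for anything else.
list_commits() {
    git log --format='%H|%G?|%GF|%ae' "$@"
}

# audit_signatures: read list_commits records on stdin and print every commit
# authored by BOT_EMAIL that lacks a good signature made with EXPECTED_FP.
# Returns 1 if at least one such commit is found, 0 otherwise.
audit_signatures() {
    awk -F'|' -v bot="$BOT_EMAIL" -v fp="$EXPECTED_FP" '
        $4 != bot { next }    # other authors are out of scope for this check
        $2 == "N" { print "UNSIGNED  " $1; bad = 1; next }
        $2 != "G" { print "UNTRUSTED " $1 " status=" $2; bad = 1; next }
        $3 != fp  { print "WRONG-KEY " $1 " key=" $3; bad = 1; next }
        END { exit bad + 0 }
    '
}

# Usage inside a clone:
#   list_commits -n 200 | audit_signatures
```

An `UNSIGNED` or `WRONG-KEY` line for this author means a commit carries the identity without the signing key registered in GitLab, which is the spoofing case signed commits are meant to expose.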

