Changelog

Features

• Aikido Zen released for .NET: Aikido’s In-app firewall ‘Zen’ is now available for .NET applications!

• Aikido Zen - CrowdSec integration: Zen now incorporates CrowdSec lists so you can block known threat actors. (PHP support will be added soon.)

• Windsurf IDE integration: You can now install the Aikido IDE plugin for Windsurf to spot issues while coding.

• DORA compliance report: A new compliance report is available, tailored for fintech and banking sector.

Improvements

• Bulk license management: Users can now perform bulk changes to licenses, including marking them as internal or changing risk assessments.

• Aikido Zen - Routes and outbound request monitoring: Zen now allows you to monitor the # of requests on your own routes and outbound connections.

• JavaScript autofix via parent package: You can now autofix JavaScript dependencies through parent packages.

• Bulk assignment of repositories and containers: Assign assets to teams faster by bulk selection.

• GitLab issue labels: Add labels to GitLab issues directly from Aikido.

• SCM connected user offboarding: Admins can now easily offboard users that are connected via SCM platforms (GitHub, Bitbucket, GitLab).

Vulnerability Database

Our research team has discovered over 40 new vulnerabilities over the last two weeks!

Features

• Aikido Zen released for Java: Aikido’s In-app firewall ‘Zen’ now available for Java applications

• Support for .aikido ignore files: Ignore vulnerabilities by PATH and CVE number with the .aikido file

• SAST Swift support: Swift is now supported by Aikido’s static code scanning

• Generate reports for Auditors: Easily generate reports for compliance auditors from the Aikido reporting page

• CI Scanning includes malware detection: Now scan for malware directly in the Aikido CI (via request only)

• Bitbucket CI: Bitbucket PR checks configurable directly via Aikido UI

Improvements

• DAST: Authentication on the REST API is now possible via oAuthV2 client credentials flow.

• UI/UX:

  • Option to IP lock the Aikido Dashboard (via request only)

  • Bulk activate/deactivate repositories in the repo settings

  • Incident filters on the Aikido dashboard are now stored in URL allowing them to be easily shared

• API:

  • Manage domains with support for ‘create’, ‘remove’, and ‘list’ domains

  • Manage team members with the ability to ‘add’ and ‘remove’ users from the team via the API

• Reporting: Spanish ENS compliance reporting has been added to the Aikido reports page

Vulnerability Database

Our research team has discovered 25 new vulnerabilities over the last two weeks!

Features

• Aikido Intel’s reporting now open-sourced: You can contribute directly to Aikido Intel feed via the public GitHub repo

• Zen now supports bot blocking: You can now block bot users such as AI scrapers, AI search crawlers, Archivers and more with Zen

• GitLab CI checks from Aikido dashboard: Now setup GitLab CI checks directly via the Aikido Dashboard (GitLab Cloud only)

Improvements

• Containers: Now perform bulk actions on container vulnerabilities from settings page

• Open-source security: Support for text-based bun lockfiles

• License risks: 114,000 package licenses that were previously unknown licenses added

• Auto-fix: Support for requirements.in with Aikido auto-fix

• Open-source License risk: You can now see license risk scoring within the Aikido dashboard

Vulnerability Database

Our research team has discovered over 14 new vulnerabilities over the last two weeks!

Features

• Interact with issues from Slack: Users can view/snooze/ignore/solve all issues from within Slack (by request only)

• DAST IP Address Control: You can choose to scan your application with EU or US IP addresses

• Integrations

  • Native Integration with Leen.dev security connector

  • Drata Integration improved to include support for HIPAA framework

Improvements

• SAST: New rules for GitHub actions to target dangerous exploits

• User Experience Improvements:

  • New Autofix link added to sidebar

  • Ability for Admins to delete notes

  • View CI scan history via the reporting page

• DAST:

  • New rules for REST API/GRAPHQL scanning created

  • Set scan frequency for REST API/GRAPHQL scanning

  • Added routes tab in domain information for REST API scanning

Vulnerability Database

Our research team has discovered over 35 new vulnerabilities over the last two weeks!

Features

• API Scanning: Our DAST API scanner for REST and GraphQL APIs has arrived.

Improvements

• Virtual Machines can now be configured for mixed clouds (denoises your results & lowers scanning frequency)

• Our public API can now return activity log items

• You can now sync SLA dates to Jira due dates

Vulnerability Database

Our research team has discovered over 40 new vulnerabilities over the last two weeks!

Features

• Autofix SAST: Now preview or auto-generate a pull request with code fixes for discovered SAST and IaC vulnerabilities

• GDPR report: Generate reports for GDPR compliance

• SAST for Elixir: You can now find code vulnerabilities in Elixir projects with Aikido SAST

• Add local repos to workspace: You can now add your locally scanned repos to an existing workspace (Enabled by request)

Improvements

• Status filter: Ability to filter issues on the main feed by item Status for improved task management

Vulnerability Database

Our research team has discovered over 61 new vulnerabilities over the last two weeks!

Features

• CLI based release gating: Aikido CLI now supports release gating based on security checks

• Enriched Pull Requests: More detailed PR decoration with Aikido Autofix for, BitBucket and GitLab

Improvements

• Dashboard sidebar redesigned for improved user experience

• End of Life issue detection support added for .NET projects

Vulnerability Database

Our research team has discovered over 32 new vulnerabilities including 8 Critical and 6 High over the last two weeks!

Features

• HiTrust Compliance: You can generate a Level 3 HiTrust compliance report from Aikido’s reports page

Improvements

• Feed: Option to filter issues by severity

• Secret Scanning: Secrets scanning added for BitBucket pipelines

• SCA:

  • Support added for RUST cargo.toml file

  • Autofix now connects to private package managers through secure environment variables.

  • Yarn 4 package manager now supported for Autofix

• End of Life (EOL): Support added for Azure AKS, AWS EKS, kubernetes on GCP

• User Settings

  • Admin users can now disable/enable auto onboarding in settings/users

  • Added toggles to control default permissions of new users

• Integrations: Users can now see and enable extra unmapped SonarQube rules

• Public API:

  • Support for (un)linking assets (repos, clouds,…) to a team

  • Support for obtaining counts of a single issues

  • Reachability status for single issue added

  • Support for creating custom SAST rules (detail, add, edit, delete) through API

Features

• In-app firewall Zen launched for Python - Zen now supports Python and is compatible with Django, Flask, Quart, and Starlette. It automatically blocks critical injection attacks, adds API rate limiting, and more.

• Dependency Autofix PRs- Aikido can now automatically create daily pull requests for bulk dependency upgrades

• Native Thoropass integration - Aikido can now automatically push compliance checks as evidence into Thoropass

Improvements

• SAST: DART added as a supported language for Aikido SAST

• Reporting: Trends over time report adjustable by timeframe

• Domains: Updated Domains page to show solved issues

• Task Tracker: Auto creation of tasks based on severity and issue

• Local scanning: Added support for uv.lock files for dependency scanners

• APIs: Unsnooze / unignore group/individual issues

• GitLab CI: Secrets scanning now supported

• SCA: Support for build.gradle

• Zen: Now easily autogenerate OpenAPI specification

Vulnerability Database

Our research team has discovered over 28 new vulnerabilities over the last two weeks including 3 Critical and 3 High!

Features

🚀 HIPAA reporting: You can now generate a HIPAA compliance report directly from the Aikido reports tab

🚀 CI Scan History: View the Pull Request history for CI scans in all your integrated CI clients

Improvements

• Issues in Vanta now mapped to container images

• Multiple tags and labels supported for Jira / Linear tickets

• Compliance reporting is grouped per measure providing more visibility in overall compliance

Vulnerability Database

Our research team has discovered over 26 new vulnerabilities over the last two weeks!

New Features

🚀 Path-based responsibility for teams within a repository.

Teams can separate responsibility within a code repo based on path allowing more control for mono-repos.

✅ Default CI configuration added for new repositories

Enable default CI configurations for all new repositories to prevent missed scans.

Improvements & bug fixes

• Get firewall Slack notifications during attacks with Aikidos in app firewall Zen.

• Clojure was added to supported languages for SCA.

• PR scan history included in scan history page for local scanning.

• Team-only users now have access to stats in the feed and ignored pages.

Vulnerability Database

Our research team has discovered over 12 new vulnerabilities over the last two weeks!

New Features

🚀  Agentless Virtual Machine scanning in AWS (docs)
Aikido can now scan your AWS EC2 instances for vulnerabilities. We're stoked to be launching this new feature! Some competitors call this cloud workload protection (CWP), some "sidescanning",... We decided to call it by what it is & actually does: Agentless Virtual Machine scanning. Get 100% coverage, from code to cloud, without any agents. Contact us if you'd like to have access to this feature.

🚀  Aikido is now integrated into Vanta’s Vulnerability Page (vanta’s docs)
Vanta now pulls in Aikido’s vulnerabilities directly into their vulnerability page. This allows you to manage your SLAs for multiple security tools directly in Vanta. The page in Vanta provides a high-level overview of all the detected, remediated, or ignored vulnerabilities on all your servers and containers.

Improvements & bug fixes

• Virtual Machine scanning: You can now set the purpose of the environment, so Aikido can better process results.

• Firewall: You can now configure an IP allowlist on routes, this helps to ensure admin APIs are only accessible from your office or company VPN.

• CI/CD Integration: We now display the CI scan history in the UI, so you can see which scans passed or failed & explore the details. (go to app)

• Local Scanner: We now support image PR gating

• Reporting: You can now check how you do on PCI compliance (check the report)

• SAML: Aikido now auto-creates teams when there’s no teams configured yet

• Autofix: We now support private nuget/NPM registries (docs)

• You can now set your preferred scanning frequency (if you’re on a paid plan)

Vulnerability Database

Our research team has discovered over 20 new vulnerabilities over the last two weeks! (vulnerability database)

New Features

🚀 JetBrains IDE plugins (docs / JetBrains Marketplace)
We’ve released our JetBrains IDE plugin. (Supporting GoLand, IntelliJ IDEA, PhpStorm, PyCharm, Rider, WebStorm) Scan your codebase for secrets, API keys and SAST code issues, while coding!

🚀 Access Controls for GitLab
Aikido can now check for critical access control issues. (Think of multi-factor authentication, restricting default access rights, requiring mandatory code reviews,...) This way, you can ensure that only authorized and verified changes are made to your codebase.

Improvements & bug fixes

• Autofix: Now supports ruby on rails

• Dependency scanning: Broader coverage C++/CPP

• Firewall (GitHub)

  • The firewall overview page has been redesigned

  • You can now manage the firewall app via API. Helpful when you have 100s of apps that you want to add!

  • You can now set your app’s environment (staging/dev/prod)

  • Firewall can now recognize and index graphQL operations

• SAML: You can now sync rights & teams directly to Aikido.

• Domains: You can now adapt linked assets (container/repo) when editing a domain

• Local Scanner:

  • PR scanning support has arrived! You can now do both PR gating and release gating.

  • Support for lockfile-less C++ added

• Domains (Dynamic testing): You can now edit linked assets (repo/container) while editing a domain.

• Tines Marketplace Integration: We’ve created pre-built stories on the Tines marketplace, making integration with tines dead-simple.

Vulnerability Database

Our research team has discovered over 10 new vulnerabilities over the last two weeks! (check out our vulnerability database)

New Features

🚀 Sprinto integration (integration details)
Aikido now supports Sprinto, so you can automate your technical vulnerability management reporting.

🚀 Extended coverage for secret liveness detection (docs)
Aikido is now able to check for many different new types of secrets if they are live: Slack tokens, GitLab PAT, Hubspot tokens and many more...

Improvements & bug fixes

• SBOMs: You can now also export your SBOM in SPDX format.

• Firewall: We now support the Micro framework (see docs)

• Issue types filters: It’s now possible to multi select filters. (in the feed and the ignored issues view)

• Azure DevOps: You can now add trusted domains to allow auto-onboarding. (see docs)

Vulnerability Database

Our research team has discovered over 22 new vulnerabilities over the last two weeks! (check out our vulnerability database)

New Features

🚀 Secrets liveness detection (docs)
Aikido now checks if exposed secrets are still active and assesses their potential risks. Issue's severity is adapted based on this information. (Think of GitHub Access Tokens, Sendgrid tokens, Stripe tokens, slack tokens,…) Aikido filters the noise in detected secrets even better than before!

🚀 GitHub access control checks (docs)
Aikido can now check for critical access control issues. (Think of multi-factor authentication, restricting default access rights, requiring mandatory code reviews,...) This way, you can ensure that only authorized and verified changes are made to your codebase.

Improvements & bug fixes

• SLAs: Aikido can now automatically create tasks for issues that go out of SLA (ask us for access to this feature via in-app chat)

• Firewall:

  • We added blocking/nonblocking mode in the UI

  • SSRF protection: blocks SSRF attacks by intercepting and validating requests to internal services.

• Dependency scanning: Support for deno.lock (for JS) (check lockfile support in docs)

• Feed: When you hover over the toggles you now get a detailed view on how Aikido has refined the findings.

  

• SAML: We now support SAML via Google Workspace! (docs)

• Jira integration: You’re now able to map severities to their correlating priorities in Jira

Vulnerability Database

• Our research team has discovered over 31 new vulnerabilities over the last two weeks! (check out our vulnerability database)

New Features

🚀 Firewall
We've added rate limiting for Next.js! Protect against excessive traffic & attacks by limiting the number of requests from a single source.

🚀 Detect secrets in PRs (GitHub checks & Azure Checks)
Enable Aikido's CI Gating for GitHub checks or Azure checks to detect secrets in PRs. Make sure no secrets get pushed live.

Improvements & bug fixes

• CI Gating - GitHub checks & Azure Checks: Snooze/unsnooze results in PR becoming green/red instantly

• Container image scanning: Nexus container registry is now supported (docs)

• Autofix:

  • Support added for autofixing Java dependencies (docs)

  • GitHub autofix: We now autoclose old PRs when new ones are created for the same lockfile

• Dependency scanning: Support for Conda requirements.yml (Python)

• SAML: 3-Legged OAuth2 flow support added (see apidocs)

Vulnerability Database

Our research team has discovered over 14 new vulnerabilities over the last two weeks! (check out our vulnerability database)

Features

🚀 Authorized DAST launched
You can now check if logged in users could break your application or access sensitive data. (docs)

🚀 GitLab Self-Managed Issues
You can now create issues in your GitLab server, directly from Aikido.

🚀 SAML support
Single sign-on (SSO) like Okta, is now supported. (docs)

Improvements

• Local scanner v1.0.2:

  • Yarn lockfiles using package manager specs in their versions are now supported

  • There’s a new --exclude option, so you can exclude certain paths from being scanned.

  • Secret detection is now supported

• Firewall:

  • Now compatible with Next.js

  • Rate limiting by API route possible in the Aikido UI

  • Rate limiting for wildcards now available

• Dev dependencies support for JS & Python (Contact us to enable this feature)

• Autofix: We now support .NET

• Trends over time: New graph added: “New & Handled Issues”, see how many issues were handled (solved/ignored). (check it out in-app)

• Azure DevOps: Multi-branch scanning is now available

• Azure Pipelines CI: PR checks now possible (docs)

• Public API: You can now also delete teams (docs)

• User management: You can now invite users to join a workspace via Gmail, Microsoft Login or Personal GitHub accounts (docs)

New features

🚀 Bulk autofix
It’s now possible to fix vulnerabilities by upgrading dependencies, in bulk. (check it out in-app)

🚀 GitHub PR Checks
You can now configure PR checks directly in Aikido, no code needed. Configure repos in bulk, roll them out automatically and save costs (CI minutes) too! (go to docs)

🚀 Wordpress vulnerability detection
Aikido now detects vulnerabilities inside of your Wordpress instance & its plugins! We’re using Wordfence’s database (A vuln feed that Trivy doesn’t support natively) under the hood. 🙏

Improvements & bug fixes

• Visual Studio Code IDE integration: You can now report false positives & false negatives (undetected issues) to Aikido, straight from your IDE! (check out the plugin)

• Aikido Vulnerability Database: We gave the website a small facelift 😉

• Public API: Single issue detail now exposes more issue type specific fields. Giving you more detail when needed! (go to docs)

• Public API: You can now adjust issue severity, listing of users in a team and snooze/ignore single issues

• Aikido Firewall: You can now identify users and block them when you notice suspicious behavior.

• Azure Boards: You can now specify the work item in which an issue should be created.

• Azure Boards: You can now assign tickets to specific Azure Boards teams, directly in Aikido.

• Azure DevOps: Autofix support has arrived! (go to docs)

New features

🚀 IDE Plugin for Visual Studio Code
We’ve launched the first version of our IDE plugin! Now you can help your developers spot vulnerabilities early & fix them before they commit. (integration details)

🚀 Asana
Using Asana for coordinating your team’s tasks? Time to connect it to Aikido! (integration details)

🚀 Help center platform update:
We now run on Outverse instead of Intercom. Way more easy to navigate, more dev friendly and a search that works very well. And also, dark mode. 🌓

Improvements & bug fixes

• Licenses report: We’ve launched multi-select filters (languages, repos, containers) that allow you to filter and drill down to the level of detail you’d like to see. These filters work for exports too! (check it out in-app)

• Linear integration: You can now indicate which labels should be added to issues by default.

• Linear integration: Aikido severities are now mapped to Linear issue priorities.

• ClickUp integration: Aikido severities are now mapped to ClickUp task priorities

• Aikido Local Scanner: Repo gating is now possible for the Aikido local scanner! (check the docs)

• Teams: You can now link teams directly to containers instead of workaround via repos.

• User Access Rights: Team only users can now resolve and unresolve secrets

New features

🚀 Task manager integrations improvements:

• You can now link existing Jira data center issues or GitHub issues to Aikido issues.

• When sending an issue to Jira, we now share more detailed information about the filename in the description.

Improvements & bug fixes

• License reports: We’ve added a team and license type filter to our license reports!

• Onboarding: We’ve improved the user interface for repo selection during onboarding. Making onboarding even faster.

• Aikido Firewall: You can now see a list of all outbound domains and API endpoints.

• Slack integration: We now post the issue type to slack as well.

• Local scanner: We’ve added release gating. Set it up by configuring the container image scanner to ‘fail on’ the severity level of your choice (read the docs)

• Surface monitoring (DAST): You can now choose to scan daily/weekly or on-demand for Nuclei domains.

• Container image scanning: You can now configure multi-tag container scanning for public images