Changelog

Features

• Zen Firewall: Zen Firewall (runtime protection) is now available for everyone 🥳 Use Zen to block 0-days, stop bots, rate limit sensitive endpoints, discover API’s and much more.

• IDE Plugins now available for basic plans - Secure your code as its written. Get security insights and fixes, directly in your IDE with Aikido IDE plugins available for VSCode, Visual Studio, Jetbrains IDE’s, Cursor and Windsurf.

• AI Autotriage in Pull Requests - Aikido will know further reduce noise by 60% within your PR’s. For more information about Autotriage, check out our latest blogpost.

• EPSS (Exploit Prediction Scoring System) based prioritisation is now available to further reduce noise and to guided your team towards the most critical issues.

Aikido Intel - Malware & Vulnerability Database

Our research team has discovered 32 vulnerabilities over the last two weeks! Including another NPM package supply chain attack in rand-user-agent, for more info and a detailed breakdown check out our blog.

Improvements

• General - Trends over time now has a open vs handled tab

• Scanning improvements - Added PyPi malware predictions

• Scanning improvements - Aikido will find additional vulnerabilities in javascript peer dependencies, improved support for uv.lock, and many other small improvements.

• CI Gating - Sidebar now shows who ignored or snoozed an issue

• IDE - VSCode 1.0.29 & 1.0.28 & 1.0.27

  • Improved secrets detection

  • Fixes issues with sast scanning for go, c and ruby

• IDE - Visual Studio 1.0.3 - Improvements to UI, secret detection, and scanning

• Domains & API’s - Support for Amazon Cognito authentication

• Domains & API’s - Improvements to screenshot and accessibility checks

• Zen Firewall - Zen for Java v1.1.1

• Zen Firewall - Zen for Python v1.1.9

• Zen Firewall - Zen for Dotnet v1.2.9

• Zen Firewall - Supports blocking Whatsapp (preview), Claude and MistralAI bots

• Zen Firewall - You can now block a user in Zen straight from the attack overview

• Zen Firewall - View the route spec (payload and other parameters) detected by Zen by clicking on the actions menu on a specific route and selecting “View Spec”.

• API - Manage private registry connections

• API - Zen allow blocking of malicious users through API

Features

• Customize Autofix PR’s - Configure the pull request title, prefix, label, commit message, and summary to adapt Aikido to your needs.

• Front-End Library Detection: Aikido will now detect and alert on CVE’s within your website. so you get full coverage of your dependencies without the need for repository scanning.

• Zen Firewall Outbound alerting allows you to get notified when new outbound connections are detected from your applications to stop data leaks and other malicious traffic.

Aikido Intel - Malware & Vulnerability Database

Our research team has discovered over 36 the last two weeks! Including a critical XRP supply chain attack.

Improvements

• General - Settings/Advanced: allows to ignore entire secret history

• Autofix - Parent package updates for .NET

• Scanning improvements - SQL injection for C/C++

• Scanning improvements - Python rule for unsecured http calls

• Scanning improvements - Rust rule for insecure jwt

• Domains & API’s - API Payload Customization: It's now possible to both visualize and edit the sample data on swagger level to increase the reach of Aikido API scanning.

• Domains & API’s - API fuzzer: we now show request headers as well in the request logs

• Domains & API’s - Frontend domains; you can now also set the frequency

• Zen Firewall - Sink stats

• Zen Firewall - Python 1.1.8

• Zen Firewall - NodeJS release 1.6.21

• Zen Firewall - Zen for .NET 1.2.7 & 1.2.8

• IDE - Adoption stats visible for admins: follow the usage of the IDE within your company

• IDE - Visual Studio 1.0.2

  • Reporting false positives / negatives

  • Setting to show ignored issues anyway

  • Further integration with git, now respecting .gitignore file

  • Better handling of file rename / delete

  • Log improvements

• IDE - VSCode: support for SAST scanning on Intel Macs

• Git - Made inline commenting on Azure DevOps configurable by severity (for Advantive)

• Git - CI Gitlab (Cloud/Onprem): severity setting for comments

• Git - Gitlab and Github ****now have improved pull request content to give developers the right context when reviewing.

• Reports - CSV export of activity log

• Reports - CSV export now has auto-ignored reasons exported as well

• API - Add snooze until date, comments ignore/snooze, EPSS value

• API - Added ability to clone a repo

Features

• Scan Virtual Machines Locally: You can now easily scan local VMs with Aikido using a single package

• Support for SAML access profiles: Define user access rights based on SAML attributes

Improvements

• JetBrains IDE improvements: You can now see the overview of scans and results within the side bar of the JetBrains IDE

• Edit ARN of container registry: You can now manually edit the ARN that identifies a container registry

• Create tasks scoped for container Images: You can now create Jira tasks scoped to specific contains within Aikido

• Bulk unlink repos: From settings/repos you can now bulk unlink repos from the Aikido Dashboard.

• Dashboard improvements: Ministats on dashboard feed now show both grouped and individual issues

• Solved issues now shown in activity feed

Vulnerability Database

Our research team has discovered over 41 new vulnerabilities over the last two weeks!

Features

• Visual Studio IDE plugin: Scan your Microsoft Visual Studio 2022 projects for secrets, API keys, and security vulnerabilities (SAST) - while coding

• License gating: You can now block pull requests for Github, GitLab (Cloud & On-prem), Bitbucket, Azure (contact us to enable this feature)

• Unhealthy package detection: Aikido Intel’s AI based Malware feed can now detect packages that contain suspicious code like calling external services, using typical obfuscation patterns, and more - these issues are marked as high.

Improvements

• GitHub CI: We now use signed commits for commits coming from Aikido

• Expanded SAST support: First Rust rules are launched

• Code analysis modal: You can now explore multi-file analysis paths

• Domains: You can now link REST & GraphQL domains to a repo or container

• Status page: You can now subscribe to get alerts for incidents

• Task autocreation: You can now set the scope level

• Aikido Issue Detail Sidebar: You can now see an activity log for every issue in the issue detail sidebar.

• Opengrep: Brought back Elixir support, we now publish ARM binaries for Linux, We improved the parsing of verbatim strings and raw string literals in C#, We added a new flag --𝚘𝚞𝚝𝚙𝚞𝚝-𝚎𝚗𝚌𝚕𝚘𝚜𝚒𝚗𝚐-𝚌𝚘𝚗𝚝𝚎𝚡𝚝 that can be added to the 𝚜𝚌𝚊𝚗 command

Vulnerability Database

Our research team has discovered over 42 new vulnerabilities over the last two weeks!

Features

• Opengrep playground released: We have released a desktop app to build opengrep rules easily for Mac, Windows and Linux

• Changelog now showing in app: To make it easier to see all the great new improvements we have added the changelog in the Aikido dashboard “Hello everyone :)”

• Malware now included in Aikido Intel feed: Aikido is now scanning all public registries for malware and including any discoveries in the Aikido Intel feed.

Improvements

• Inline comments for PR checks: You can now choose what severity triggers inline comments on PR

• Improvements for Jetbrains IDE plugins

  • SAST scanning now powered by opengrep

  • Added support for Rubymine

• Enable/disable PR checks for draft PRs in GitHub Actions

• Poetry 2 added for Autofix support

Vulnerability Database

Our research team has discovered over 35 new vulnerabilities within open-source packages and 2543 malicious public packages over the last two weeks

Prefer to watch, check out the video below

Features

• Inline commenting for SAST, IaC, Secrets: You can now get comments relating to security threats directly in your PR for GitHub, GitLab, Azure DevOps and BitBucket.

• Control when license issues display in feed: Choose between not showing licenses in your main feed or showing critical or Critical and High licenses only. Check it out

• Extractor now also captures .snyk files: Make switching tools easier but using existing .snyk files to ignore paths / files as well as the standard .aikido files

Improvements

Local scanner

• Link single container images to multiple teams

• Added support for pdm.lock files

• Capture .sbt.lock files

• Full support now added for Windows

IDE

• VSCode extension v1.0.23 now displays scan results to activity bar

Zen

• Graphs on Routes and Outbound displaying number of requests over time

• Support introduced for .NET .core 9

DAST

• REST api fuzzer now comes with support for SSRF type vulnerabilities

UX

• Code analysis window now displaces source/propagators/sinks in code

Vulnerability Database

Our research team has discovered over 29 new vulnerabilities over the last two weeks! (vulnerability database)

Prefer watching over reading?

Here’s the video version:

Features

• Ignore findings by package: Aikido can now ignore all findings relatred to a specfic package via the Aikido Dashboard

• Get GitLab Server CI results in dashboard: Results from CI scans will appear in the Aikido dashboard feed

• NIST reporting: Get automated NIST reports directly within the Aikido reporting page

Improvements

• SCA: Added support for pdm.lock (python) and plugins.sbt (scala)

• User access rights: You can now manage access rights within Aikido for Cloud, Container and domain management

Vulnerability Database

Our research team has discovered over 33 new vulnerabilities over the last two weeks!

Features

• Aikido Zen released for .NET: Aikido’s In-app firewall ‘Zen’ is now available for .NET applications!

• Aikido Zen - CrowdSec integration: Zen now incorporates CrowdSec lists so you can block known threat actors. (PHP support will be added soon.)

• Windsurf IDE integration: You can now install the Aikido IDE plugin for Windsurf to spot issues while coding.

• DORA compliance report: A new compliance report is available, tailored for fintech and banking sector.

Improvements

• Bulk license management: Users can now perform bulk changes to licenses, including marking them as internal or changing risk assessments.

• Aikido Zen - Routes and outbound request monitoring: Zen now allows you to monitor the # of requests on your own routes and outbound connections.

• JavaScript autofix via parent package: You can now autofix JavaScript dependencies through parent packages.

• Bulk assignment of repositories and containers: Assign assets to teams faster by bulk selection.

• GitLab issue labels: Add labels to GitLab issues directly from Aikido.

• SCM connected user offboarding: Admins can now easily offboard users that are connected via SCM platforms (GitHub, Bitbucket, GitLab).

Vulnerability Database

Our research team has discovered over 40 new vulnerabilities over the last two weeks!

Features

• Aikido Zen released for Java: Aikido’s In-app firewall ‘Zen’ now available for Java applications

• Support for .aikido ignore files: Ignore vulnerabilities by PATH and CVE number with the .aikido file

• SAST Swift support: Swift is now supported by Aikido’s static code scanning

• Generate reports for Auditors: Easily generate reports for compliance auditors from the Aikido reporting page

• CI Scanning includes malware detection: Now scan for malware directly in the Aikido CI (via request only)

• Bitbucket CI: Bitbucket PR checks configurable directly via Aikido UI

Improvements

• DAST: Authentication on the REST API is now possible via oAuthV2 client credentials flow.

• UI/UX:

  • Option to IP lock the Aikido Dashboard (via request only)

  • Bulk activate/deactivate repositories in the repo settings

  • Incident filters on the Aikido dashboard are now stored in URL allowing them to be easily shared

• API:

  • Manage domains with support for ‘create’, ‘remove’, and ‘list’ domains

  • Manage team members with the ability to ‘add’ and ‘remove’ users from the team via the API

• Reporting: Spanish ENS compliance reporting has been added to the Aikido reports page

Vulnerability Database

Our research team has discovered 25 new vulnerabilities over the last two weeks!

Features

• Aikido Intel’s reporting now open-sourced: You can contribute directly to Aikido Intel feed via the public GitHub repo

• Zen now supports bot blocking: You can now block bot users such as AI scrapers, AI search crawlers, Archivers and more with Zen

• GitLab CI checks from Aikido dashboard: Now setup GitLab CI checks directly via the Aikido Dashboard (GitLab Cloud only)

Improvements

• Containers: Now perform bulk actions on container vulnerabilities from settings page

• Open-source security: Support for text-based bun lockfiles

• License risks: 114,000 package licenses that were previously unknown licenses added

• Auto-fix: Support for requirements.in with Aikido auto-fix

• Open-source License risk: You can now see license risk scoring within the Aikido dashboard

Vulnerability Database

Our research team has discovered over 14 new vulnerabilities over the last two weeks!

Features

• Interact with issues from Slack: Users can view/snooze/ignore/solve all issues from within Slack (by request only)

• DAST IP Address Control: You can choose to scan your application with EU or US IP addresses

• Integrations

  • Native Integration with Leen.dev security connector

  • Drata Integration improved to include support for HIPAA framework

Improvements

• SAST: New rules for GitHub actions to target dangerous exploits

• User Experience Improvements:

  • New Autofix link added to sidebar

  • Ability for Admins to delete notes

  • View CI scan history via the reporting page

• DAST:

  • New rules for REST API/GRAPHQL scanning created

  • Set scan frequency for REST API/GRAPHQL scanning

  • Added routes tab in domain information for REST API scanning

Vulnerability Database

Our research team has discovered over 35 new vulnerabilities over the last two weeks!

Features

• API Scanning: Our DAST API scanner for REST and GraphQL APIs has arrived.

Improvements

• Virtual Machines can now be configured for mixed clouds (denoises your results & lowers scanning frequency)

• Our public API can now return activity log items

• You can now sync SLA dates to Jira due dates

Vulnerability Database

Our research team has discovered over 40 new vulnerabilities over the last two weeks!

Features

• Autofix SAST: Now preview or auto-generate a pull request with code fixes for discovered SAST and IaC vulnerabilities

• GDPR report: Generate reports for GDPR compliance

• SAST for Elixir: You can now find code vulnerabilities in Elixir projects with Aikido SAST

• Add local repos to workspace: You can now add your locally scanned repos to an existing workspace (Enabled by request)

Improvements

• Status filter: Ability to filter issues on the main feed by item Status for improved task management

Vulnerability Database

Our research team has discovered over 61 new vulnerabilities over the last two weeks!

Features

• CLI based release gating: Aikido CLI now supports release gating based on security checks

• Enriched Pull Requests: More detailed PR decoration with Aikido Autofix for, BitBucket and GitLab

Improvements

• Dashboard sidebar redesigned for improved user experience

• End of Life issue detection support added for .NET projects

Vulnerability Database

Our research team has discovered over 32 new vulnerabilities including 8 Critical and 6 High over the last two weeks!

Features

• HiTrust Compliance: You can generate a Level 3 HiTrust compliance report from Aikido’s reports page

Improvements

• Feed: Option to filter issues by severity

• Secret Scanning: Secrets scanning added for BitBucket pipelines

• SCA:

  • Support added for RUST cargo.toml file

  • Autofix now connects to private package managers through secure environment variables.

  • Yarn 4 package manager now supported for Autofix

• End of Life (EOL): Support added for Azure AKS, AWS EKS, kubernetes on GCP

• User Settings

  • Admin users can now disable/enable auto onboarding in settings/users

  • Added toggles to control default permissions of new users

• Integrations: Users can now see and enable extra unmapped SonarQube rules

• Public API:

  • Support for (un)linking assets (repos, clouds,…) to a team

  • Support for obtaining counts of a single issues

  • Reachability status for single issue added

  • Support for creating custom SAST rules (detail, add, edit, delete) through API

Features

• In-app firewall Zen launched for Python - Zen now supports Python and is compatible with Django, Flask, Quart, and Starlette. It automatically blocks critical injection attacks, adds API rate limiting, and more.

• Dependency Autofix PRs- Aikido can now automatically create daily pull requests for bulk dependency upgrades

• Native Thoropass integration - Aikido can now automatically push compliance checks as evidence into Thoropass

Improvements

• SAST: DART added as a supported language for Aikido SAST

• Reporting: Trends over time report adjustable by timeframe

• Domains: Updated Domains page to show solved issues

• Task Tracker: Auto creation of tasks based on severity and issue

• Local scanning: Added support for uv.lock files for dependency scanners

• APIs: Unsnooze / unignore group/individual issues

• GitLab CI: Secrets scanning now supported

• SCA: Support for build.gradle

• Zen: Now easily autogenerate OpenAPI specification

Vulnerability Database

Our research team has discovered over 28 new vulnerabilities over the last two weeks including 3 Critical and 3 High!

Features

🚀 HIPAA reporting: You can now generate a HIPAA compliance report directly from the Aikido reports tab

🚀 CI Scan History: View the Pull Request history for CI scans in all your integrated CI clients

Improvements

• Issues in Vanta now mapped to container images

• Multiple tags and labels supported for Jira / Linear tickets

• Compliance reporting is grouped per measure providing more visibility in overall compliance

Vulnerability Database

Our research team has discovered over 26 new vulnerabilities over the last two weeks!

New Features

🚀 Path-based responsibility for teams within a repository.

Teams can separate responsibility within a code repo based on path allowing more control for mono-repos.

✅ Default CI configuration added for new repositories

Enable default CI configurations for all new repositories to prevent missed scans.

Improvements & bug fixes

• Get firewall Slack notifications during attacks with Aikidos in app firewall Zen.

• Clojure was added to supported languages for SCA.

• PR scan history included in scan history page for local scanning.

• Team-only users now have access to stats in the feed and ignored pages.

Vulnerability Database

Our research team has discovered over 12 new vulnerabilities over the last two weeks!

New Features

🚀  Agentless Virtual Machine scanning in AWS (docs)
Aikido can now scan your AWS EC2 instances for vulnerabilities. We're stoked to be launching this new feature! Some competitors call this cloud workload protection (CWP), some "sidescanning",... We decided to call it by what it is & actually does: Agentless Virtual Machine scanning. Get 100% coverage, from code to cloud, without any agents. Contact us if you'd like to have access to this feature.

🚀  Aikido is now integrated into Vanta’s Vulnerability Page (vanta’s docs)
Vanta now pulls in Aikido’s vulnerabilities directly into their vulnerability page. This allows you to manage your SLAs for multiple security tools directly in Vanta. The page in Vanta provides a high-level overview of all the detected, remediated, or ignored vulnerabilities on all your servers and containers.

Improvements & bug fixes

• Virtual Machine scanning: You can now set the purpose of the environment, so Aikido can better process results.

• Firewall: You can now configure an IP allowlist on routes, this helps to ensure admin APIs are only accessible from your office or company VPN.

• CI/CD Integration: We now display the CI scan history in the UI, so you can see which scans passed or failed & explore the details. (go to app)

• Local Scanner: We now support image PR gating

• Reporting: You can now check how you do on PCI compliance (check the report)

• SAML: Aikido now auto-creates teams when there’s no teams configured yet

• Autofix: We now support private nuget/NPM registries (docs)

• You can now set your preferred scanning frequency (if you’re on a paid plan)

Vulnerability Database

Our research team has discovered over 20 new vulnerabilities over the last two weeks! (vulnerability database)

New Features

🚀 JetBrains IDE plugins (docs / JetBrains Marketplace)
We’ve released our JetBrains IDE plugin. (Supporting GoLand, IntelliJ IDEA, PhpStorm, PyCharm, Rider, WebStorm) Scan your codebase for secrets, API keys and SAST code issues, while coding!

🚀 Access Controls for GitLab
Aikido can now check for critical access control issues. (Think of multi-factor authentication, restricting default access rights, requiring mandatory code reviews,...) This way, you can ensure that only authorized and verified changes are made to your codebase.

Improvements & bug fixes

• Autofix: Now supports ruby on rails

• Dependency scanning: Broader coverage C++/CPP

• Firewall (GitHub)

  • The firewall overview page has been redesigned

  • You can now manage the firewall app via API. Helpful when you have 100s of apps that you want to add!

  • You can now set your app’s environment (staging/dev/prod)

  • Firewall can now recognize and index graphQL operations

• SAML: You can now sync rights & teams directly to Aikido.

• Domains: You can now adapt linked assets (container/repo) when editing a domain

• Local Scanner:

  • PR scanning support has arrived! You can now do both PR gating and release gating.

  • Support for lockfile-less C++ added

• Domains (Dynamic testing): You can now edit linked assets (repo/container) while editing a domain.

• Tines Marketplace Integration: We’ve created pre-built stories on the Tines marketplace, making integration with tines dead-simple.

Vulnerability Database

Our research team has discovered over 10 new vulnerabilities over the last two weeks! (check out our vulnerability database)