Changelog

Features

• Visual Studio IDE plugin: Scan your Microsoft Visual Studio 2022 projects for secrets, API keys, and security vulnerabilities (SAST) - while coding

• License gating: You can now block pull requests for Github, GitLab (Cloud & On-prem), Bitbucket, Azure (contact us to enable this feature)

• Unhealthy package detection: Aikido Intel’s AI based Malware feed can now detect packages that contain suspicious code like calling external services, using typical obfuscation patterns, and more - these issues are marked as high.

Improvements

• GitHub CI: We now use signed commits for commits coming from Aikido

• Expanded SAST support: First Rust rules are launched

• Code analysis modal: You can now explore multi-file analysis paths

• Domains: You can now link REST & GraphQL domains to a repo or container

• Status page: You can now subscribe to get alerts for incidents

• Task autocreation: You can now set the scope level

• Aikido Issue Detail Sidebar: You can now see an activity log for every issue in the issue detail sidebar.

• Opengrep: Brought back Elixir support, we now publish ARM binaries for Linux, We improved the parsing of verbatim strings and raw string literals in C#, We added a new flag --𝚘𝚞𝚝𝚙𝚞𝚝-𝚎𝚗𝚌𝚕𝚘𝚜𝚒𝚗𝚐-𝚌𝚘𝚗𝚝𝚎𝚡𝚝 that can be added to the 𝚜𝚌𝚊𝚗 command

Vulnerability Database

Our research team has discovered over 42 new vulnerabilities over the last two weeks!

Features

• Opengrep playground released: We have released a desktop app to build opengrep rules easily for Mac, Windows and Linux

• Changelog now showing in app: To make it easier to see all the great new improvements we have added the changelog in the Aikido dashboard “Hello everyone :)”

• Malware now included in Aikido Intel feed: Aikido is now scanning all public registries for malware and including any discoveries in the Aikido Intel feed.

Improvements

• Inline comments for PR checks: You can now choose what severity triggers inline comments on PR

• Improvements for Jetbrains IDE plugins

  • SAST scanning now powered by opengrep

  • Added support for Rubymine

• Enable/disable PR checks for draft PRs in GitHub Actions

• Poetry 2 added for Autofix support

Vulnerability Database

Our research team has discovered over 35 new vulnerabilities within open-source packages and 2543 malicious public packages over the last two weeks

Prefer to watch, check out the video below

Features

• Inline commenting for SAST, IaC, Secrets: You can now get comments relating to security threats directly in your PR for GitHub, GitLab, Azure DevOps and BitBucket.

• Control when license issues display in feed: Choose between not showing licenses in your main feed or showing critical or Critical and High licenses only. Check it out

• Extractor now also captures .snyk files: Make switching tools easier but using existing .snyk files to ignore paths / files as well as the standard .aikido files

Improvements

Local scanner

• Link single container images to multiple teams

• Added support for pdm.lock files

• Capture .sbt.lock files

• Full support now added for Windows

IDE

• VSCode extension v1.0.23 now displays scan results to activity bar

Zen

• Graphs on Routes and Outbound displaying number of requests over time

• Support introduced for .NET .core 9

DAST

• REST api fuzzer now comes with support for SSRF type vulnerabilities

UX

• Code analysis window now displaces source/propagators/sinks in code

Vulnerability Database

Our research team has discovered over 29 new vulnerabilities over the last two weeks! (vulnerability database)

Prefer watching over reading?

Here’s the video version:

Features

• Ignore findings by package: Aikido can now ignore all findings relatred to a specfic package via the Aikido Dashboard

• Get GitLab Server CI results in dashboard: Results from CI scans will appear in the Aikido dashboard feed

• NIST reporting: Get automated NIST reports directly within the Aikido reporting page

Improvements

• SCA: Added support for pdm.lock (python) and plugins.sbt (scala)

• User access rights: You can now manage access rights within Aikido for Cloud, Container and domain management

Vulnerability Database

Our research team has discovered over 33 new vulnerabilities over the last two weeks!

Features

• Aikido Zen released for .NET: Aikido’s In-app firewall ‘Zen’ is now available for .NET applications!

• Aikido Zen - CrowdSec integration: Zen now incorporates CrowdSec lists so you can block known threat actors. (PHP support will be added soon.)

• Windsurf IDE integration: You can now install the Aikido IDE plugin for Windsurf to spot issues while coding.

• DORA compliance report: A new compliance report is available, tailored for fintech and banking sector.

Improvements

• Bulk license management: Users can now perform bulk changes to licenses, including marking them as internal or changing risk assessments.

• Aikido Zen - Routes and outbound request monitoring: Zen now allows you to monitor the # of requests on your own routes and outbound connections.

• JavaScript autofix via parent package: You can now autofix JavaScript dependencies through parent packages.

• Bulk assignment of repositories and containers: Assign assets to teams faster by bulk selection.

• GitLab issue labels: Add labels to GitLab issues directly from Aikido.

• SCM connected user offboarding: Admins can now easily offboard users that are connected via SCM platforms (GitHub, Bitbucket, GitLab).

Vulnerability Database

Our research team has discovered over 40 new vulnerabilities over the last two weeks!

Features

• Aikido Zen released for Java: Aikido’s In-app firewall ‘Zen’ now available for Java applications

• Support for .aikido ignore files: Ignore vulnerabilities by PATH and CVE number with the .aikido file

• SAST Swift support: Swift is now supported by Aikido’s static code scanning

• Generate reports for Auditors: Easily generate reports for compliance auditors from the Aikido reporting page

• CI Scanning includes malware detection: Now scan for malware directly in the Aikido CI (via request only)

• Bitbucket CI: Bitbucket PR checks configurable directly via Aikido UI

Improvements

• DAST: Authentication on the REST API is now possible via oAuthV2 client credentials flow.

• UI/UX:

  • Option to IP lock the Aikido Dashboard (via request only)

  • Bulk activate/deactivate repositories in the repo settings

  • Incident filters on the Aikido dashboard are now stored in URL allowing them to be easily shared

• API:

  • Manage domains with support for ‘create’, ‘remove’, and ‘list’ domains

  • Manage team members with the ability to ‘add’ and ‘remove’ users from the team via the API

• Reporting: Spanish ENS compliance reporting has been added to the Aikido reports page

Vulnerability Database

Our research team has discovered 25 new vulnerabilities over the last two weeks!

Features

• Aikido Intel’s reporting now open-sourced: You can contribute directly to Aikido Intel feed via the public GitHub repo

• Zen now supports bot blocking: You can now block bot users such as AI scrapers, AI search crawlers, Archivers and more with Zen

• GitLab CI checks from Aikido dashboard: Now setup GitLab CI checks directly via the Aikido Dashboard (GitLab Cloud only)

Improvements

• Containers: Now perform bulk actions on container vulnerabilities from settings page

• Open-source security: Support for text-based bun lockfiles

• License risks: 114,000 package licenses that were previously unknown licenses added

• Auto-fix: Support for requirements.in with Aikido auto-fix

• Open-source License risk: You can now see license risk scoring within the Aikido dashboard

Vulnerability Database

Our research team has discovered over 14 new vulnerabilities over the last two weeks!

Features

• Interact with issues from Slack: Users can view/snooze/ignore/solve all issues from within Slack (by request only)

• DAST IP Address Control: You can choose to scan your application with EU or US IP addresses

• Integrations

  • Native Integration with Leen.dev security connector

  • Drata Integration improved to include support for HIPAA framework

Improvements

• SAST: New rules for GitHub actions to target dangerous exploits

• User Experience Improvements:

  • New Autofix link added to sidebar

  • Ability for Admins to delete notes

  • View CI scan history via the reporting page

• DAST:

  • New rules for REST API/GRAPHQL scanning created

  • Set scan frequency for REST API/GRAPHQL scanning

  • Added routes tab in domain information for REST API scanning

Vulnerability Database

Our research team has discovered over 35 new vulnerabilities over the last two weeks!

Features

• API Scanning: Our DAST API scanner for REST and GraphQL APIs has arrived.

Improvements

• Virtual Machines can now be configured for mixed clouds (denoises your results & lowers scanning frequency)

• Our public API can now return activity log items

• You can now sync SLA dates to Jira due dates

Vulnerability Database

Our research team has discovered over 40 new vulnerabilities over the last two weeks!

Features

• Autofix SAST: Now preview or auto-generate a pull request with code fixes for discovered SAST and IaC vulnerabilities

• GDPR report: Generate reports for GDPR compliance

• SAST for Elixir: You can now find code vulnerabilities in Elixir projects with Aikido SAST

• Add local repos to workspace: You can now add your locally scanned repos to an existing workspace (Enabled by request)

Improvements

• Status filter: Ability to filter issues on the main feed by item Status for improved task management

Vulnerability Database

Our research team has discovered over 61 new vulnerabilities over the last two weeks!

Features

• CLI based release gating: Aikido CLI now supports release gating based on security checks

• Enriched Pull Requests: More detailed PR decoration with Aikido Autofix for, BitBucket and GitLab

Improvements

• Dashboard sidebar redesigned for improved user experience

• End of Life issue detection support added for .NET projects

Vulnerability Database

Our research team has discovered over 32 new vulnerabilities including 8 Critical and 6 High over the last two weeks!

Features

• HiTrust Compliance: You can generate a Level 3 HiTrust compliance report from Aikido’s reports page

Improvements

• Feed: Option to filter issues by severity

• Secret Scanning: Secrets scanning added for BitBucket pipelines

• SCA:

  • Support added for RUST cargo.toml file

  • Autofix now connects to private package managers through secure environment variables.

  • Yarn 4 package manager now supported for Autofix

• End of Life (EOL): Support added for Azure AKS, AWS EKS, kubernetes on GCP

• User Settings

  • Admin users can now disable/enable auto onboarding in settings/users

  • Added toggles to control default permissions of new users

• Integrations: Users can now see and enable extra unmapped SonarQube rules

• Public API:

  • Support for (un)linking assets (repos, clouds,…) to a team

  • Support for obtaining counts of a single issues

  • Reachability status for single issue added

  • Support for creating custom SAST rules (detail, add, edit, delete) through API

Features

• In-app firewall Zen launched for Python - Zen now supports Python and is compatible with Django, Flask, Quart, and Starlette. It automatically blocks critical injection attacks, adds API rate limiting, and more.

• Dependency Autofix PRs- Aikido can now automatically create daily pull requests for bulk dependency upgrades

• Native Thoropass integration - Aikido can now automatically push compliance checks as evidence into Thoropass

Improvements

• SAST: DART added as a supported language for Aikido SAST

• Reporting: Trends over time report adjustable by timeframe

• Domains: Updated Domains page to show solved issues

• Task Tracker: Auto creation of tasks based on severity and issue

• Local scanning: Added support for uv.lock files for dependency scanners

• APIs: Unsnooze / unignore group/individual issues

• GitLab CI: Secrets scanning now supported

• SCA: Support for build.gradle

• Zen: Now easily autogenerate OpenAPI specification

Vulnerability Database

Our research team has discovered over 28 new vulnerabilities over the last two weeks including 3 Critical and 3 High!

Features

🚀 HIPAA reporting: You can now generate a HIPAA compliance report directly from the Aikido reports tab

🚀 CI Scan History: View the Pull Request history for CI scans in all your integrated CI clients

Improvements

• Issues in Vanta now mapped to container images

• Multiple tags and labels supported for Jira / Linear tickets

• Compliance reporting is grouped per measure providing more visibility in overall compliance

Vulnerability Database

Our research team has discovered over 26 new vulnerabilities over the last two weeks!

New Features

🚀 Path-based responsibility for teams within a repository.

Teams can separate responsibility within a code repo based on path allowing more control for mono-repos.

✅ Default CI configuration added for new repositories

Enable default CI configurations for all new repositories to prevent missed scans.

Improvements & bug fixes

• Get firewall Slack notifications during attacks with Aikidos in app firewall Zen.

• Clojure was added to supported languages for SCA.

• PR scan history included in scan history page for local scanning.

• Team-only users now have access to stats in the feed and ignored pages.

Vulnerability Database

Our research team has discovered over 12 new vulnerabilities over the last two weeks!

New Features

🚀  Agentless Virtual Machine scanning in AWS (docs)
Aikido can now scan your AWS EC2 instances for vulnerabilities. We're stoked to be launching this new feature! Some competitors call this cloud workload protection (CWP), some "sidescanning",... We decided to call it by what it is & actually does: Agentless Virtual Machine scanning. Get 100% coverage, from code to cloud, without any agents. Contact us if you'd like to have access to this feature.

🚀  Aikido is now integrated into Vanta’s Vulnerability Page (vanta’s docs)
Vanta now pulls in Aikido’s vulnerabilities directly into their vulnerability page. This allows you to manage your SLAs for multiple security tools directly in Vanta. The page in Vanta provides a high-level overview of all the detected, remediated, or ignored vulnerabilities on all your servers and containers.

Improvements & bug fixes

• Virtual Machine scanning: You can now set the purpose of the environment, so Aikido can better process results.

• Firewall: You can now configure an IP allowlist on routes, this helps to ensure admin APIs are only accessible from your office or company VPN.

• CI/CD Integration: We now display the CI scan history in the UI, so you can see which scans passed or failed & explore the details. (go to app)

• Local Scanner: We now support image PR gating

• Reporting: You can now check how you do on PCI compliance (check the report)

• SAML: Aikido now auto-creates teams when there’s no teams configured yet

• Autofix: We now support private nuget/NPM registries (docs)

• You can now set your preferred scanning frequency (if you’re on a paid plan)

Vulnerability Database

Our research team has discovered over 20 new vulnerabilities over the last two weeks! (vulnerability database)

New Features

🚀 JetBrains IDE plugins (docs / JetBrains Marketplace)
We’ve released our JetBrains IDE plugin. (Supporting GoLand, IntelliJ IDEA, PhpStorm, PyCharm, Rider, WebStorm) Scan your codebase for secrets, API keys and SAST code issues, while coding!

🚀 Access Controls for GitLab
Aikido can now check for critical access control issues. (Think of multi-factor authentication, restricting default access rights, requiring mandatory code reviews,...) This way, you can ensure that only authorized and verified changes are made to your codebase.

Improvements & bug fixes

• Autofix: Now supports ruby on rails

• Dependency scanning: Broader coverage C++/CPP

• Firewall (GitHub)

  • The firewall overview page has been redesigned

  • You can now manage the firewall app via API. Helpful when you have 100s of apps that you want to add!

  • You can now set your app’s environment (staging/dev/prod)

  • Firewall can now recognize and index graphQL operations

• SAML: You can now sync rights & teams directly to Aikido.

• Domains: You can now adapt linked assets (container/repo) when editing a domain

• Local Scanner:

  • PR scanning support has arrived! You can now do both PR gating and release gating.

  • Support for lockfile-less C++ added

• Domains (Dynamic testing): You can now edit linked assets (repo/container) while editing a domain.

• Tines Marketplace Integration: We’ve created pre-built stories on the Tines marketplace, making integration with tines dead-simple.

Vulnerability Database

Our research team has discovered over 10 new vulnerabilities over the last two weeks! (check out our vulnerability database)

New Features

🚀 Sprinto integration (integration details)
Aikido now supports Sprinto, so you can automate your technical vulnerability management reporting.

🚀 Extended coverage for secret liveness detection (docs)
Aikido is now able to check for many different new types of secrets if they are live: Slack tokens, GitLab PAT, Hubspot tokens and many more...

Improvements & bug fixes

• SBOMs: You can now also export your SBOM in SPDX format.

• Firewall: We now support the Micro framework (see docs)

• Issue types filters: It’s now possible to multi select filters. (in the feed and the ignored issues view)

• Azure DevOps: You can now add trusted domains to allow auto-onboarding. (see docs)

Vulnerability Database

Our research team has discovered over 22 new vulnerabilities over the last two weeks! (check out our vulnerability database)

New Features

🚀 Secrets liveness detection (docs)
Aikido now checks if exposed secrets are still active and assesses their potential risks. Issue's severity is adapted based on this information. (Think of GitHub Access Tokens, Sendgrid tokens, Stripe tokens, slack tokens,…) Aikido filters the noise in detected secrets even better than before!

🚀 GitHub access control checks (docs)
Aikido can now check for critical access control issues. (Think of multi-factor authentication, restricting default access rights, requiring mandatory code reviews,...) This way, you can ensure that only authorized and verified changes are made to your codebase.

Improvements & bug fixes

• SLAs: Aikido can now automatically create tasks for issues that go out of SLA (ask us for access to this feature via in-app chat)

• Firewall:

  • We added blocking/nonblocking mode in the UI

  • SSRF protection: blocks SSRF attacks by intercepting and validating requests to internal services.

• Dependency scanning: Support for deno.lock (for JS) (check lockfile support in docs)

• Feed: When you hover over the toggles you now get a detailed view on how Aikido has refined the findings.

  

• SAML: We now support SAML via Google Workspace! (docs)

• Jira integration: You’re now able to map severities to their correlating priorities in Jira

Vulnerability Database

• Our research team has discovered over 31 new vulnerabilities over the last two weeks! (check out our vulnerability database)

New Features

🚀 Firewall
We've added rate limiting for Next.js! Protect against excessive traffic & attacks by limiting the number of requests from a single source.

🚀 Detect secrets in PRs (GitHub checks & Azure Checks)
Enable Aikido's CI Gating for GitHub checks or Azure checks to detect secrets in PRs. Make sure no secrets get pushed live.

Improvements & bug fixes

• CI Gating - GitHub checks & Azure Checks: Snooze/unsnooze results in PR becoming green/red instantly

• Container image scanning: Nexus container registry is now supported (docs)

• Autofix:

  • Support added for autofixing Java dependencies (docs)

  • GitHub autofix: We now autoclose old PRs when new ones are created for the same lockfile

• Dependency scanning: Support for Conda requirements.yml (Python)

• SAML: 3-Legged OAuth2 flow support added (see apidocs)

Vulnerability Database

Our research team has discovered over 14 new vulnerabilities over the last two weeks! (check out our vulnerability database)