Code Audit Overview

Pentest-grade reasoning on your source code, no environment required.

What is Code Audit?

Code Audit runs pentest-grade security reasoning directly on your source code. You don't need a staging URL, a crawl, or pentest scope setup. Connect a repository, confirm the price in credits, and start the audit.

It's a sibling to Aikido Pentest: same assessment model and issue experience, but focused solely on repositories.

How it works

Connect repositories

You pick the repositories you want audited in the create flow. Code Audit only needs source code — no live target, no domains, no auth setup. See Aikido Never Stores Your Code for how your source is handled during an audit.

Agents reason about your code

Multiple security agents work through the connected codebases together, chaining context across files to surface architectural and logic flaws that traditional static scanners can't see.

Read the findings

Findings land in the Issues tab on the assessment and in your global issue feed, alongside everything else Aikido detects. Each finding includes a summary, root cause, remediation, and code-based Evidence — see Track Progress and Findings for the full read-out.

Pricing and credits

Code Audit is paid for with Aikido credits.

  • The Pricing step in the create flow shows the exact credit total before you commit.

  • Cost depends on the size and complexity of the codebases you select. Larger or more sprawling selections cost more.

  • Credits are charged when you click Start Audit.

Code Audit vs Aikido Pentest

Both products run the same agentic engine, but they answer different questions. Code Audit reasons about your source code. Aikido Pentest exercises your running application.

Use Code Audit when:

  • You want deep code reasoning on logic and architectural flaws — broken access control, privilege escalation, and multi-step exploit chains — without configuring a live environment.

  • You don't have a stable staging or QA target, or auth flows aren't ready for live testing.

  • Your codebase is hard to set up for live testing — mobile apps, smart contracts, desktop apps, embedded software, libraries, or anything else without a straightforward URL to point a pentest at.

  • You need a fast turnaround with minimal setup: connect a repo, confirm credits, start.

  • You want to validate changes in source before they ship to a live deployment.

Use Aikido Pentest when:

  • You have a live target and want to validate real exploitability with real traffic.

  • You want runtime evidence — reproduction requests, attack-surface mapping, and live agent activity.

  • Your scope includes domains, authenticated user roles, and crawl-discovered endpoints beyond what's visible in source.

  • You need follow-up actions like Re-test and Exploit Further on validated findings.

  • You're satisfying compliance frameworks like SOC 2 or ISO 27001 that expect a live penetration test.

Code Audit vs SAST

Both look at your source code, but they work differently. SAST flags patterns — a tainted parameter, a risky API call, a missing check. Code Audit reasons about intent and context across files, so it can identify issues that need an attacker's perspective. The two are complementary, not interchangeable.

Use Code Audit when:

  • You want to catch logic and architectural flaws that pattern-matching can't see — broken access control, privilege escalation, business logic bypasses, and multi-step exploit chains.

  • You need cross-file reasoning that follows references through services, modules, and helpers.

  • You're auditing a high-stakes change, release, or codebase and want attacker-style review on top of your continuous scans.

  • You want deeper context on a specific finding — root cause, exploit path, and remediation — instead of just a pattern hit.

Use SAST when:

  • You want fast, every-commit feedback on common vulnerability patterns — injection sinks, taint flows, hard-coded secrets, dangerous APIs, IaC misconfigurations.

  • You need broad, continuous coverage across every PR and branch without spending credits per scan.

  • You're enforcing PR-time gates in CI/CD on known-bad patterns.
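To make the SAST-versus-reasoning distinction concrete, here is an added example (constructed for this page, not Aikido's code or a representation of its engine). It places an ownership rule `can_access()` in what would be a separate authz module, then shows two versions of a delete handler: one that never consults the rule (a broken-access-control logic flaw with no tainted sink or dangerous API for a pattern rule to match) and the remediated one. A deliberately tiny regex rule in the spirit of a SAST taint check flags string-built SQL in a constructed snippet but finds nothing in the handler that skips authorization. All names, snippets and the in-memory store are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: an ownership rule that lives in its own "authz" module.
@dataclass
class User:
    user_id: int
    role: str = "member"

@dataclass
class Invoice:
    invoice_id: int
    owner_id: int

def can_access(user: User, invoice: Invoice) -> bool:
    """Assumed authorization helper: admins, or the invoice's owner."""
    return user.role == "admin" or invoice.owner_id == user.user_id

class InvoiceStore:
    """Minimal in-memory store standing in for a database (constructed)."""
    def __init__(self) -> None:
        self.invoices: dict[int, Invoice] = {}

    def add(self, invoice: Invoice) -> None:
        self.invoices[invoice.invoice_id] = invoice

def delete_invoice_vulnerable(store: InvoiceStore, user: User, invoice_id: int) -> str:
    """Broken access control: the handler never calls can_access().
    There is no tainted sink or dangerous API here, so a pattern rule sees nothing;
    spotting it requires knowing the authz helper exists and is expected here."""
    invoice = store.invoices.get(invoice_id)
    if invoice is None:
        return "not_found"
    del store.invoices[invoice_id]
    return "deleted"

def delete_invoice_fixed(store: InvoiceStore, user: User, invoice_id: int) -> str:
    """Remediated handler: ownership is checked before the destructive action."""
    invoice = store.invoices.get(invoice_id)
    if invoice is None:
        return "not_found"
    if not can_access(user, invoice):
        return "forbidden"
    del store.invoices[invoice_id]
    return "deleted"

# A deliberately tiny SAST-style rule (constructed): SQL text built with an
# f-string, "+" or "%" and handed straight to execute().
SQL_BUILT_BY_STRING = re.compile(r'execute\(.*?(f"|"\s*\+|"\s*%)')

def toy_pattern_scan(source: str) -> list[str]:
    """Return the lines a pattern rule would flag; blind to missing authz."""
    return [line.strip() for line in source.splitlines()
            if SQL_BUILT_BY_STRING.search(line)]

# Constructed snippets the pattern rule is asked to review.
INJECTION_SNIPPET = '''
def find_invoice(cur, invoice_id):
    cur.execute("SELECT * FROM invoices WHERE id = " + invoice_id)
'''
IDOR_SNIPPET = '''
def delete_invoice(store, user, invoice_id):
    invoice = store.invoices.get(invoice_id)
    del store.invoices[invoice_id]
'''

def demo() -> dict[str, object]:
    """Run both handlers for a non-owner, and the pattern rule over both snippets."""
    alice, bob = User(1), User(2)
    results: dict[str, object] = {}
    for name, handler in (("vulnerable", delete_invoice_vulnerable),
                          ("fixed", delete_invoice_fixed)):
        store = InvoiceStore()
        store.add(Invoice(100, owner_id=alice.user_id))
        results[name] = handler(store, bob, 100)  # bob acts on alice's invoice
    results["pattern_hits_injection"] = len(toy_pattern_scan(INJECTION_SNIPPET))
    results["pattern_hits_idor"] = len(toy_pattern_scan(IDOR_SNIPPET))
    return results

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two tools' blind spots side by side: the pattern rule reports one hit on the injection snippet and none on the handler that skips the ownership check, while the vulnerable handler lets a non-owner delete the record and the fixed one returns `forbidden`. The point is not that either approach is better, but that the missing-authorization bug only becomes visible once the reviewer knows `can_access()` exists in another file and should have been called.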

FAQ

Why doesn't Code Audit need a live URL?

Code Audit reads and reasons about your source code directly. There's no crawl phase, no traffic replay, and no live exploitation — so there's no environment to point at. If you do want live testing against a deployed target, use Aikido Pentest instead.

Why can't I retest a Code Audit finding?

Re-test and Exploit Further are designed for live pentest findings, where Aikido can re-issue requests against your environment. Code Audit evidence is code- and reasoning-based, not a live exploit walkthrough, so those actions don't apply. To re-validate, run a new Code Audit against the updated code.
