Release Gating for Code Using Local Scanner

The Aikido Local Scanner can enforce security gates at different stages of your CI pipeline, including pull requests and releases.


You can also use PR gating with your cloud-connected workspaces (GitHub, BitBucket, etc.). Check out our CI Integration section.

Release gating scans your code before it is published or deployed. Unlike PR gating, which scans only the changes introduced in a pull request, release gating evaluates the entire build. If the scan finds issues that meet or exceed your configured severity threshold, the CI pipeline fails and the release is blocked.

This ensures that the final code meets your security standards before it reaches production.

To enable release gating, add the --fail-on <severity> option to the scan command. Any finding at that severity or higher makes the scan exit with a failure, which fails the job and blocks the release.

aikido-local-scanner scan ./ --apikey $AIKIDO_LOCAL_SCANNER_TOKEN --repositoryname $CI_PROJECT_NAME --branchname main --fail-on critical

Examples

GitLab Self Managed

For general information about setting up the Local Scanner in a GitLab environment, check out this article.

Example .gitlab-ci.yml for release gating:

default:
  image:
    name: aikidosecurity/local-scanner:latest
    entrypoint: [""]

run_aikido_selfscanner:
  script:
  - aikido-local-scanner scan ./ --apikey $AIKIDO_LOCAL_SCANNER_TOKEN --repositoryname $CI_PROJECT_NAME --branchname main --fail-on critical
  rules:
    - if: $CI_COMMIT_BRANCH == "main"

GitHub

For general information about setting up the Local Scanner in a GitHub environment, check out this article.

Example .github/workflows/aikido-scan.yml for release gating:
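The following workflow is an added example that mirrors the GitLab job above; it is not the project's own file. It assumes the API token is stored as a repository secret named AIKIDO_LOCAL_SCANNER_TOKEN and that releases are cut from main.

```yaml
name: Aikido release gating

# Scan the full build on every push to main, the release branch assumed here
on:
  push:
    branches: [main]

jobs:
  aikido-release-gate:
    runs-on: ubuntu-latest
    # Run the job inside the scanner image, as the GitLab example does
    container:
      image: aikidosecurity/local-scanner:latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan the whole build and fail on critical findings
        env:
          # Assumption: the token is a repository secret with this name
          AIKIDO_LOCAL_SCANNER_TOKEN: ${{ secrets.AIKIDO_LOCAL_SCANNER_TOKEN }}
        run: |
          aikido-local-scanner scan ./ \
            --apikey "$AIKIDO_LOCAL_SCANNER_TOKEN" \
            --repositoryname "${{ github.event.repository.name }}" \
            --branchname main \
            --fail-on critical
```

A non-zero exit from the scan step fails the job, so any deploy or publish job that depends on it does not run.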
