Multifile & Taint Analysis

Aikido tracks how untrusted input flows through your code and flags it when it reaches a dangerous sink (for example, SQL or command execution). We support taint analysis both within a file and across files, so that input accepted in one place can be linked to a risky operation in another.

On top of data flow, Aikido also checks reachability so you don’t get pinged for issues that can’t actually execute in your app (for example, a vulnerable function you don’t call, or code that only runs in tests). This is part of how we keep noise down.

Taint tracing in Aikido

When a vulnerability is discovered, Aikido will trace it through the relevant function calls. When you open a security issue, select View code analysis to get a detailed look at the source of the vulnerability as well as a call graph illustrating the execution flow.
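As an added illustration of the two ideas above (not Aikido's engine or code), the toy tracker below runs over a constructed two-file program: untrusted input enters in routes.js, crosses a call into db.js and reaches a SQL sink, which is reported with its call path, while a sink in a test-only function that no entry point reaches is never analysed. The statement encoding, file names and parameter naming (p0, p1, ...) are assumptions made for this example.

```python
# Constructed two-file program (sample input for this example). Each function
# is a list of statements:
#   ("source", dst)             dst receives untrusted input (e.g. a request param)
#   ("assign", dst, src)        dst = src
#   ("call", dst, callee, args) dst = callee(*args); callee's params are p0, p1, ...
#   ("sink", kind, var)         var is passed to a dangerous operation
# "ret" is the variable a function returns; "const" stands for a literal.
PROGRAM = {
    "routes.js:handler": [("source", "id"),
                          ("call", "rows", "db.js:lookup", ["id"]),
                          ("call", "rows2", "db.js:safe_lookup", ["id"])],
    "db.js:lookup": [("assign", "q", "p0"), ("sink", "sql", "q"), ("assign", "ret", "q")],
    "db.js:safe_lookup": [("call", "clean", "db.js:escape", ["p0"]), ("sink", "sql", "clean")],
    "db.js:escape": [("assign", "ret", "const")],  # sanitizer: returns an untainted value
    "test.js:test_only": [("source", "x"), ("sink", "exec", "x")],  # not reachable from an entry
}
ENTRY_POINTS = ["routes.js:handler"]


def analyze(program, entry_points):
    """Return (findings, analyzed). findings: (sink kind, call path, variable) for every
    tainted sink reachable from entry_points; analyzed: the functions actually visited."""
    findings, summaries = [], {}  # summaries: (func, tainted params) -> return value tainted?

    def run(func, tainted_params, path):
        key = (func, frozenset(tainted_params))
        if key in summaries:  # memoised per taint context; also stops infinite recursion
            return summaries[key]
        summaries[key] = False
        tainted = set(tainted_params)
        for stmt in program[func]:
            if stmt[0] == "source":
                tainted.add(stmt[1])
            elif stmt[0] == "assign":
                _, dst, src = stmt
                tainted = (tainted | {dst}) if src in tainted else (tainted - {dst})
            elif stmt[0] == "call":  # cross-file step: bind tainted arguments to parameters
                _, dst, callee, args = stmt
                params = {f"p{i}" for i, a in enumerate(args) if a in tainted}
                tainted = (tainted | {dst}) if run(callee, params, path + [callee]) else (tainted - {dst})
            elif stmt[0] == "sink":
                _, kind, var = stmt
                if var in tainted:
                    findings.append((kind, tuple(path), var))
        summaries[key] = "ret" in tainted
        return summaries[key]

    for entry in entry_points:  # reachability: only code reached from an entry point is examined
        run(entry, set(), [entry])
    return findings, sorted({f for f, _ in summaries})
```

Running `analyze(PROGRAM, ENTRY_POINTS)` reports one SQL finding with the path handler -> lookup, nothing for the sanitized path through escape, and never visits test.js.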

Where multi-file taint analysis is available

Aikido currently supports cross-file taint tracking for the following languages:

  • JavaScript

  • TypeScript

  • PHP

  • .NET/C#

  • Java

  • Rust

  • Go

  • Ruby

  • Python

For the following languages, taint analysis is currently limited to a single file (intra-file):

  • C/C++

  • Swift

  • Android

  • Scala

  • Kotlin

  • Dart

  • Elixir
