Support for dependency scanning by language
Aikido performs a nightly SCA (software composition analysis) scan of your dependencies for known CVEs and risky open-source licenses, using a set of open-source tools such as Trivy and Syft.
Below is a table of supported languages and their respective lockfiles. We recommend using lockfiles by default: they speed up builds, make your builds more reproducible, and they are a first layer of defense against supply-chain attacks. Of course, lockfiles also help Aikido find vulnerable packages.
We scan for lockfiles both in the repository root and in all subfolders.
JavaScript: npm-shrinkwrap.json, package-lock.json, yarn.lock, pnpm-lock.yaml, pnpm-lock.yml, bun.lock, bun.lockb, deno.lock, libman.json
PHP: composer.lock
Java: gradle.lockfile, build.gradle, pom.xml, .jar, .war, .ear, ivy.xml
Swift: Package.resolved, Podfile.lock
Go: go.mod
Python: Pipfile.lock, poetry.lock, uv.lock, pdm.lock, requirements.txt, requirements.yml (Conda)
.NET: .csproj, .deps.json, packages.lock.json, packages.config, Packages.props
Ruby: gemfile.lock
Rust: cargo.lock, cargo.toml
Kotlin: build.gradle.kts, gradle.lockfile
Dart: pubspec.lock
Elixir: mix.lock
C/C++: conan.lock, lockfile-less C/C++ dependencies
Scala: build.sbt, plugins.sbt, dependencies.scala, libraries.scala, .sbt.lock
Clojure: deps.edn