Support for dependency scanning by language
Aikido performs a nightly scan of your dependencies for known CVEs and risky open-source licenses using a set of open-source tools such as Trivy and Syft.
Below is a table of supported languages and the lockfiles we scan for each. We recommend committing a lockfile by default: it speeds up installs, makes builds reproducible, and is a first layer of defence against supply-chain attacks, because it pins every transitive dependency to an exact version (and, in most ecosystems, a content hash) so a later install cannot silently resolve to a different package than the one you tested. Lockfiles also give Aikido exact versions to match against, which makes vulnerability detection more precise than inferring versions from a manifest's version ranges.
We scan for lockfiles in the repository root and in every subfolder.
| Language | Lockfiles scanned |
|---|---|
| JavaScript | npm-shrinkwrap.json, package-lock.json, yarn.lock, pnpm-lock.yaml, pnpm-lock.yml, bun.lock, bun.lockb, deno.lock, libman.json |
| PHP | composer.lock |
| Java | gradle.lockfile, build.gradle, pom.xml, .jar, .war, .ear |
| Swift | Package.resolved, Podfile.lock |
| Go | go.mod |
| Python | Pipfile.lock, poetry.lock, uv.lock, requirements.txt, Conda: requirements.yml |
| .NET | .csproj, .deps.json, packages.lock.json, packages.config, Packages.props |
| Ruby | Gemfile.lock |
| Rust | Cargo.lock, Cargo.toml |
| Kotlin | build.gradle.kts, gradle.lockfile |
| Dart | pubspec.lock |
| Elixir | mix.lock |
| C/C++ | conan.lock, lockfile-less C/C++ dependencies (more info) |
| Scala | build.sbt, dependencies.scala |
| Clojure | deps.edn |
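A quick way to see what the nightly scan will pick up in your own repository, and to catch manifests that were committed without a lockfile, is to walk the tree with the file names from the table above. The script below is an added example, not Aikido's scanner: the lockfile names come from the table, but the manifest-to-lockfile pairing (package.json next to package-lock.json, Gemfile next to Gemfile.lock, and so on), the decision to skip `.git` and `node_modules`, and the constructed sample repository it builds in a temporary directory are assumptions of this example.

```python
"""Find the lockfiles listed on this page in a source tree and flag manifests without one."""
import os
import tempfile
from pathlib import Path

# Lockfile names per language, copied from the table on this page.
# gradle.lockfile is listed for both Java and Kotlin, so a name may map to several languages.
LOCKFILES = {
    "JavaScript": ["npm-shrinkwrap.json", "package-lock.json", "yarn.lock", "pnpm-lock.yaml",
                   "pnpm-lock.yml", "bun.lock", "bun.lockb", "deno.lock", "libman.json"],
    "PHP": ["composer.lock"],
    "Java": ["gradle.lockfile", "build.gradle", "pom.xml"],
    "Swift": ["Package.resolved", "Podfile.lock"],
    "Go": ["go.mod"],
    "Python": ["Pipfile.lock", "poetry.lock", "uv.lock", "requirements.txt", "requirements.yml"],
    ".NET": ["packages.lock.json", "packages.config", "Packages.props"],
    "Ruby": ["Gemfile.lock"],
    "Rust": ["Cargo.lock", "Cargo.toml"],
    "Kotlin": ["build.gradle.kts", "gradle.lockfile"],
    "Dart": ["pubspec.lock"],
    "Elixir": ["mix.lock"],
    "C/C++": ["conan.lock"],
    "Scala": ["build.sbt", "dependencies.scala"],
    "Clojure": ["deps.edn"],
}
# Entries the table gives as file-name endings rather than full names.
LOCK_SUFFIXES = {".jar": "Java", ".war": "Java", ".ear": "Java", ".csproj": ".NET", ".deps.json": ".NET"}

# Assumption of this example (not stated on the page): which lockfile(s) belong beside which manifest.
MANIFEST_TO_LOCK = {
    "package.json": ["package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml",
                     "pnpm-lock.yml", "bun.lock", "bun.lockb"],
    "composer.json": ["composer.lock"],
    "Gemfile": ["Gemfile.lock"],
    "Pipfile": ["Pipfile.lock"],
    "pubspec.yaml": ["pubspec.lock"],
    "mix.exs": ["mix.lock"],
    "Podfile": ["Podfile.lock"],
}
SKIP_DIRS = {".git", "node_modules"}  # assumption: vendored trees are not our own manifests

# Case-insensitive index: lower-cased file name -> list of languages.
_BY_NAME = {}
for _lang, _names in LOCKFILES.items():
    for _name in _names:
        _BY_NAME.setdefault(_name.lower(), []).append(_lang)


def classify(filename):
    """Return the language(s) a file name belongs to per the table, or None if it is not a lockfile."""
    langs = _BY_NAME.get(filename.lower())
    if langs:
        return "/".join(langs)
    for suffix, lang in LOCK_SUFFIXES.items():
        if filename.lower().endswith(suffix):
            return lang
    return None


def _walk(root):
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        yield Path(dirpath), filenames


def find_lockfiles(root):
    """Walk root and every subfolder; return {path relative to root: language}."""
    root = Path(root)
    return {(d / n).relative_to(root).as_posix(): classify(n)
            for d, names in _walk(root) for n in names if classify(n)}


def missing_lockfiles(root):
    """Return manifests (relative paths) that have none of their expected lockfiles beside them."""
    root, missing = Path(root), []
    for d, names in _walk(root):
        present = {n.lower() for n in names}
        for manifest, locks in MANIFEST_TO_LOCK.items():
            if manifest.lower() in present and not any(l.lower() in present for l in locks):
                missing.append((d / manifest).relative_to(root).as_posix())
    return sorted(missing)


def build_sample_tree():
    """Create a constructed sample repository in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="lockcheck-"))
    for rel in ["package.json", "package-lock.json",        # JS project with a lockfile
                "services/api/Gemfile",                        # Ruby project, Gemfile.lock missing
                "services/worker/Pipfile", "services/worker/Pipfile.lock",
                "lib/native/conan.lock", "lib/jvm/gradle.lockfile", "tools/legacy.jar",
                "node_modules/left-pad/package.json"]:         # vendored copy, skipped
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("{}\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, lang in sorted(find_lockfiles(sample).items()):
        print(f"{lang:12} {path}")
    for path in missing_lockfiles(sample):
        print(f"NO LOCKFILE  {path}")
```

Run it against a real checkout by calling `find_lockfiles(".")` and `missing_lockfiles(".")` instead of the sample tree. A manifest reported as missing its lockfile is the case worth fixing first: without it both your build and the scan resolve version ranges at install time rather than the exact versions you actually ship.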