Support for dependency scanning by language

Aikido performs a nightly scan of your dependencies for known CVEs and risky open-source licenses using a set of open-source tools such as Trivy and Syft.

Below is a table of supported languages and their respective lockfiles. We recommend using lockfiles by default as they increase speed at build time, make your builds more reproducible and they are a first layer of defense against supply-chain attacks. Of course, lockfiles also help Aikido in finding vulnerable packages.

We scan for lockfiles both in the root as in all subfolders.

Language	Lockfiles scanned
JavaScript	npm-shrinkwrap.json package-lock.json yarn.lock pnpm-lock.yaml pnpm-lock.yml bun.lock bun.lockb deno.lock libman.json
PHP	composer.lock
Java	gradle.lockfile build.gradle pom.xml .jar .war .ear
Swift	Package.resolved Podfile.lock
Go	go.mod
Python	Pipfile.lock poetry.lock uv.lock requirements.txt Conda: requirements.yml
.NET	.csproj .deps.json packages.lock.json packages.config Packages.props
Ruby	gemfile.lock
Rust	cargo.lock cargo.toml
Kotlin	build.gradle.kts, gradle.lockfile
Dart	pubspec.lock
Elixir	mix.lock
C/C++	conan.lock Lockfileless C/C++ dependencies (more info)
Scala	build.sbt dependencies.scala
Clojure	deps.edn

How to scan a personal GitLab project

Vulnerability scanning on private packages - Maven