Support for dependency scanning by language
Written by Roeland Delrue
Updated over a week ago

Aikido performs a nightly scan of your dependencies for known CVEs and risky open-source licenses using a set of open-source tools such as Trivy and Syft.

Below is a table of the supported languages and the lockfiles and manifests scanned for each. We recommend committing a lockfile by default: it pins every transitive dependency to an exact version (and, in many ecosystems, an integrity hash), which speeds up installs, makes builds reproducible and gives you a first layer of defense against supply-chain attacks, since a tampered or newly published version cannot silently replace the one you tested. A lockfile also lets Aikido report the exact versions you ship rather than the version ranges a manifest allows. Two caveats: the lockfile only protects the build if it is honoured at install time (for example `npm ci` rather than `npm install`), and a manifest such as pom.xml or an unpinned requirements.txt tells the scanner which versions you allow, not which one was actually installed.

Language      Files scanned (lockfiles, manifests, packaged artifacts)
JavaScript    npm-shrinkwrap.json, package-lock.json, yarn.lock, pnpm-lock.yaml, pnpm-lock.yml, bun.lock
PHP           composer.lock
Java          gradle.lockfile, pom.xml, .jar, .war, .ear
Swift         Package.resolved, Podfile.lock
Go            go.mod
Python        Pipfile.lock, poetry.lock, requirements.txt
.NET          .csproj, .deps.json, packages.lock.json, packages.config, Packages.props
Ruby          Gemfile.lock
Rust          Cargo.lock
Dart          pubspec.lock
Elixir        mix.lock
C/C++         conan.lock
Scala         build.sbt, dependencies.scala
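As an added example (not Aikido's own code and not part of this article), the following Python script checks two things the table and the advice above imply but cannot verify for you: whether every directory that carries a manifest also commits one of the lockfiles listed, and whether a package-lock.json actually pins what it lists (an exact version, a resolved URL on the expected registry and an integrity hash). The manifest names used for the gap check, the expected registry URL and the sample checkout it writes to a temporary directory are all assumptions constructed for the example.

```python
"""Check which of the lockfiles in the table above a checkout actually commits,
and whether an npm lockfile really pins what it lists.

Added example, not Aikido's code. The manifest names used for the gap check
(package.json, composer.json, ...) and the expected registry URL are assumptions;
the sample repository is constructed in a temporary directory so it runs offline.
"""
import json
import os
import tempfile
from pathlib import Path

# ecosystem -> (manifest files [assumed], lockfiles from the support table above)
ECOSYSTEMS = {
    "JavaScript": (["package.json"],
                   ["npm-shrinkwrap.json", "package-lock.json", "yarn.lock",
                    "pnpm-lock.yaml", "pnpm-lock.yml", "bun.lock"]),
    "PHP": (["composer.json"], ["composer.lock"]),
    "Python": (["pyproject.toml", "Pipfile"],
               ["Pipfile.lock", "poetry.lock", "requirements.txt"]),
    "Ruby": (["Gemfile"], ["Gemfile.lock"]),
    "Rust": (["Cargo.toml"], ["Cargo.lock"]),
    "Dart": (["pubspec.yaml"], ["pubspec.lock"]),
    "Elixir": (["mix.exs"], ["mix.lock"]),
    "Swift": (["Package.swift", "Podfile"], ["Package.resolved", "Podfile.lock"]),
}
SKIP_DIRS = {".git", "node_modules", "vendor", "target"}
REGISTRY = "https://registry.npmjs.org/"  # assumed expected source for npm packages


def find_lockfile_gaps(root):
    """Return {ecosystem: [relative dirs]} where a manifest has no lockfile beside it.
    Those directories are the ones a lockfile-based scan cannot see precisely."""
    gaps = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        names = set(filenames)
        for eco, (manifests, locks) in ECOSYSTEMS.items():
            if names & set(manifests) and not names & set(locks):
                gaps.setdefault(eco, []).append(os.path.relpath(dirpath, root))
    return gaps


def audit_package_lock(path):
    """Return [(package, [problems])] for a lockfileVersion 2/3 package-lock.json.
    A lockfile only defends the build if each entry pins a version, a resolved URL
    on the expected registry and an integrity hash that npm ci will verify."""
    data = json.loads(Path(path).read_text())
    findings = []
    for name, entry in data.get("packages", {}).items():
        if name == "" or entry.get("link"):   # root project or workspace symlink
            continue
        problems = []
        if "version" not in entry:
            problems.append("no version")
        if "integrity" not in entry:
            problems.append("no integrity hash")
        resolved = entry.get("resolved", "")
        if not resolved:
            problems.append("no resolved URL")
        elif not resolved.startswith(REGISTRY):
            problems.append("non-registry source " + resolved)
        if problems:
            findings.append((name, problems))
    return findings


# Constructed sample lockfile: the integrity value is a placeholder, not a real hash.
SAMPLE_LOCK = {
    "name": "demo", "lockfileVersion": 3, "requires": True,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-PLACEHOLDERconstructedForThisExample=="},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "http://tarballs.example.internal/left-pad-1.3.0.tgz"},
    },
}


def build_sample_repo():
    """Write a constructed checkout to a temp dir and return its root Path."""
    root = Path(tempfile.mkdtemp(prefix="lockfile-audit-"))
    (root / "package.json").write_text('{"name": "demo"}')
    (root / "package-lock.json").write_text(json.dumps(SAMPLE_LOCK))
    (root / "backend").mkdir()
    (root / "backend" / "pyproject.toml").write_text("[project]\nname = 'api'\n")
    (root / "native").mkdir()
    (root / "native" / "Cargo.toml").write_text("[package]\nname = 'ffi'\n")
    (root / "native" / "Cargo.lock").write_text("# lock\n")
    (root / "node_modules" / "dep").mkdir(parents=True)
    (root / "node_modules" / "dep" / "package.json").write_text("{}")  # must be skipped
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    print("manifests without a lockfile:", find_lockfile_gaps(repo))
    for pkg, problems in audit_package_lock(repo / "package-lock.json"):
        print(pkg, "->", "; ".join(problems))
```

To run it on a real checkout, pass the repository path instead of build_sample_repo(). A directory reported as a gap is one where a lockfile-based scan sees only the version ranges a manifest allows; a lockfile entry flagged as a non-registry source or without an integrity hash is a dependency that npm ci will install without verifying it against a hash.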
