SAST by Aikido: supported languages and security focus
Written by Roeland Delrue
Updated over a week ago

How Aikido SAST currently works

Aikido runs a SAST engine based on best-in-class open-source scanners. The goal of this module is to find security issues in your code, which puts Aikido in a separate category from other SAST engines. SonarQube, for example, is also a SAST engine, but it focuses on readability, code style, and maintainability. Aikido will only give you security-related findings.

On top of the findings from the open-source engines, Aikido runs its own risk categorization engine. It removes findings that are not related to security (e.g. opinionated code styling rules). Findings in repositories that a user has marked as sensitive are upgraded, findings in files that are not intended for production (e.g. unit tests) may be downgraded, and so on.

To see all individual rules that are active per language, check our SAST Checks or Infrastructure as Code checks pages.
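The contextual adjustments described above (dropping non-security rules, upgrading findings in sensitive repositories, downgrading findings in non-production files) can be modelled as a small post-processing step over raw scanner output. The following is an added illustration written for this article, not Aikido's own engine: the rule-id prefixes, path patterns, repository names and sample findings are all constructed for the demonstration.

```python
"""Illustrative contextual re-ranking of raw SAST findings.

Added example, not Aikido's code. Rule ids, the prefixes treated as
non-security, the non-production path patterns and the sample findings
are constructed assumptions for the demonstration.
"""
import re
from dataclasses import dataclass, replace

# Ordered from least to most severe; adjustments move one step at a time.
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]

# Constructed: rule-id prefixes that denote style/maintainability rules,
# which a security-only engine discards outright.
NON_SECURITY_PREFIXES = ("style.", "best-practice.", "maintainability.")

# Constructed: path conventions for code that is not shipped to production
# (test directories, fixtures, examples, *_test.go, *.test.js, *.spec.ts).
NON_PRODUCTION_PATH = re.compile(
    r"(^|/)(tests?|spec|__tests__|fixtures|examples?)/"
    r"|(_test|\.test|\.spec)\.[a-z]+$"
)


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    repo: str
    severity: str
    message: str = ""


def shift_severity(severity: str, steps: int) -> str:
    """Move a severity up (positive) or down (negative), clamped to the scale."""
    idx = SEVERITY_ORDER.index(severity) + steps
    idx = max(0, min(len(SEVERITY_ORDER) - 1, idx))
    return SEVERITY_ORDER[idx]


def categorize(findings, sensitive_repos):
    """Apply the three contextual rules and return the surviving findings."""
    out = []
    for f in findings:
        if f.rule_id.startswith(NON_SECURITY_PREFIXES):
            continue  # not a security issue: drop it entirely
        steps = 0
        if f.repo in sensitive_repos:
            steps += 1  # sensitive repository: upgrade
        if NON_PRODUCTION_PATH.search(f.path):
            steps -= 1  # test/fixture/example code: downgrade
        out.append(replace(f, severity=shift_severity(f.severity, steps)))
    return out


# Constructed sample scanner output for the demonstration.
SAMPLE_FINDINGS = [
    Finding("security.sqli.string-concat", "src/db.py", "payments-api", "high"),
    Finding("security.sqli.string-concat", "tests/test_db.py", "payments-api", "high"),
    Finding("style.line-too-long", "src/app.py", "payments-api", "low"),
    Finding("security.hardcoded-secret", "examples/demo.py", "docs-site", "medium"),
]
SENSITIVE_REPOS = {"payments-api"}


def run_sample():
    """Return (rule_id, path, severity) for each finding that survives triage."""
    return [(f.rule_id, f.path, f.severity)
            for f in categorize(SAMPLE_FINDINGS, SENSITIVE_REPOS)]


if __name__ == "__main__":
    for row in run_sample():
        print(*row, sep="  ")
```

The same SQL-injection rule ends up as critical in production code of a sensitive repository but stays at high in that repository's test suite, and the style rule never reaches the reader at all; the ordering of the scale and the one-step adjustments are the assumptions that would be tuned in a real deployment.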

Language support

Language                                                              Base engine
--------------------------------------------------------------------  ---------------------------------
JavaScript                                                            Semgrep with custom rules
TypeScript                                                            Semgrep with custom rules
PHP                                                                   Semgrep with custom rules
.NET                                                                  Semgrep with custom rules
Java                                                                  Semgrep with custom rules
Scala                                                                 Semgrep with custom rules
C/C++                                                                 Semgrep with custom rules
Android                                                               Semgrep with custom rules
Go                                                                    Gosec + Semgrep with custom rules
Ruby                                                                  Brakeman
Python                                                                Bandit
Infrastructure-as-code files (Terraform, CloudFormation, Docker, ...)  Checkov
Exposed secret discovery in all files inside of Git history           Gitleaks

Future roadmap

Aikido is extending support to more languages and frameworks using both open-source and proprietary engines. On top of this, Aikido is reinventing SAST for security by investing in engines that are capable of multi-file analysis. Almost all current engines are only capable of single-file analysis, which makes them blind to many risks and produces many false positives.
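The blind spot and the false positives that single-file analysis causes can be shown on a toy taint-tracking model. The following is an added illustration written for this article, not Aikido's engine or any of the scanners listed above: the project functions, their roles and the data-flow edges are constructed, and the single-file mode assumes the common behaviour of treating functions defined in other files as opaque pass-throughs (neither recognised as sinks nor as sanitizers).

```python
"""Toy taint tracking: single-file versus multi-file analysis.

Added example, not Aikido's code. The project below is constructed:
three files, two sources, two sinks and one sanitizer, joined by
explicit data-flow edges. The single-file mode assumes (as many
intra-file engines do) that functions from other files are opaque:
taint passes through them, but they are not recognised as sinks or
sanitizers.
"""
from collections import defaultdict

# Constructed project: function name -> (file it is defined in, role).
FUNCTIONS = {
    "get_param":  ("handlers.py", "source"),     # reads attacker-controlled input
    "get_header": ("handlers.py", "source"),
    "render":     ("handlers.py", "sink"),       # e.g. writes raw HTML
    "escape_id":  ("utils.py",    "sanitizer"),  # validates/escapes its argument
    "run_query":  ("db.py",       "sink"),       # e.g. executes raw SQL
}

# Constructed data-flow edges: (file where the call is written, from, to).
FLOWS = [
    ("handlers.py", "get_param",  "run_query"),  # cross-file flow into a sink
    ("handlers.py", "get_param",  "escape_id"),  # sanitised before rendering
    ("handlers.py", "escape_id",  "render"),
    ("handlers.py", "get_header", "render"),     # plain in-file flow into a sink
]


def _trace(sources, edges, role_of):
    """Depth-first taint propagation; sanitizers stop the flow, sinks are reported."""
    findings = set()
    for src in sources:
        stack, seen = [src], set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            role = role_of(node)
            if role == "sanitizer":
                continue  # taint is cleaned here; do not propagate further
            if role == "sink":
                findings.add((src, node))
            stack.extend(edges.get(node, ()))
    return findings


def multi_file_analysis():
    """Whole-program view: every edge and every role is known."""
    edges = defaultdict(list)
    for _, a, b in FLOWS:
        edges[a].append(b)
    sources = [n for n, (_, r) in FUNCTIONS.items() if r == "source"]
    return _trace(sources, edges, lambda n: FUNCTIONS[n][1])


def single_file_analysis():
    """Analyse each file on its own; other files' functions are opaque."""
    findings = set()
    for current in {f for f, _ in FUNCTIONS.values()}:
        edges = defaultdict(list)
        for where, a, b in FLOWS:
            if where == current:
                edges[a].append(b)

        def role_of(n, current=current):
            f, r = FUNCTIONS[n]
            return r if f == current else "opaque"  # assumption: pass-through

        sources = [n for n, (f, r) in FUNCTIONS.items()
                   if r == "source" and f == current]
        findings |= _trace(sources, edges, role_of)
    return findings


def compare():
    """Return (missed by single-file, false positives of single-file)."""
    multi, single = multi_file_analysis(), single_file_analysis()
    return multi - single, single - multi


if __name__ == "__main__":
    missed, spurious = compare()
    print("missed by single-file:", sorted(missed))
    print("false positives of single-file:", sorted(spurious))
```

In the constructed project the single-file pass cannot see that `run_query` in `db.py` is a sink, so the real injection flow from `get_param` is missed, and it cannot see that `escape_id` in `utils.py` sanitizes, so the safe flow into `render` is reported anyway; the multi-file pass gets both right.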
