Github Copilot

The Aikido MCP Server connects Aikido’s security engine to AI coding tools that support MCP. It automatically scans AI generated code for vulnerabilities and hardcoded secrets as soon as it is created.

AI assistants can review their own output, but that review is not perfect. Aikido adds a reliable and consistent security layer that checks every generated snippet with proven scanning rules.

Why connect Aikido via MCP

Deterministic, independent security checks on every AI generated snippet before it is committed
Immediate detection and remediation of vulnerabilities and hardcoded secrets in AI assisted workflows
Real time feedback inside your IDE or agent environment, making AI driven development safer by default

Available Tools

aikido_full_scan: Runs a combined SAST + Secrets scan on provided files.
aikido_sast_scan: Runs a local SAST (static application security testing) scan on provided files
aikido_secrets_scan: Runs a secrets-only scan on provided files

Installation

IDE

The Aikido VSCode IDE plugin uses Expansion Packs to provide additional features. The Aikido MCP for Github Copilot is one of these Expansion Packs, making installation simple and fast without a separate setup process. See the linked page below for instructions on how to enable it.

VS Code IDE

Integration with Copilot Agents

GitHub Copilot coding agent can call tools from MCP servers while it runs. Follow the steps below to set up Aikido MCP for your repository. Configuration is done per repository.

If you already use Aikido MCP in VS Code, you can reuse that configuration and only add the token in your repository settings.

Set-up Instructions

For the full GitHub flow (where to paste JSON, how validation works, and how Copilot environments expose secrets), check out GitHub’s guide.

Create an Aikido MCP token

In Aikido, go to MCP Integration page and create a Personal Access Token.

Add the token to your Copilot environment

Github Copilot only exposes secrets/variables to MCP config if their names start with COPILOT_MCP_

Create a secret like:

COPILOT_MCP_AIKIDO_API_KEY = your Aikido token

Add the MCP configuration in your repo settings

In your GitHub repository, go to Settings → Copilot → Coding agent and paste an MCP JSON config.

Example configuration for Aikido MCP (local/stdio via npx):

{
  "mcpServers": {
    "aikido": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "@aikidosec/mcp"],
      "tools": ["aikido_full_scan", "aikido_sast_scan", "aikido_secrets_scan"],
      "env": {
        "AIKIDO_API_KEY": "COPILOT_MCP_AIKIDO_API_KEY"
      }
    }
  }
}

Add custom prompt instructions

To ensure GitHub Copilot uses the MCP server, configure repository instructions as described in the GitHub guide.

Add an instruction such as:

Scan any new or modified code with `aikido_full_scan` before finalizing changes. This security check is required.

Validate

You can now verify your configuration by asking Copilot to security scan one of your files.

Last updated 1 day ago

Was this helpful?

hashtagAvailable Tools

hashtagInstallation

hashtagIDE

hashtagIntegration with Copilot Agents

hashtagSet-up Instructions

hashtagCreate an Aikido MCP token

hashtagAdd the token to your Copilot environment

hashtagAdd the MCP configuration in your repo settings

hashtagAdd custom prompt instructions

hashtagValidate