PR Gating Overview

Aikido CI gating allows you to scan feature branches for issues before they reach production. It covers open-source dependencies (SCA), IaC, Secrets, SAST, malware, license risks and code quality issues.

Overview

Aikido offers two gating modes:

  • PR Gating: Primarily handled via native integrations (GitHub, GitLab, Bitbucket, Azure). It scans the diff of your branch.

  • Release Gating: Handled via the Aikido CLI. It ensures your final build is clean before deployment.

Setup Options

You can configure gating in two ways:

  1. Aikido Interface: Use our 1-click configuration for GitHub, GitLab, Bitbucket, and Azure. This setup is managed entirely within the Aikido interface, provides a better overview, and doesn’t consume your CI minutes.

  2. CI Pipeline: For teams that prefer managing configuration in their own environment. You can use Bitbucket Pipes natively, or integrate with any other runner (Jenkins, CircleCI, etc.) using the Aikido CLI or our Public CI API.

Configuring Your CI Gate

When you set up gating in Aikido, you have granular control over what triggers a failure. These settings are found by going to Integrations > PR Quality Gating > [Your Setup].

From here, you can:

  • Set Defaults: Define the default gating configuration for all new repositories added to your workspace.

  • Bulk Edit: Select multiple repositories to apply configuration changes across your entire project.

  • Granular Control: Adjust settings for a single repository to handle specific project needs.

  • Advanced Settings: Fine-tune how Aikido interacts with your workflow.

Severity Threshold

Select the minimum severity level that will cause the CI gate to fail (e.g., Critical or High).

  • Any new issue detected at or above this level will break the build.

  • Issues below this threshold will still be reported but won't block the merge.

Scans to Execute

Toggle specific scan types on or off for the CI gate. This allows you to focus on the security categories that are most relevant to your workflow.

Advanced Configuration

Fine-tune how Aikido interacts with your workflow to maintain developer velocity:

  • Always make the PR check green: Use this to get security visibility without actually blocking merges. Aikido still runs the full scan set and records every finding, but always reports a "Success" status to your git provider, so blocking issues remain visible in Aikido even though the PR is never held. Intended for teams in the initial "visibility phase."

  • Disable checks on draft Pull Requests: Avoid generating noise on work-in-progress code. Scans only trigger once the PR is moved to "Ready for Review."

Checking results

After a CI run, Aikido provides a direct link to the scan results for that specific branch. Because Aikido scans the branch diff rather than the entire repo, it clearly distinguishes between fixed issues and newly introduced risks.

  • Fixed in branch: If a PR resolves an existing vulnerability, Aikido marks it as "PR open" in your feed, allowing you to verify the fix before merging.

  • New issues: Anything introduced in the branch that exceeds your severity threshold will trigger a failure (unless "Always Green" is enabled).


Bypassing a failed state

If you need to bypass a failed state, you can do so by ignoring or snoozing the issues that caused the CI gate to fail. Open the issue and, in the Actions menu at the top right, select Ignore or Snooze. Note that this does not only unblock the current PR: the issue is ignored or snoozed for every future branch scan in your CI as well, so treat it as a deliberate risk decision rather than a one-off override.

Only users that have the permission to snooze or ignore issues can bypass the CI gate.
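The following Python is an added illustration, not Aikido's own code or API: it models the gate decision described in the Severity Threshold, Scans to Execute, Advanced Configuration and Bypassing sections. The base branch and the feature branch are compared so that only findings introduced by the branch can fail the gate, disabled scan types are excluded, ignored and unexpired snoozed issues are reported without blocking, and "always green" changes only the status reported to the git provider. The finding identifiers, scan-type names, configuration field names and sample findings are all constructed for the example.

```python
"""Model of a diff-based PR quality gate (illustrative, not Aikido's code)."""
from dataclasses import dataclass, field, replace
from datetime import date

# Ordering used for "at or above the threshold" comparisons.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    id: str          # stable issue identifier (hypothetical format)
    scan_type: str   # e.g. "sca", "sast", "secrets", "iac", "license"
    severity: str


@dataclass
class GateConfig:
    min_severity: str = "high"                    # fail at or above this level
    enabled_scans: set = field(default_factory=set)
    always_green: bool = False                    # report success regardless
    skip_drafts: bool = True                      # no checks on draft PRs
    ignored: set = field(default_factory=set)     # issue ids ignored workspace-wide
    snoozed: dict = field(default_factory=dict)   # issue id -> snooze expiry date


@dataclass
class GateResult:
    status: str          # "success" or "failure" as sent to the git provider
    blocking: list       # new findings at or above the threshold, not suppressed
    reported_only: list  # new findings below threshold, ignored, or snoozed
    fixed: list          # findings on the base branch that the branch removed
    skipped: bool = False


def evaluate_gate(base, branch, cfg, today, is_draft=False):
    """Decide the gate outcome for one branch scan against its base."""
    if is_draft and cfg.skip_drafts:
        return GateResult("success", [], [], [], skipped=True)

    base_ids = {f.id for f in base}
    branch_ids = {f.id for f in branch}
    fixed = [f for f in base if f.id not in branch_ids]
    # Only issues introduced by the branch, in enabled scan types, are judged.
    new = [f for f in branch
           if f.id not in base_ids and f.scan_type in cfg.enabled_scans]

    blocking, reported_only = [], []
    for f in new:
        snoozed = cfg.snoozed.get(f.id, date.min) >= today
        suppressed = f.id in cfg.ignored or snoozed
        below = SEVERITY_RANK[f.severity] < SEVERITY_RANK[cfg.min_severity]
        (reported_only if suppressed or below else blocking).append(f)

    # "Always green" hides the failure from the git provider, not from the report.
    status = "success" if (cfg.always_green or not blocking) else "failure"
    return GateResult(status, blocking, reported_only, fixed)


# Constructed sample data: base-branch findings versus feature-branch findings.
BASE = [
    Finding("SCA-1", "sca", "critical"),     # removed by the branch -> fixed
    Finding("SAST-7", "sast", "medium"),     # pre-existing on both
]
BRANCH = [
    Finding("SAST-7", "sast", "medium"),     # not new, never blocks
    Finding("SEC-3", "secrets", "critical"), # new and at threshold -> blocks
    Finding("IAC-2", "iac", "medium"),       # new but below threshold
    Finding("SCA-9", "sca", "high"),         # new but snoozed in CONFIG
    Finding("LIC-4", "license", "high"),     # license scan disabled in CONFIG
]
CONFIG = GateConfig(
    min_severity="high",
    enabled_scans={"sca", "sast", "secrets", "iac", "malware"},
    snoozed={"SCA-9": date(2030, 1, 1)},
)
CONFIG_GREEN = replace(CONFIG, always_green=True)
TODAY = date(2025, 6, 1)


def ids(findings):
    return [f.id for f in findings]


if __name__ == "__main__":
    for name, cfg in (("strict", CONFIG), ("always green", CONFIG_GREEN)):
        r = evaluate_gate(BASE, BRANCH, cfg, TODAY)
        print(f"{name}: status={r.status} blocking={ids(r.blocking)} "
              f"reported_only={ids(r.reported_only)} fixed={ids(r.fixed)}")
    # After the snooze expires, SCA-9 blocks as well.
    print("after expiry:", ids(evaluate_gate(BASE, BRANCH, CONFIG, date(2031, 1, 1)).blocking))
```

Running it shows the strict configuration failing on SEC-3 alone, reporting IAC-2 and SCA-9 without blocking, and listing SCA-1 as fixed; the always-green configuration reports "success" with the same blocking list, and once the snooze date has passed SCA-9 joins SEC-3 as a blocking issue.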
