CI Gating Functionality

Aikido CI gating allows you to scan feature branches for issues before they reach production. It covers open-source dependencies (SCA), IaC, Secrets, SAST, malware, license risks and code quality issues.

Overview

Aikido offers two gating modes:

  • PR Gating: Primarily handled via native integrations (GitHub, GitLab, Bitbucket, Azure). It scans the diff of your branch.

  • Release Gating: Handled via the Aikido CLI. It ensures your final build is clean before deployment.

Setup Options

You can configure gating in two ways:

  1. Dashboard-led (Recommended): Use the 1-click configuration for GitHub, GitLab, Bitbucket, and Azure. The setup is managed entirely within the Aikido dashboard, gives you one overview of every gated repository, and doesn’t consume your CI minutes.

  2. Code-led: For teams that prefer to keep the configuration in their own environment. Use GitLab or Bitbucket Pipes natively, or integrate any other runner (Jenkins, CircleCI, etc.) with the Aikido CLI or the Public CI API.

Checking results

After a run in your CI, Aikido posts a link to the scan results for that specific branch. Because it scans only the branch (not the entire repository again), the report lists both the issues the change resolves and the issues it introduces, with their severity.

Screenshot: branch vulnerability report showing introduced and resolved issues with severity levels.

If Aikido detects that an issue is fixed in a feature branch, the issue is marked "PR open" in the Aikido feed, so you can verify that a fix is on its way before the branch is merged.

Screenshot: table of unresolved critical security issues with open tasks.

Bypassing a failed state

To bypass a failed state, ignore or snooze the issues that caused the gate to fail: open the issue and, in the Actions menu at the top right, select Ignore or Snooze. The issue is then ignored or snoozed in every future branch scanned by your CI, not only the branch that failed, so treat this as an accepted-risk decision for the repository rather than a one-off override.

Only users with permission to snooze or ignore issues can bypass the CI gate.

Advanced Gating Configuration

You can fine-tune how Aikido interacts with your workflow so the gate does not become a bottleneck for development. These settings are under Advanced Settings in your repository’s gating configuration.

Always make the PR check green

Enable this to prevent Aikido from blocking a merge.

  • How it works: Aikido performs the full security scan and surfaces all findings in the dashboard (and via PR comments if enabled), but it always reports a "Success" status to your git provider.

  • Why use it: This is ideal for teams in a "visibility phase." You get all the data on newly introduced vulnerabilities without the friction of a broken build, which makes it the easiest way to roll out Aikido without friction from developers who just want to merge. Note that while it is enabled the gate enforces nothing: a branch protection rule that requires the Aikido check to pass is always satisfied, so switch it off once triage is in place.
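The branch-diff reporting in Checking results, the ignore/snooze bypass, and the "always green" mode described above, modelled in Python as an added example. This is not Aikido's code and does not call its API or CLI; the Finding shape, the fingerprint scheme, the severity scale, the fail threshold and the scan results are constructed assumptions chosen to make the decision logic runnable offline.

```python
"""Diff-based CI gate, modelled in plain Python.

Added example, not Aikido's code: it does not call the Aikido API or CLI.
It models the behaviour described on this page (introduced vs. resolved
issues per branch, the ignore/snooze bypass, and the "always green" mode)
over constructed scan results so the decision logic can be run offline.
The Finding shape, fingerprints, severity scale and sample data are assumptions.
"""
from dataclasses import dataclass

# Assumed severity scale; used to compare findings against the fail threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    fingerprint: str  # stable identity across scans (assumed form: scanner:path:symbol)
    severity: str
    title: str


def diff_findings(base, branch):
    """Compare a base-branch scan with a feature-branch scan.

    Returns (introduced, resolved): findings present only in the branch scan,
    and findings present only in the base scan. A finding present in both is
    pre-existing and is neither.
    """
    base_by_fp = {f.fingerprint: f for f in base}
    branch_by_fp = {f.fingerprint: f for f in branch}
    introduced = [f for fp, f in branch_by_fp.items() if fp not in base_by_fp]
    resolved = [f for fp, f in base_by_fp.items() if fp not in branch_by_fp]
    return introduced, resolved


def gate(base, branch, *, fail_on="high", ignored=frozenset(), always_green=False):
    """Decide the check status to report to the git provider.

    Returns (status, blocking). `blocking` is the list of introduced findings
    at or above `fail_on` that are not ignored/snoozed; these are what the
    dashboard would surface. `status` is "failure" if any remain, except in
    always_green mode, where the findings are still computed and surfaced
    but "success" is reported regardless.
    """
    introduced, _ = diff_findings(base, branch)
    threshold = SEVERITY_RANK[fail_on]
    blocking = [
        f for f in introduced
        if SEVERITY_RANK[f.severity] >= threshold and f.fingerprint not in ignored
    ]
    if always_green or not blocking:
        return "success", blocking
    return "failure", blocking


# Constructed scan results (not real scanner output).
BASE_SCAN = [
    Finding("sca:package-a@1.2.3:known-vuln", "high", "Vulnerable dependency package-a"),
    Finding("sast:src/db.py:raw_query", "critical", "SQL built from user input"),
]
BRANCH_SCAN = [
    Finding("sast:src/db.py:raw_query", "critical", "SQL built from user input"),     # pre-existing
    Finding("secrets:config/settings.py:API_KEY", "critical", "Hard-coded API key"),  # introduced
    Finding("quality:src/utils.py:unused_import", "low", "Unused import"),            # introduced, below threshold
]


def demo():
    """Run the three scenarios the page describes and return their statuses."""
    strict = gate(BASE_SCAN, BRANCH_SCAN)
    bypassed = gate(BASE_SCAN, BRANCH_SCAN,
                    ignored={"secrets:config/settings.py:API_KEY"})
    visibility = gate(BASE_SCAN, BRANCH_SCAN, always_green=True)
    return {"strict": strict[0], "bypassed": bypassed[0], "always_green": visibility[0]}


if __name__ == "__main__":
    introduced, resolved = diff_findings(BASE_SCAN, BRANCH_SCAN)
    print("introduced:", [f.title for f in introduced])
    print("resolved:  ", [f.title for f in resolved])
    for mode, status in demo().items():
        print(f"{mode:12s} -> {status}")
```

The pre-existing SQL finding never blocks because the gate only judges the diff, the resolved dependency issue shows up as "resolved" (the "PR open" state in the feed), and the hard-coded key is the one introduced finding that fails the strict gate. Ignoring its fingerprint turns the status green for this and every later branch, which is why the bypass is a repository-wide decision; always-green keeps the finding in `blocking` for the dashboard but still reports success.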

Disable checks on draft Pull Requests

Avoid wasting CI minutes and generating noise on work-in-progress code.

  • How it works: When enabled, Aikido skips any PR marked as a "Draft." The scan triggers once the PR is marked "Ready for Review." Because PR gating scans the branch diff, the commits pushed while the PR was a draft are still covered at that point.

  • Why use it: Developers often push rough or incomplete code to draft PRs just to run a specific test or share progress. Skipping security checks there keeps the feedback loop fast and means security triage happens only on code the author considers ready.
