Aikido Security

Visual Studio Code Marketplace listing: 1,976 installs | (8) | Free

Secure code as it's written (& generated). In-line security for SAST, secrets, dependencies…
Aikido Security Extension for Visual Studio Code

Aikido Security is a developer-first software security platform. We scan your source code & cloud to show you which vulnerabilities are actually important to solve. The Aikido Security Visual Studio Code extension scans for secrets, SAST and open-source dependency issues and offers real-time scans with inline results and problem highlighting, so you can fix issues as you code, not after. Save time, money, and headaches when fixing vulnerabilities.

  • Scan for issues in JavaScript, TypeScript and Python on free plans and all major languages and package managers on paid plans.
    • Secrets, passwords, and API keys scanning
    • Code scanning (SAST)
    • Open-source dependency scanning (SCA), available on paid plans.
  • Vulnerable code and secrets are highlighted in-line in the editor based on their severity, making it easy to identify the issues you need to focus on.
  • Get clear remediation steps with proposed fixes that help you resolve issues instantly.
  • Fix issues with Aikido AI. Save time with fixes from best-in-class LLMs, rigorously vetted by Aikido. Preview the proposed solution, and implement a fix with a single click. Get the benefits of AI while staying in control (available on paid plans).
  • Automatic rescanning as you code, warning you instantly when potential new threats are introduced.

Usage

Install

Install the Aikido extension in Visual Studio Code. The integration will prompt you to enter an access token; this can be found in the Aikido Platform by navigating to Integrations > IDE > Visual Studio Code. Once the token is entered, the extension is connected to your Aikido account and activated.

Scanning

The integration scans your codebase for secrets, API keys, SAST code issues and open-source dependency vulnerabilities. It runs scans whenever you open or save a file.

Every time you make and save changes in a file, a scan runs. If any issues are detected, they are highlighted in the editor and also displayed in the Problems panel. When you hover over a detected SAST issue, additional context about the problem is provided.

[image: demo]

How to test this extension

If this is your first time using this extension and you want to explore its capabilities, we suggest testing it with our example file below.

  • Create a folder on your local machine.
  • Open this folder in Visual Studio Code.
  • Within this workspace, create a file containing the code you want to scan.
  • Save the file.
  • Any identified issues will appear as highlights in the editor and in the Problems panel below.

Below you can find an example index.js file that can be used to verify that the extension is working correctly; it should detect one SAST issue (NoSQL injection) and one exposed secret (Stripe Access Token).

const app = {}

app.get("/payments", (req, res) => {
  const PW = "sk_live_fakestripeapikeyleaked12"
  res.status(200).send(STRIPE_API_KEY)
});

app.registerMethod(
  'fetch',
  Acl.ensure(function* (encryptedToken) {
    try {
      const decrypted = decryptJSON(encryptedToken, ENCRYPTION_ALGORITHM, ENCRYPTION_KEY, OLD_ENCRYPTION_KEY);
      yield management.users.findOne({ _id: decrypted._user });
    } catch (e) {
      console.error(e);
    }
}))
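The two findings that sample is meant to trigger have straightforward hardened counterparts. What follows is an added example, not part of the extension's README or code: it reads the Stripe key from the environment instead of source, shows a small pattern check of the kind a secret scanner applies to the hard-coded literal, and validates `decrypted._user` before it can reach `findOne`. The function names, the key pattern and the ObjectId format are assumptions made for the illustration.

```javascript
// Added example, not code from the Aikido extension or its README: the hardened
// counterpart of the two findings the sample index.js above is meant to trigger.
// readStripeKey, looksLikeLeakedStripeKey, buildUserLookup and both patterns are
// assumptions made for this illustration.

// Finding 1, exposed secret. The sample hard-codes an "sk_live_..." literal and
// sends it to the client. Read the key from the environment at startup instead,
// fail fast when it is missing, and never put it in a response body.
function readStripeKey(env = process.env) {
  const key = env.STRIPE_API_KEY;
  if (typeof key !== "string" || key.length === 0) {
    throw new Error("STRIPE_API_KEY is not set");
  }
  return key;
}

// Constructed approximation of the pattern a secret scanner uses for Stripe keys;
// a pre-commit hook or editor check can run it over each changed line.
const STRIPE_KEY_PATTERN = /\bsk_(live|test)_[A-Za-z0-9]{10,}\b/;

function looksLikeLeakedStripeKey(sourceLine) {
  return STRIPE_KEY_PATTERN.test(sourceLine);
}

// Finding 2, NoSQL injection. The sample passes decrypted._user straight into
// findOne({ _id: ... }). If the token payload is attacker-influenced, _user can be
// an object such as { $ne: null } and the query matches a different user than
// intended. Accept only a string of the expected shape before building the filter.
const OBJECT_ID_PATTERN = /^[0-9a-f]{24}$/; // assumption: MongoDB ObjectId as hex

function buildUserLookup(decrypted) {
  const id = decrypted === null || typeof decrypted !== "object" ? undefined : decrypted._user;
  if (typeof id !== "string" || !OBJECT_ID_PATTERN.test(id)) {
    throw new TypeError("decrypted._user must be a 24-character hex string");
  }
  return { _id: id };
}

// Demonstration on constructed input.
console.log(looksLikeLeakedStripeKey('const PW = "sk_live_fakestripeapikeyleaked12"')); // true (the README's line)
console.log(looksLikeLeakedStripeKey("const key = process.env.STRIPE_API_KEY"));      // false
console.log(buildUserLookup({ _user: "0123456789abcdef01234567" }));                   // { _id: '0123456789abcdef01234567' }
try {
  buildUserLookup({ _user: { $ne: null } });
} catch (e) {
  console.log("rejected:", e.message);
}
```

The query builder deliberately throws instead of coercing: silently turning `{ $ne: null }` into a string would hide the fact that the token payload was tampered with, which is exactly the event worth logging.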

If you'd like to test Open-source dependency scanning you can add a sample package.json file with the following content:

{
  "name": "demo-package-json",
  "dependencies": {
    "minimist": "1.2.5"
  }
}

After this, run npm install or add a package-lock.json file with the following content:

{
  "name": "demo-package-json",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "demo-package-json",
      "dependencies": {
        "minimist": "1.2.5"
      }
    },
    "node_modules/minimist": {
      "version": "1.2.5",
      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz",
      "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw=="
    }
  }
}

Now, open the Open-source dependencies view in the Aikido side bar and click Start Scanning.
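To see what a dependency scan actually works from, here is an added example (not the extension's code) that turns the lockfileVersion 3 package-lock.json above into a package inventory, flags entries that lack an `integrity` hash, and matches the inventory against an advisory list. The lockfile is embedded as it appears on this page; the advisory entry, its id and its fixedIn version are constructed placeholders for the illustration, not Aikido data, and the function names are assumptions.

```javascript
// Added example, not code from the Aikido extension: build the inventory a
// dependency (SCA) scan starts from, out of a lockfileVersion 3 package-lock.json.
// SAMPLE_LOCK is the lockfile from the README, embedded so this runs offline.
const SAMPLE_LOCK = {
  name: "demo-package-json",
  lockfileVersion: 3,
  requires: true,
  packages: {
    "": { name: "demo-package-json", dependencies: { minimist: "1.2.5" } },
    "node_modules/minimist": {
      version: "1.2.5",
      resolved: "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz",
      integrity: "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw=="
    }
  }
};

// Every "packages" key except the root "" is an installed path. The package name
// is whatever follows the last "node_modules/", which also covers nested copies
// such as node_modules/a/node_modules/b (two versions of one package in a tree).
function listLockedPackages(lock) {
  if (!(lock.lockfileVersion >= 2) || typeof lock.packages !== "object") {
    throw new Error("expected a lockfileVersion 2 or 3 package-lock.json");
  }
  const marker = "node_modules/";
  const inventory = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue;        // root project entry
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue;         // workspace link, not a registry package
    inventory.push({
      path,
      name: path.slice(idx + marker.length),
      version: entry.version,
      integrity: entry.integrity,
      dev: Boolean(entry.dev),
    });
  }
  return inventory;
}

// Hygiene check: an entry without "integrity" is installed without content
// verification, so a swapped tarball would not be noticed at install time.
function findMissingIntegrity(lock) {
  return listLockedPackages(lock).filter((p) => !p.integrity).map((p) => p.path);
}

// Minimal numeric x.y.z comparison (assumption: no pre-release tags in the lockfile).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Constructed advisory list for the demonstration; a real scanner pulls this
// from its vulnerability database, and the id and fixedIn below are placeholders.
const CONSTRUCTED_ADVISORIES = [
  { id: "ADVISORY-PLACEHOLDER-1", name: "minimist", fixedIn: "1.2.6" },
];

// Report every installed package whose version is below the advisory's fix version.
function findVulnerable(lock, advisories) {
  const findings = [];
  for (const pkg of listLockedPackages(lock)) {
    for (const adv of advisories) {
      if (adv.name === pkg.name && compareVersions(pkg.version, adv.fixedIn) < 0) {
        findings.push({ path: pkg.path, version: pkg.version, advisory: adv.id, fixedIn: adv.fixedIn });
      }
    }
  }
  return findings;
}

console.log(listLockedPackages(SAMPLE_LOCK));
console.log("missing integrity:", findMissingIntegrity(SAMPLE_LOCK));
console.log("findings:", findVulnerable(SAMPLE_LOCK, CONSTRUCTED_ADVISORIES));
```

Matching on the lockfile rather than package.json is the point: package.json says what was requested ("1.2.5" here, but often a range), while the lockfile says what will actually be installed, nested copies included, which is the inventory a scanner has to judge.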

Reporting issues that should have been detected

If Aikido failed to detect a secret or a SAST issue, you can report this undetected issue. To do this, select the code containing the issue, right-click, and choose 'Report undetected issue to Aikido'. Provide a brief explanation of why it should have been detected, and then send it to us.

[image: demo-false-negative]

Reporting issues that should not have been detected

If Aikido detected an issue it should not have, you can report this issue. To do this, hover over the issue and click 'Aikido: Report false positive'. Provide a brief explanation of why this should not have been detected, and then send it to us. The issue will also be ignored.

[image: demo-false-positive]

Commands

Execute Aikido extension commands through the Visual Studio Code Command Palette. Open the Command Palette with Ctrl+Shift+P (Windows/Linux) or Cmd+Shift+P (macOS). The list below details the available commands:

  • Aikido: Log in: Enter an access token to connect with the Aikido Platform.
  • Aikido: Reload rules: Fetches all SAST rules from the Aikido Platform. Useful when you add new custom rules.
  • Aikido: Toggle showing ignored issues: Toggles the option to show/not show ignored issues. Useful when testing to show all issues that Aikido detects, even ones that are ignored.

How does the extension perform scans on a repository

The integration does three types of scanning: secret, SAST and open-source dependency scanning. It uses Aikido-defined rules, supplemented by any custom rules you add to Aikido. The integration then processes the results to filter out false positives and ignored issues. If you wish to see all results, you can change this behavior with the Toggle showing ignored issues command (see the Commands section above).

How does the extension connect to Aikido

Using the access token that you provided, the extension connects to Aikido and detects the matching repository using the Git remote URL or the name of the project folder.

© 2025 Microsoft