Aikido Security Extension for Visual Studio Code

Aikido Security is a developer-first software security platform. We scan your source code & cloud to show you which vulnerabilities are actually important to solve. The Aikido Security Visual Studio Code extension scans for secrets and SAST issues and offers real-time scans with inline results and problem highlighting.

Usage

Install

Install the Aikido extension in Visual Studio Code. The integration will prompt you to enter an access token, this can be found in the Aikido Platform by navigating to Integrations > IDE > Visual Studio Code. Now the extension is connected to your Aikido account and activated.

Scanning

The integration scans your codebase for secrets, API keys and SAST code issues. It runs scans whenever you open or save a file.

Every time you make and save changes in a file, a scan runs. If any issues are detected, they are highlighted in the editor and also displayed in the Problems panel. When you hover over a detected SAST issue, additional context about the problem is provided.

How to test this extension

If this is your first time using this extension and you want to explore its capabilities, we suggest testing it with our example file below.

• Create a folder on your local machine.
• Open this folder in Visual Studio Code.
• Within this workspace, create a file containing the code you want to scan.
• Save the file.
• Any identified issues will appear as highlights in the editor and in the Problems panel below.

Below you can find an example index.js file that can be used to verify if the extension is working correctly, it should detect one SAST issue (NoSQL injection) and one exposed secret (Stripe Access Token).

const app = {}

app.get("/payments", (req, res) => {
  const PW = "sk_live_fakestripeapikeyleaked12"
  res.status(200).send(STRIPE_API_KEY)
});

app.registerMethod(
  'fetch',
  Acl.ensure(function* (encryptedToken) {
    try {
      const decrypted = decryptJSON(encryptedToken, ENCRYPTION_ALGORITHM, ENCRYPTION_KEY, OLD_ENCRYPTION_KEY);
      yield management.users.findOne({ _id: decrypted._user });
    } catch (e) {
      console.error(e);
    }
}))

Reporting issues that should have been detected

If Aikido failed to detect a secret or a SAST issue, you can report this undetected issue. To do this, select the code containing the issue, right-click, and choose 'Report undetected issue to Aikido'. Provide a brief explanation of why it should have been detected, and then send it to us.

Reporting issues that should not have been detected

If Aikido detected an issue it should not have, you can report this issue. To do this, hover over the issue and click 'Aikido: Report false positive'. Provide a brief explanation of why this should not have been detected, and then send it to us. The issue will also be ignored.

Commands

Execute Aikido extension commands through the Visual Studio Code Command Palette. Access the Command Palette by using Ctrl+⇧Shift+P or ⌘Command+⇧Shift+P (macOS). The list below details the available commands:

• Aikido: Log in: Enter an access token to connect with the Aikido Platform.
• Aikido: Reload rules: Fetches all SAST rules from the Aikido Platform. Useful when you add new custom rules.
• Aikido: Toggle showing ignored issues: Toggles the option to show/not show ignored issues. Useful when testing to show all issues that Aikido detects, even ones that are ignored.

How does the extension perform scans on a repository

The integration does two types of scanning: secret scanning with Gitleaks and SAST scanning with Semgrep. It uses Aikido-defined rules, supplemented by any custom rules you add to Aikido. The integration then processes any results to check for false positives or ignored issues. If you wish to see all the results, you can modify this behavior using the Toggle showing ignored issues command (see Commands section below).

The integration first looks for a local install of Gitleaks to run secret scanning with. If it can't find one, it attempts to use a binary suitable for your operating system. There is support for Windows, Linux, and Mac. If your OS or architecture isn't on this list, we recommend you install gitleaks directly on your machine.

How does the extension connect to Aikido

Using the access token that you provided, the extensions will connect and detect the matching repository in Aikido using the Git remote URL or the name of the project folder.