Aikido

Import application security findings from Aikido Security into the Praetorian Guard Platform as risks on code repositories and domains, with automatic vendor-closure sync and optional two-way write-back.

Overview

The Aikido Security integration connects the Praetorian Guard Platform (PGP) with your Aikido workspace, importing application security findings as risks attached to your code repositories and domains. Aikido consolidates SAST, open-source dependency analysis, secrets detection, infrastructure-as-code scanning, container scanning, and DAST surface monitoring into a single developer-centric platform. PGP imports these findings so application security posture appears alongside your broader attack surface — infrastructure assets, vulnerabilities, and threat intelligence — in a single view.

By default the integration is a one-way pull: PGP polls your Aikido workspace on a regular automated schedule (and on demand), imports in-scope findings, and automatically reflects vendor-side closures back onto existing risks — while always preserving decisions your operators make in PGP. An optional, off-by-default write-back feature additionally pushes operator decisions in PGP back to Aikido — accepts and deletes mark the issue ignored, reopens un-ignore it, and severity edits adjust the Aikido severity — so a risk decision made in either console is reflected in both.

What the Integration Does

  • Imports Aikido findings as PGP risks attached to the affected code repository or domain.
  • Creates the affected repositories and domains as non-scanned (informational) assets so findings have a home in your inventory without joining attack-surface scanning.
  • Collapses CVE-bearing findings to the bare CVE name (for example, CVE-2023-26136) so the same vulnerability reported by multiple sources de-duplicates cleanly.
  • Carries a deep link on every risk (aikido_issue_url) back to the exact issue in your Aikido console.
  • Synchronizes vendor closures: issues fixed or ignored in Aikido transition their PGP risks automatically, subject to the operator-decisions-win rules described below.
  • Supports multiple Aikido workspaces on one PGP account — every risk is namespaced by workspace, so findings never collide.
  • Optionally (off by default) pushes operator decisions back to Aikido: accepting or deleting an Aikido-sourced risk marks the corresponding issue ignored (with the operator recorded in the reason), reopening it un-ignores the issue, and severity edits adjust the Aikido severity. See Write-Back.

Prerequisites

  • An Aikido workspace on a plan tier that includes the Public REST API.
  • Workspace admin access in Aikido (API client creation is admin-only).
  • Your workspace's region: EU (app.aikido.dev), US (app.us.aikido.dev), or ME (app.me.aikido.dev).

Setup

  1. In the Aikido console, navigate to Settings → Integrations → Public REST API and create a new API client.
  2. Grant these five read scopes: issues:read, repositories:read, domains:read, basics:read, and containers:read. If you plan to enable the optional write-back, also grant issues:write.
  3. Copy the Client ID and Client Secret immediately — the secret is shown only once at creation.
  4. In PGP, navigate to Integrations → Application Security Posture Management → Aikido.
  5. Enter the Client ID and Client Secret, select your workspace region, and — if you want two-way sync — enable write-back (the option to push Guard changes back to Aikido), then connect. Credentials are validated immediately against your workspace (including the issues:write scope when write-back is enabled); on success, the first import job is queued.

To connect additional workspaces, add another connection on the Aikido integration tile with that workspace's own API client.

What Data Is Synced

Code Repository Findings

SAST, open-source dependency (SCA), leaked secret, infrastructure-as-code, end-of-life runtime, license, SCM configuration, and malware findings are imported as risks on the affected code repository. The repository is created as a non-scanned asset identified by its repository URL. Repositories must be connected to a Git provider in Aikido (GitHub, GitLab, Bitbucket, Azure DevOps, or self-hosted) — sample repositories without a real repository URL are skipped.

Container Findings

Container image findings are routed to the container's linked code repository, keeping the finding actionable where the fix happens. Container images with no linked code repository are skipped.

Domain (DAST) Findings

Surface-monitoring and DAST findings are imported as risks on the affected domain when the domain is publicly routable or internal. Domains that are neither are excluded.

Out of Scope

Cloud/CSPM, mobile, and AI pentest finding types are not imported in this version. Skipped findings are counted in the import job's logs, never silently dropped.

Severity Mapping

Aikido's severity enum maps directly to PGP severity: critical → Critical, high → High, medium → Medium, low → Low. Aikido's 1–100 numeric scores are preserved as metadata on each risk but never determine PGP severity. A finding whose severity Aikido does not report is skipped rather than imported at a default severity.

Status Mapping

Aikido status | First time PGP sees the finding | Effect on an existing PGP risk
------------- | ------------------------------- | ------------------------------
Open | Imported as Detected | Refreshed each poll
Snoozed | Imported as Detected with a snooze_until attribute | Stays open; snoozing affects visibility in Aikido, never closure in PGP
Ignored | Not imported (closure history is never imported) | Detected → Accepted, mirroring your team's decision in Aikido. Un-ignoring later does not reopen the risk
Closed (fixed and verified by an Aikido rescan) | Not imported | Detected → Remediated. A risk your operators promoted to Open also moves to Remediated on a genuine fix

Your operators always win. Risks marked Accepted or deleted in PGP are never modified by Aikido status changes, and a vendor ignore never closes a risk an operator has promoted to Open — only a verified fix does. Closures older than 30 days are not applied, so an extended sync outage fails toward visibility rather than silent closure.
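The two mappings above and the operator-wins rules, carried through as one reconciliation routine. This is an added illustration, not the integration's own code: the issue fields (status, severity, score, closed_at, snooze_until), the PGP attribute names, the reference time and the helper names are assumptions standing in for whatever PGP actually reads from the export. It also shows the severity rule from the previous section, since the same poll applies both.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# PGP risk states named on this page.
DETECTED, OPEN, ACCEPTED, DELETED, REMEDIATED = (
    "Detected", "Open", "Accepted", "Deleted", "Remediated")

# Aikido severity enum -> PGP severity (Severity Mapping). Anything else is skipped.
SEVERITY_MAP = {"critical": "Critical", "high": "High", "medium": "Medium", "low": "Low"}

# Vendor closures older than this are not applied, so an outage fails toward visibility.
CLOSURE_WINDOW = timedelta(days=30)

# Constructed reference time for the demo; a real poll would use the wall clock.
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def days_before(now: datetime, days: int) -> datetime:
    return now - timedelta(days=days)


@dataclass
class AikidoIssue:
    """Subset of an exported issue. Field names are assumptions, not Aikido's schema."""
    issue_id: int
    status: str                              # open | snoozed | ignored | closed
    severity: Optional[str] = None           # Aikido enum, lowercase, or None if unreported
    score: Optional[int] = None              # Aikido 1-100 score, kept as metadata only
    closed_at: Optional[datetime] = None     # when Aikido ignored or closed the issue
    snooze_until: Optional[datetime] = None


@dataclass
class Risk:
    status: str
    severity: str
    attributes: dict = field(default_factory=dict)


def import_new(issue: AikidoIssue) -> Optional[Risk]:
    """First poll that sees the finding. Returns None when the finding is skipped."""
    if issue.severity not in SEVERITY_MAP:
        return None                          # unreported severity: skipped, never defaulted
    if issue.status in ("ignored", "closed"):
        return None                          # closure history is never imported
    attrs = {"aikido_issue_id": issue.issue_id}
    if issue.score is not None:
        attrs["aikido_score"] = issue.score  # preserved, but never drives PGP severity
    if issue.status == "snoozed" and issue.snooze_until is not None:
        attrs["snooze_until"] = issue.snooze_until.isoformat()
    return Risk(DETECTED, SEVERITY_MAP[issue.severity], attrs)


def reconcile(risk: Risk, issue: AikidoIssue, now: datetime) -> Risk:
    """Effect of a later poll on an existing risk. Returns the updated risk."""
    if risk.status in (ACCEPTED, DELETED):
        return risk                          # operator decisions win, whatever Aikido says
    if issue.status in ("open", "snoozed"):
        # Refreshed: stays in its current state (the page defines no reopen transition for
        # Remediated risks, so this example leaves them as they are). Severity follows the
        # vendor value; with write-back on, that value already equals the operator's edit.
        attrs = dict(risk.attributes)
        if issue.status == "snoozed" and issue.snooze_until is not None:
            attrs["snooze_until"] = issue.snooze_until.isoformat()
        else:
            attrs.pop("snooze_until", None)
        return Risk(risk.status, SEVERITY_MAP.get(issue.severity, risk.severity), attrs)
    # Vendor closure (ignored or closed): honoured only if dated and within the window.
    if issue.closed_at is None or now - issue.closed_at > CLOSURE_WINDOW:
        return risk                          # stale or undated closure: keep it visible
    if issue.status == "closed":
        return Risk(REMEDIATED, risk.severity, risk.attributes)  # verified fix closes Detected and Open
    if issue.status == "ignored" and risk.status == DETECTED:
        return Risk(ACCEPTED, risk.severity, risk.attributes)    # mirror the team's decision
    return risk                              # an ignore never closes an operator-promoted Open risk
```

The order of the checks is the point: the operator-decision guard comes first so nothing below it can touch an Accepted or deleted risk, and the age check sits before any closure is applied so a backlog of stale closures after an outage leaves risks visible.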

Write-Back (Optional)

When write-back is enabled on the connection (it is off by default), operator decisions on Aikido-sourced risks in PGP are pushed back to your Aikido workspace, making the sync two-way:

Action in PGP | Effect in Aikido
------------- | ----------------
Risk accepted | Issue marked ignored, reason "Accepted in Praetorian Guard by <operator>" plus the acceptance comment when provided
Risk deleted | Issue marked ignored, reason "Deleted in Praetorian Guard by <operator>"
Accepted or deleted risk reopened | Issue un-ignored, reason "Reopened in Praetorian Guard by <operator>"
Risk severity edited (Critical/High/Medium/Low) | Issue severity adjusted to match, reason "Severity adjusted in Praetorian Guard by <operator>". With write-back enabled the edit persists; without it, the next poll resets PGP severity from the vendor value
Risk marked Remediated | Nothing. Aikido has no close API; issues close only when Aikido's own rescan verifies the fix. Pull-only by design

Details worth knowing:

  • Scope: write-back requires the additional issues:write API scope (it covers all write operations). With write-back off, the scope is not required and PGP performs no writes at all.
  • Only Aikido-sourced risks are pushed. Risks found by PGP's own scanning or other integrations are never written to Aikido.
  • Informational and Exposure severities have no Aikido equivalent and are not pushed.
  • Snoozing remains pull-only: snoozed issues keep their snooze_until attribute in PGP, and PGP has no snooze action to push.
  • No feedback loops. Aikido marks API-initiated changes distinctly, and every push lands the issue in exactly the state PGP's next poll maps back to the risk's current status — the two systems converge rather than ping-pong.
  • Best-effort delivery. Pushes happen asynchronously after the operator's action; an Aikido outage never blocks or fails the action in PGP. Delivery issues are visible in the integration's job logs.

API Endpoints Used

Endpoint | Purpose
-------- | -------
POST /api/oauth/token | OAuth client-credentials token exchange
GET /api/public/v1/workspace | Connect-time credential validation
GET /api/public/v1/issues/export | Full workspace findings export (each poll)
GET /api/public/v1/repositories/code | Resolve code repositories referenced by findings
GET /api/public/v1/containers | Resolve container-to-repository links
GET /api/public/v1/domains | Resolve domains referenced by findings
PUT /api/public/v1/issues/{issue_id}/ignore | Write-back: accept/delete (only when enabled)
PUT /api/public/v1/issues/{issue_id}/unignore | Write-back: reopen (only when enabled)
POST /api/public/v1/issues/{issue_id}/severity/adjust | Write-back: severity edit (only when enabled)

All requests are paced to respect Aikido's per-workspace rate limit (roughly 20 calls per minute) and originate from Praetorian's static egress IPs, which you can allowlist.
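A small client that ties together the Setup steps, the endpoint table, the rate-limit pacing, and the Write-Back action mapping. This is an added example, not PGP's or Aikido's code: the regional hosts come from Prerequisites and the paths from the table, but the token-exchange shape (HTTP Basic client id:secret, form body grant_type=client_credentials, JSON reply with access_token), the JSON body keys for ignore/unignore/severity, and the SlidingWindowPacer and writeback_request names are assumptions. The transport is injectable so the pacing and the request mapping can be exercised offline.

```python
import base64
import json
import time
from collections import deque
from urllib.request import Request, urlopen

# Regional hosts from Prerequisites; assumed to also serve the API.
REGION_HOSTS = {"eu": "app.aikido.dev", "us": "app.us.aikido.dev", "me": "app.me.aikido.dev"}
PGP_SEVERITIES = {"Critical", "High", "Medium", "Low"}   # Informational/Exposure are never pushed


class SlidingWindowPacer:
    """Lets at most `calls` requests start in any `window` seconds (about 20 per minute here)."""

    def __init__(self, calls=20, window=60.0, clock=time.monotonic, sleep=time.sleep):
        self.calls, self.window, self.clock, self.sleep = calls, window, clock, sleep
        self.starts = deque()                     # start times of calls still inside the window

    def wait(self):
        """Block until a call may start; returns the seconds waited."""
        now = self.clock()
        while self.starts and now - self.starts[0] >= self.window:
            self.starts.popleft()
        delay = 0.0
        if len(self.starts) >= self.calls:
            delay = self.window - (now - self.starts[0])   # until the oldest call ages out
            self.sleep(delay)
            self.starts.popleft()
        self.starts.append(now + delay)
        return delay


def simulate_pacing(n_calls, calls=20, window=60.0):
    """Total seconds a burst of n_calls would wait, on a simulated clock (no real sleeping)."""
    state = {"t": 0.0}
    pacer = SlidingWindowPacer(calls, window, clock=lambda: state["t"],
                               sleep=lambda s: state.__setitem__("t", state["t"] + s))
    return sum(pacer.wait() for _ in range(n_calls))


class AikidoClient:
    """Paced requests, client-credentials token, and the connect-time validation call."""

    def __init__(self, region, client_id, client_secret, transport=None, pacer=None):
        self.base = "https://" + REGION_HOSTS[region]
        self.basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self.transport = transport or self._urlopen   # (method, url, headers, body) -> (status, json)
        self.pacer = pacer or SlidingWindowPacer()
        self.token = None

    @staticmethod
    def _urlopen(method, url, headers, body):
        with urlopen(Request(url, data=body, method=method, headers=headers), timeout=30) as r:
            return r.status, json.loads(r.read() or b"null")

    def authenticate(self):
        """POST /api/oauth/token; every call, this one included, counts against the budget."""
        self.pacer.wait()
        headers = {"Authorization": "Basic " + self.basic,
                   "Content-Type": "application/x-www-form-urlencoded"}
        status, payload = self.transport("POST", self.base + "/api/oauth/token", headers,
                                         b"grant_type=client_credentials")
        if status != 200 or not isinstance(payload, dict) or "access_token" not in payload:
            raise RuntimeError(f"token exchange failed: HTTP {status}")
        self.token = payload["access_token"]
        return self.token

    def call(self, method, path, body=None):
        """Paced, bearer-authenticated request with an optional JSON body."""
        if self.token is None:
            raise RuntimeError("authenticate() first")
        self.pacer.wait()
        headers = {"Authorization": "Bearer " + self.token, "Accept": "application/json"}
        data = json.dumps(body).encode() if body is not None else None
        if data is not None:
            headers["Content-Type"] = "application/json"
        return self.transport(method, self.base + path, headers, data)

    def validate(self):
        """Connect-time credential check against GET /api/public/v1/workspace."""
        status, _ = self.call("GET", "/api/public/v1/workspace")
        return status == 200


def writeback_request(action, issue_id, operator, comment=None, severity=None):
    """Map a PGP operator action to (method, path, body); None when nothing is pushed."""
    prefix = f"/api/public/v1/issues/{int(issue_id)}"   # numeric issue ids only
    if action == "accept":
        reason = f"Accepted in Praetorian Guard by {operator}" + (f": {comment}" if comment else "")
        return "PUT", prefix + "/ignore", {"reason": reason}
    if action == "delete":
        return "PUT", prefix + "/ignore", {"reason": f"Deleted in Praetorian Guard by {operator}"}
    if action == "reopen":
        return "PUT", prefix + "/unignore", {"reason": f"Reopened in Praetorian Guard by {operator}"}
    if action == "severity":
        if severity not in PGP_SEVERITIES:
            return None                               # no Aikido equivalent: not pushed
        return "POST", prefix + "/severity/adjust", {
            "severity": severity.lower(), "reason": f"Severity adjusted in Praetorian Guard by {operator}"}
    if action == "remediate":
        return None                                   # no close API; Aikido's rescan closes it
    raise ValueError(f"unknown action {action!r}")
```

Two design points: the pacer counts the token exchange as a call, because the workspace limit applies to it too, and writeback_request returns None rather than raising for the actions the page says are never pushed, so a caller can log "nothing to push" instead of treating Remediated or an Informational severity as a delivery failure.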

Troubleshooting

  • Connection fails immediately — verify the selected region matches your workspace and the Client Secret is current. The secret is shown only once; if lost, recreate the API client.
  • Import job fails with a missing-scope error — edit or recreate the API client so it carries all five read scopes listed in Setup (plus issues:write if write-back is enabled).
  • Connecting with write-back enabled fails with a missing-scope error — the API client lacks issues:write. Add the scope to the client in Aikido (or disable write-back) and reconnect.
  • A PGP decision (accept, delete, reopen, severity edit) didn't appear in Aikido — confirm write-back is enabled on the connection, the risk is Aikido-sourced, and the API client still carries issues:write; then check the integration's job logs.
  • A repository's findings don't appear — confirm the repository is connected to a Git provider in Aikido. Sample/demo repositories without a real repository URL are skipped, with a counted reason in the job log.
  • A domain's findings don't appear — domains that are neither publicly routable nor internal are excluded by design.
  • A closure didn't apply — only Aikido-sourced risks reconcile; operator-Accepted and deleted risks are never touched; Open risks only close on a verified fix; and closures older than 30 days are skipped.
  • The first sync takes a while — Aikido enforces roughly 20 API calls per minute per workspace, so PGP paces its requests. An initial import across many repositories, containers, and domains can take several minutes to complete.

Security

  • By default the API client requires only read scopes, and the integration never writes to your Aikido workspace. The exception is the optional write-back: when you explicitly enable it, PGP performs exactly three kinds of writes — ignoring, un-ignoring, and adjusting the severity of issues that correspond to Aikido-sourced risks — and nothing else.
  • Credentials are validated at connect time and stored encrypted; the Client Secret is never displayed after entry.
  • Integration traffic originates from Praetorian's pinned static IP ranges.
  • Console deep links are constructed from fixed regional hosts and numeric issue identifiers only.