🧠 Summary
In this article, you’ll learn what SAST is and why it’s crucial to incorporate static application security testing from the early stages of development. You’ll discover what Aikido SAST is, a SaaS platform that scans your code in seconds without complex installations. You’ll follow a detailed plan to connect it to your repository, run a scan, and understand the results.
🛡️ Introduction
Static Application Security Testing (SAST) is a white-box technique that analyzes source code, bytecode, or binaries to detect vulnerabilities before execution.
Integrating SAST into the software development lifecycle allows you to:
- 🐞 Detect issues like SQL injection, XSS, or data leaks
- 🕒 Reduce remediation time
- 💸 Lower costs and security risks
🤖 What is Aikido SAST?
Aikido is a SaaS platform for static security analysis that scans your repositories for vulnerabilities without needing to install tools locally.
Key Features:
- ⚡ Fast scanning: Analysis in under 2 minutes.
- ☁️ No local setup: 100% cloud-based.
- 🔐 Privacy-first: Code is not stored after scanning.
- 🛠️ Detects common risks: SQL Injection, XSS, Path Traversal, SSRF, and more.
- 🤖 Auto-fix (paid plans): Aikido can automatically propose pull requests to fix vulnerabilities.
🛠️ Step-by-step Implementation
Step 1: Create an Aikido account
- Go to https://www.aikido.dev
- Click the “Start for Free” button
- Sign up with your email or log in using GitHub
Step 2: Connect your repository
Once inside the Aikido dashboard:
- Click “Connect Your Source Code”
- Choose your provider: GitHub, GitLab, or Bitbucket
- Authorize Aikido to access your repositories
- Select the project you want to scan (e.g. web-login-app)
Step 3: Configure SAST scan
- On the left menu, go to “Scanners”
- Select “Static Code Analysis (SAST)”
- Choose which branches to scan: “main” or all
- Click “Run Scan” to launch the analysis
Scanning starts automatically — no technical setup needed.
Step 4: Review results
When the scan is complete, go to the Results Dashboard, where vulnerabilities are grouped by type and severity.
Example result:
⚠️ High severity: SQL Injection in login.php, line 37
Description: Unsanitized parameter detected in SQL query.
Recommendation: Use prepared statements to prevent injections.
Each issue includes:
- File name
- Line number
- Affected code snippet
- Severity level (Critical, High, Medium, Low)
- Fix suggestion
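The kind of finding shown above, as an added PHP example that is not the article's or Aikido's code: the concatenated login query a SAST rule flags as an unsanitized parameter, beside the prepared-statement form the recommendation calls for. The users table, its columns and the in-memory SQLite database are assumptions made for the demo.

```php
<?php
// Added illustration of the Step 4 finding: a login lookup that concatenates a request
// parameter into SQL, beside the prepared-statement form the recommendation asks for.
// Constructed example, not the article's or Aikido's code.

// Vulnerable form: what a SAST rule reports as an unsanitized parameter in a SQL query.
// The username becomes SQL text, so a quote in the input changes the statement's structure.
function findUserVulnerable(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: the SQL text is constant and user data travels only as a
// bound parameter, so it can never be parsed as SQL.
function findUserSafe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Authentication on top of the safe lookup: the password is checked against a
// stored hash in application code, never by placing it in the query.
function authenticate(PDO $db, string $username, string $password): bool
{
    $row = findUserSafe($db, $username);
    return $row !== null && password_verify($password, $row['password_hash']);
}

// Stand-alone demo on an in-memory SQLite database (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$insert = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$insert->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);
var_dump(authenticate($db, 'alice', 'correct horse'));
var_dump(authenticate($db, 'alice', 'wrong password'));
// A legitimate name with an apostrophe is simply an unknown user for the safe lookup...
var_dump(authenticate($db, "o'brien", 'irrelevant'));
// ...but breaks the concatenated query, which is the same weakness an attacker abuses.
try {
    findUserVulnerable($db, "o'brien");
} catch (PDOException $e) {
    echo 'vulnerable query failed: ' . $e->getMessage() . PHP_EOL;
}
```

Running it shows that the fix is not about filtering characters: the safe lookup handles the apostrophe as plain data, while the concatenated query fails on it before any attacker is involved.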
Step 5: Manual review or auto-fix (for paid plans)
If you have a paid plan, you can enable Auto-fix to allow Aikido to create a pull request with the fix applied.
On the free plan, you’ll need to manually apply changes using the suggestions shown in the dashboard.
Step 6 (Optional): Define custom rules
Want more control?
- Go to your project’s “Settings” in Aikido
- Navigate to “Custom SAST Rules”
- Define your own patterns, such as:
  - Blocking usage of risky functions like eval()
  - Detecting hardcoded API keys in variables
This allows you to tailor the scanner to your team’s security standards.
⚖️ Pros and Cons
✅ Pros
- Fast scanning with no local installation
- Easy integration with GitHub, GitLab, Bitbucket
- Developer-friendly UI
- Detects common vulnerabilities (XSS, SQLi, etc.)
- Custom rule support
- Great for PHP, JavaScript, Python, Java, etc.
❌ Cons
- No DAST (Dynamic Analysis)
- Some advanced features require paid plans
- Limited customization on the free tier
- Focused on code scanning only (no infrastructure/IaC)
🧾 Conclusion
Integrating Aikido SAST into your development workflow is a strategic move for any developer or team aiming to improve security with minimal overhead.
Its simplicity, speed, and focus on static code scanning from the repo make it a great entry point into DevSecOps.
Whether you're working with PHP, JavaScript, or other supported languages, Aikido can help you:
- Detect vulnerabilities before deploying to production
- Improve code quality
- Maintain secure development practices
Start scanning from the first commit and keep your app safe effortlessly.