We’re making a fundamental change to how teams use SAST.
SAST in the IDE is now free.
This means developers can run SAST scans directly inside their editor, with real-time feedback and project-wide visibility, using the same analysis engine and SAST rules as Aikido. Detection runs automatically as developers work, without limiting coverage at the detection layer.
The Aikido approach: why SAST belongs in the IDE
SAST is most valuable when developers can act on findings while they still have full context. In many teams, SAST scans still run primarily in CI or later review stages. While effective for coverage, this timing often introduces friction: findings arrive after code has already moved forward, ownership is less clear, and remediation competes with new work.
Running scans in the IDE shifts detection earlier in the development lifecycle. Issues surface as code is written or modified, inside the same environment developers already use. This keeps context intact and makes it easier to understand and address findings before they propagate downstream.
IDE-level SAST scans do not replace later-stage controls. Instead, they reduce the number of issues that ever reach them.
Real-time SAST while writing code
Aikido’s IDE plugins integrate directly into the editor and run real-time SAST scanning automatically.
Every time a developer opens or saves a file, the plugin runs a background scan using the same analysis engine as the Aikido platform. The scan detects SAST issues such as insecure coding patterns, injection risks, unsafe deserialization, and other code-level vulnerabilities.
Detected issues appear:
- Inline, underlined or highlighted in the editor.
- In the Aikido sidebar, grouped by severity and category.
- In the Problems panel, for quick navigation.
Additional context is available on hover, allowing developers to understand the issue without leaving the editor.
Project-wide SAST inside the IDE
Real-time feedback is complemented by full workspace scans, which allow developers to analyze more than just the files currently open.
Workspace scans let developers:
- establish a security baseline for a repository
- review larger refactors or changes
- validate broader modifications before pushing code
During a workspace scan, Aikido runs the same SAST checks across the selected scope. Results remain visible inline in the editor and in a Scan Results panel, grouped by category, keeping review inside the IDE rather than in a separate tool.
Consistent SAST rules and signal
SAST scans in the IDE use the same SAST rules, analysis engine, and severity definitions as the Aikido platform.
There is no reduced or IDE-specific ruleset. Findings surfaced locally are consistent with what teams see later in other workflows, helping avoid confusion or mismatched prioritization.
Fixing SAST issues before CI with AutoFix
Detecting SAST issues early is only part of the problem. The real challenge is turning findings into correct code changes without slowing development.
For supported SAST findings, Aikido offers AI AutoFix, which generates reviewable fixes directly in the IDE, at the moment an issue is introduced.
AutoFixes are created per SAST rule and use tuned remediation instructions to address the root cause while keeping functionality intact. Each fix is shown as a clear diff that developers can review and apply immediately. Once applied, the file is automatically rescanned to confirm the issue is resolved.
By fixing SAST issues before they ever reach pull requests or CI, teams reduce context switching and keep remediation part of everyday development.
This helps prevent avoidable SAST findings from ever reaching pull requests or CI.
Supported IDEs and languages
SAST in the IDE is available across common development environments, including VS Code, JetBrains IDEs, Visual Studio, Cursor, Windsurf, Kiro, and Google Antigravity.
IDE SAST supports modern production languages including JavaScript, TypeScript, Python, Java, .NET, PHP, Ruby, Go, Elixir, Rust, Kotlin, Scala, Swift, and C/C++.
SAST, where development actually happens
Running SAST scans directly in the IDE changes when and how developers engage with security findings. Issues surface as code is written, not after it has already moved through review or CI. Context stays intact, ownership is clear, and fixes are simpler.
By keeping SAST inside the editor, fewer issues reach later stages of the pipeline, and SAST becomes part of everyday development rather than a separate security step.
Get started with SAST in the IDE
Install the Aikido plugin for your IDE and SAST scans will run automatically as you work.
Explore IDE integrations here: https://help.aikido.dev/ide-plugins
