Aikido

AutoStore gains complete AppSec visibility across engineering with Aikido Security


  • 100 developers
  • 100 repos integrated
  • 1 SCA, SAST and container scanning platform
  • 1 SSDLC

At a glance

  • Consolidates SCA, SAST and container scanning into one platform
  • Integrated across 100 repositories in a few weeks with one engineer
  • Supports 100 developers across GitLab, GitHub and Azure DevOps
  • Offers multi-language AppSec support for F#, Rust, C++, C#, Python, React/TypeScript
  • Enables earlier fixes through merge request workflows
  • Advances AutoStore’s secure software development lifecycle (SSDLC) with actionable insights
  • Selected Aikido Security ahead of Black Duck and Endor Labs

Challenge

AutoStore’s engineering organization had grown and diversified, with close to 100 developers working across many languages, codebases, and offices worldwide. While some teams had strong security habits, others relied on inconsistent processes or legacy workflows, which created uneven coverage. As the company expanded into more cloud-native development, these gaps became harder to manage.

The engineering manager and CISO set out to strengthen AutoStore’s secure software development lifecycle (SSDLC) and bring clarity and consistency to how security was handled across the company.

AutoStore needed a platform that could provide full AppSec visibility across legacy and cloud-native repositories, support its diverse tech stack and integrate directly with GitHub, GitLab and Azure DevOps.

“Of course, when 100 developers or 10 teams do things themselves, there will be some practices that are good and others that are not so good,” said Vegard Syre Aaker, security software engineer at AutoStore.

Meanwhile, open source risk processes that had historically been built around C++ systems could not scale to support modern development environments.

“We were looking for a security tool that could handle all our programming languages and work with GitHub, GitLab and other systems. Our repositories are very different, so this was not easy. Aikido was one of the few tools that could support everything we needed.”

A developer-led selection

Vegard’s previous experience as a developer shaped AutoStore’s evaluation. The team needed an AppSec platform that developers would actually use and that integrated into existing workflows without friction.

“I was trying to find a tool that I knew could empower the developers. Something they would actually adopt and that would integrate well with our processes.”

This developer-first requirement aligned strongly with Aikido’s approach.

Solution

AutoStore evaluated Aikido alongside Endor Labs, Black Duck and open source tools. Aikido stood out for its intuitive experience, multi-language AppSec support and ability to unify multiple security capabilities into one platform.

“During the proof of concept, we liked the simple and intuitive interface. We also chose Aikido because it was easy to integrate, and it included many security tools in one suite with one dashboard.”

Aikido supported every major language in use and provided both direct integrations and local scanning for complex C++ libraries. While GitHub and Azure DevOps were integrated smoothly earlier in the process, the GitLab rollout demonstrated the platform’s scalability:

“Most of the GitLab integration was done by one security engineer, with little help, in just a few weeks. This included about 100 repositories and 100 developers.”

Aikido’s rapid support and flexibility contributed to the speed of deployment.

“Most problems during the integration and roll-out were resolved quickly together with Aikido, and they are flexible to provide changes to their software if needed.”

Why AutoStore chose Aikido

AutoStore selected Aikido because it:

  • Supports every major language in use, including C++, Rust and F#
  • Integrates directly with GitHub, GitLab and Azure DevOps
  • Consolidates SCA, SAST and container scanning into one platform
  • Delivers developer-first workflows and merge request visibility
  • Provides actionable results that reduce noise and guide prioritization

Results

Aikido now provides a consistent view of vulnerabilities across all teams and repositories.

“Developers and security engineers now have much better visibility into risks and vulnerabilities. I am sure this will improve the security of our applications over time.”

Aikido’s merge request workflows help catch issues earlier and improve developer engagement.

“Having it as comments in merge requests, potentially blocking them, will help improve the security of the applications over time.”

Aikido also enabled AutoStore to validate newly disclosed vulnerabilities quickly. When its SOC provider flagged a new dependency issue, Aikido already had analysis available.

“I checked Aikido’s blog post and saw that you had tracked that vulnerability for a few days already. I could quickly check if our codebase was affected.”

How AutoStore is expanding its use of Aikido

Evaluating next

“We will test AI penetration testing on one of our applications. It could potentially partially remove our external penetration testing.”

Aikido as the most actionable layer of the SSDLC

Vegard emphasizes that a secure development lifecycle includes many components such as risk management, threat modeling and penetration testing. In practice, Aikido became the most actionable part of the framework.

“The rest of the organization is very focused on Aikido because it is actionable. It is much more actionable compared to other topics that are more vague.”

Clear steps, rapid visibility and developer-focused workflows allow teams to strengthen security collaboratively.

“If I had done it again, I would probably have chosen a security tool quite quickly and then built on top of that.”

Final verdict

“Aikido delivers a focused product that empowers engineering teams to manage vulnerabilities effectively. They have clearly prioritized usability, which makes vulnerability management accessible and actionable.”
