Review
“Aikido makes your security one of your USPs thanks to their integrated automated reporting solution, which helps for ISO & SOC2 certification”

Fabrice G
Managing director at Kadonation
Aikido scans your code for exposed API keys, credentials, and tokens—before they ever reach production.
Importance of Secrets Detection
Aikido recognizes secrets that are known to be safe and auto-triages them (e.g. Stripe publishable keys, Google Maps API keys used in front-end) so they don't trigger alerts.
Aikido will ignore secrets that have been verified as expired or revoked, or that appear to be variables. Aikido safely verifies the validity of known secret types by sending a request to an API endpoint that requires authorization but doesn't produce sensitive data.
Replace your scattered toolstack with one platform that does it all—and shows you what matters.
Secret detection scans your code for exposed API keys, passwords, tokens, and credentials. Leaked secrets can give attackers direct access to your systems, leading to data breaches or costly cloud misuse. Even a single AWS key in a repo can be exploited. Secret scanning helps catch these issues before they're pushed or merged, protecting your infrastructure from unauthorized access.
Aikido scans your code and config files for known secret patterns and high-entropy strings. It detects API keys, tokens, private keys, DB creds, and more. Using pattern matching, entropy analysis, and validation logic, it identifies real secrets while minimizing false alarms. It flags anything sensitive enough to be dangerous if exposed.
By default, Aikido scans the current code, but it can also scan full Git history to catch secrets exposed in old commits. Historical scanning is optional and configurable - ideal for detecting secrets that were added and removed but still accessible in repo history.
You can integrate Aikido into CI pipelines, blocking builds or PRs with detected secrets. It also supports IDE extensions and pre-commit hooks for real-time feedback during development. This ensures secret detection happens automatically - before secrets hit production branches.
Aikido is optimized to reduce false positives. It avoids flagging known public keys (e.g., Stripe publishable keys) and filters out test values or random data. When possible, it verifies secrets for validity before raising alerts, so the results you get are relevant and actionable.
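As an added illustration (not Aikido's code) of the pattern-matching, entropy-analysis and auto-triage behaviour described here and in the auto-triage paragraph above, the following Python sketch scans constructed sample lines: known secret formats alert, a Stripe publishable key is triaged as safe, a `${VAR}` reference is ignored, and any other long high-entropy value alerts. The pattern set, thresholds and sample values are assumptions, not Aikido's rules.

```python
import math
import re
# Known secret formats (a tiny subset; the real pattern set is an assumption).
SECRET_PATTERNS = {
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Known-safe formats, auto-triaged rather than alerted: Stripe publishable
# keys are designed to ship in front-end code.
SAFE_PATTERNS = {
    "stripe_publishable_key": re.compile(r"\bpk_(?:live|test)_[A-Za-z0-9]{16,}\b"),
}
# Values that are variable references or placeholders, not secrets.
VARIABLE_LIKE = re.compile(r"^(\$\{.*\}|\{\{.*\}\}|<[A-Z_]+>|\$[A-Z_]+)$")
# key = "value" / key: value assignments in code, .env, YAML and similar files.
ASSIGNMENT = re.compile(r"""^\s*[A-Za-z_][A-Za-z0-9_]*\s*[:=]\s*["']?([^"'\s]+)["']?""")

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score around 4, words around 3 or less."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan(text: str, min_len: int = 20, min_entropy: float = 3.5) -> list:
    """Return (line_no, kind, value, verdict) for each finding in `text`."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        hits = [(k, m.group(0), "auto-triaged safe") for k, rx in SAFE_PATTERNS.items() for m in rx.finditer(line)]
        hits += [(k, m.group(0), "alert") for k, rx in SECRET_PATTERNS.items() for m in rx.finditer(line)]
        if not hits:
            # No known format on this line: fall back to entropy analysis of the assigned value.
            m = ASSIGNMENT.match(line)
            if m and VARIABLE_LIKE.match(m.group(1)):
                hits = [("variable_reference", m.group(1), "ignored")]
            elif m and len(m.group(1)) >= min_len and shannon_entropy(m.group(1)) >= min_entropy:
                hits = [("high_entropy_string", m.group(1), "alert")]
        findings += [(no, k, v, verdict) for k, v, verdict in hits]
    return findings

# Constructed sample input (no real credentials; the AWS value is AWS's documented example id).
SAMPLE = """\
STRIPE_SECRET=sk_live_a1b2c3d4e5f6g7h8i9j0k1l2
STRIPE_PUBLIC=pk_live_a1b2c3d4e5f6g7h8i9j0k1l2
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DB_PASSWORD=${DB_PASSWORD}
session_token = "q8Zr2VbL0xN7mKp4WsT1yHd9"
version = "1.0.0"
"""

if __name__ == "__main__":
    for no, kind, value, verdict in scan(SAMPLE):
        print(f"line {no}: {verdict:18} {kind} {value}")
```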
Yes. You can add ignore rules, patterns, or annotations to prevent Aikido from flagging known test values. You can also mark findings as "won't fix" or safe in the dashboard. This tuning helps reduce alert fatigue and lets you control what gets flagged.
Aikido alerts you immediately and can block the commit or build (if integrated into CI). It shows the file, line, and key type, and recommends revoking the secret. While Aikido doesn't revoke keys directly, it highlights active credentials and guides you on what to do next.
Aikido offers detection quality on par with GitGuardian/Gitleaks but integrates secret scanning into a broader security platform. It reduces noise with contextual triage and unifies alerts across code, cloud, IaC, and secrets. It's one tool for all risks - no juggling multiple platforms.
Yes, it scans all text files - code, YAML, JSON, .env files, Terraform, commit messages, and more. Secrets often hide in configs or manifests, and Aikido checks them all to catch accidental leaks wherever they appear.
Aikido complements GitHub scanning and hooks with broader coverage (multi-platform support), centralized alerting, and deeper context. It doesn't rely on dev setup, reduces false positives, and catches secrets across all repos - even if hooks are bypassed. It adds layered protection and better visibility.
Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast, automatically.