# Aikido Security Integration

> Connect Aikido to ingest vulnerability scan results and repository security findings into Matproof's unified Findings view.

## Overview

The Aikido Security integration syncs vulnerability and repository-scanning data from Aikido into Matproof, so the security findings your scanner produces become evidence for compliance controls — without copy-pasting CSVs every quarter.

Aikido covers SAST, SCA (dependency vulnerabilities), IaC scanning, container scanning, surface monitoring, secrets scanning, and license compliance. Matproof ingests the issues Aikido finds and routes them to the unified [Findings](/features/findings) view, where they're tracked through to closure alongside findings from internal audits, pen tests, the device agent, and elsewhere.

**Evidence ingested:**

* Open security issues by severity (informational, low, medium, high, critical)
* Repository scan activity (which repos scanned, when last scanned)
* Stale-scan detection (repos not scanned in 7+ days)
* Issue-count thresholds (configurable — fail the check if open issues exceed your threshold)
* Severity-breakdown summaries

***

## Prerequisites

* Aikido Security workspace with at least one repository or asset configured
* Aikido API credentials (Client ID + Client Secret)
* Matproof Admin or Owner role

***

## Connecting Aikido

<Steps>
  <Step title="Generate API credentials in Aikido">
    In Aikido Security: **Settings → API → Create API client**. Issue a client with the **read** scope on Issues and Repositories. Copy the **Client ID** and **Client Secret** — Aikido shows the secret only once.
  </Step>

  <Step title="Add credentials to Matproof">
    In Matproof: **Settings → Integrations → Aikido Security → Connect**. Paste the Client ID and Client Secret. Matproof tests the connection and runs the first scan.
  </Step>

  <Step title="Configure check thresholds">
    Open **Integrations → Aikido → Configure** and set the thresholds Matproof uses to evaluate your security posture:

    | Setting                         | What it does                                                                               |
    | ------------------------------- | ------------------------------------------------------------------------------------------ |
    | **Minimum severity to fail on** | Issues at this severity or higher cause the check to fail (low / medium / high / critical) |
    | **Maximum allowed open issues** | If total open issues exceed this number, the check fails regardless of severity            |
    | **Repository filter**           | Restrict to specific repos; leave empty for all repos                                      |
    | **Include snoozed issues**      | Whether snoozed (deferred) issues count against the threshold                              |
  </Step>

  <Step title="Verify it works">
    Click **Run** on any Aikido check in the integration view. You should see a recent run with passing or failing evidence within seconds. If a check fails with `HTTP 401: Unauthorized`, verify the Client ID and Client Secret and confirm the **read** scope is enabled.
  </Step>
</Steps>

***

## What gets mapped to which controls

| Evidence Collected                      | Control Examples                                                          |
| --------------------------------------- | ------------------------------------------------------------------------- |
| Open critical/high CVEs below threshold | Vulnerability management (ISO 27001 A.8.8, SOC 2 CC7.1, NIS 2 Article 21) |
| Repositories scanned within last 7 days | Secure SDLC / change management evidence                                  |
| Stale scans surfaced as findings        | Vulnerability management process effectiveness                            |
| Severity-tier breakdown                 | Risk-based vulnerability prioritization (ISO 27001 A.5.12)                |
| Snooze rationale (when included)        | Risk-acceptance documentation                                             |

***

## Aikido findings in the unified Findings view

Every issue Aikido reports becomes a finding in Matproof's unified [Findings](/features/findings) view, tagged with source = `aikido`. From there:

* Triage, assign owners, set due dates as you would any other finding
* Convert high-severity issues to [Corrective Actions](/features/corrective-actions) for tracked remediation
* Mark closed when Aikido shows the issue resolved on its next sync — or override manually with attached evidence

This means your weekly findings review covers Aikido's output alongside internal audit findings, pen-test results, and device-agent CVEs — one queue, one taxonomy.

***

## Common issues

### `HTTP 401: Unauthorized` on every check

Most often the credentials don't have the **read** scope on the right resources. Re-issue the API client in Aikido with **Issues: read** and **Repositories: read** explicitly granted, and update the credentials in Matproof.

### "Stale scan" check fails right after connecting

The 7-day staleness window starts when Aikido first scans a repo, not when Matproof connects. If you connected Aikido and added repos in the same week, all repos may show as "never scanned" for the first day or two. Trigger manual scans in Aikido or wait for the scheduled scans to complete.

### Issue count differs between Matproof and Aikido dashboard

Matproof's threshold check counts only issues at or above your configured **minimum severity**, and excludes snoozed issues unless **Include snoozed issues** is enabled. The Aikido dashboard shows everything. Check your Matproof configuration under **Integrations → Aikido → Configure**: setting **minimum severity** to "informational" (and enabling **Include snoozed issues** if any issues are snoozed) makes the counts match.
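To make the threshold semantics from **Configure check thresholds** concrete, and to show why the count in this section differs from Aikido's dashboard, here is an added Python example. It is not Matproof's or Aikido's code: the issue records, last-scan timestamps and field names are constructed for illustration and do not follow Aikido's API schema; treating **Maximum allowed open issues** as a count of all in-scope issues regardless of severity is an assumption read from the settings table.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample data; field names are assumptions, not Aikido's API schema.
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)
ISSUES = [
    {"id": 1, "repo": "api-gateway", "severity": "critical", "snoozed": False},
    {"id": 2, "repo": "api-gateway", "severity": "high", "snoozed": True},
    {"id": 3, "repo": "billing", "severity": "medium", "snoozed": False},
    {"id": 4, "repo": "billing", "severity": "low", "snoozed": False},
    {"id": 5, "repo": "web-frontend", "severity": "informational", "snoozed": False},
]
LAST_SCAN = {  # repo -> last scan time (None = never scanned)
    "api-gateway": NOW - timedelta(days=2),
    "billing": NOW - timedelta(days=9),
    "web-frontend": None,
}

def in_scope(issues, repo_filter=frozenset(), include_snoozed=False):
    """Apply the Repository filter and the Include snoozed issues setting."""
    return [
        i for i in issues
        if (not repo_filter or i["repo"] in repo_filter)
        and (include_snoozed or not i["snoozed"])
    ]

def evaluate_check(issues, min_severity="high", max_open_issues: Optional[int] = None,
                   repo_filter=frozenset(), include_snoozed=False):
    """Threshold check: fail on any issue at severity >= min_severity, or when the
    number of in-scope open issues exceeds max_open_issues (assumed: any severity)."""
    scoped = in_scope(issues, repo_filter, include_snoozed)
    rank = SEVERITY_RANK[min_severity]
    failing = [i["id"] for i in scoped if SEVERITY_RANK[i["severity"]] >= rank]
    breakdown = {s: 0 for s in SEVERITY_RANK}  # severity-breakdown summary
    for i in scoped:
        breakdown[i["severity"]] += 1
    over_limit = max_open_issues is not None and len(scoped) > max_open_issues
    status = "fail" if failing or over_limit else "pass"
    return {"status": status, "open": len(scoped), "failing": failing, "breakdown": breakdown}

def stale_repos(last_scan, now=NOW, window_days=7):
    """Stale-scan detection: repos never scanned, or not scanned within the window."""
    cutoff = now - timedelta(days=window_days)
    return sorted(r for r, t in last_scan.items() if t is None or t < cutoff)

if __name__ == "__main__":
    print(evaluate_check(ISSUES))  # default settings: fails on the critical issue, open=4
    print(evaluate_check(ISSUES, "informational", include_snoozed=True))  # open=5, dashboard total
    print(stale_repos(LAST_SCAN))  # ['billing', 'web-frontend']
```

With the default settings the check reports four open issues (the snoozed high is excluded), while "informational" plus **Include snoozed issues** reports all five, which is the figure the Aikido dashboard shows.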

***

## Disconnecting

Go to **Settings → Integrations → Aikido Security → Disconnect**. The encrypted credentials are purged from Matproof.

In Aikido: also revoke the API client from **Settings → API → \[client] → Revoke** to fully cut access on the Aikido side.

Previously ingested findings remain in Matproof's Findings view (so historical audit context is preserved). Future Aikido scans won't sync until you reconnect.

***

## References

* [Aikido API documentation](https://apidocs.aikido.dev/reference)

<CardGroup cols={2}>
  <Card title="Findings" href="/features/findings">
    Where Aikido-ingested issues land
  </Card>

  <Card title="Corrective Actions" href="/features/corrective-actions">
    Track remediation of high-severity findings to closure
  </Card>
</CardGroup>
