Overview

Aikido is a security platform that provides vulnerability scanning across your software supply chain, including open-source dependencies and container images. This integration connects Backline with Aikido to automatically import vulnerability findings, enabling centralized remediation workflows.

What You Can Do

With the Aikido integration, Backline can:
  • Automatically import SCA vulnerabilities detected in open-source dependencies
  • Automatically import container image vulnerabilities detected in your container images
  • Track vulnerabilities detected across your repositories and container images
  • Create remediation workflows for imported vulnerabilities
  • Maintain vulnerability detection timestamps from Aikido
  • Centralize security vulnerabilities from multiple scanners in one place

Prerequisites

Before connecting Aikido, ensure you have:
  • An Aikido account with permission to create API clients
  • Access to the Integration Hub in Backline
  • A connected source control management (SCM) integration in Backline (e.g., GitHub, GitLab) for SCA findings

Creating an API Client

Aikido authenticates API requests using an OAuth2 client-credentials API client. You must have permission to create API clients in your Aikido workspace.
  1. Log in to Aikido: Access your Aikido dashboard at https://app.aikido.dev
  2. Navigate to API Clients: Go to Settings, then open the API Clients section.
  3. Create an API Client: Click to create a new API client and enter a name to identify it (e.g., Backline Integration).
  4. Select Scopes: Grant the API client the following scopes:
       • basics:read
       • issues:read
       • repositories:read
     These provide sufficient access for Backline to fetch vulnerability findings and resolve the repositories they affect.
  5. Copy Credentials: Copy both the Client ID and Client Secret. Store them securely as the secret will only be shown once.

Store your Client ID and Client Secret securely. The Client Secret will only be shown once during creation.

Connecting Aikido

  1. Navigate to Integrations: In Backline, go to the Integration Hub from the main menu.
  2. Select Aikido: Find and click on the Aikido integration card.
  3. Enter Connection Details: In the connection form, enter:
       • Client ID: The Client ID from your Aikido API client
       • Client Secret: The Client Secret from your Aikido API client
     Aikido is hosted at a fixed location (https://app.aikido.dev), so there is no API endpoint or URL to configure.
  4. Configure Scan Options: Choose which vulnerability types Backline should import:
       • Scan SCA Vulnerabilities: Import vulnerabilities detected in open-source dependencies (enabled by default)
       • Scan Container Image Vulnerabilities: Import vulnerabilities detected in container images (enabled by default)
  5. Test Connection: Click Connect to verify your credentials. Backline will authenticate with Aikido and confirm the connection is valid.

Scan Options

Backline supports two types of findings from Aikido, which can be enabled or disabled independently:

| Option | Default | Description |
| --- | --- | --- |
| Scan SCA Vulnerabilities | Enabled | Imports vulnerabilities detected in open-source dependencies |
| Scan Container Image Vulnerabilities | Enabled | Imports vulnerabilities detected in container images |

Disabling an option limits imported findings to the asset type that remains enabled.

How It Works

Once connected, Backline will:
  1. Fetch Vulnerabilities: Periodically query the Aikido API for open vulnerability findings
  2. Map to Repositories: Associate SCA & Container Image vulnerabilities with the correct repositories in your Backline workspace
  3. Track Detection Time: Preserve the original detection timestamp from Aikido

Triage Behavior

Backline respects the triage decisions you make in Aikido:
  • Ignored and snoozed issues are not imported: Findings that you have ignored or snoozed in Aikido are not ingested into Backline.
  • Adjusted severities are honored: If you change the severity of a finding in Aikido, Backline imports it with your adjusted severity.

Scan Schedule

After connecting Aikido, Backline automatically schedules periodic scans to fetch new vulnerabilities. The scan runs every 6 hours to ensure your vulnerabilities stay up to date.
The initial scan begins shortly after the integration is connected. You can view imported findings in the Vulnerabilities section.

Limitations

The Aikido integration is read-only in this release. Backline imports findings from Aikido but does not write back any changes to Aikido — triage decisions, status changes, and comments made in Backline are not synced to Aikido.

Managing the Integration

Viewing Connection Status

To check your Aikido connection:
  1. Open the Integration Hub
  2. Find the Aikido card
  3. A Configure button indicates the integration is connected

Reconnecting

If your credentials expire or need to be updated:
  1. Click Configure on the Aikido card
  2. Enter the new Client ID and Client Secret
  3. Click Connect to verify the new credentials

Troubleshooting

Connection Failed — Authentication Error

If Backline cannot authenticate with Aikido:
  • Verify your Client ID and Client Secret are correct
  • Confirm the API client has not been deleted or disabled in Aikido
  • Ensure the API client has the basics:read, issues:read, and repositories:read scopes
  • Ensure the credentials were copied correctly (the Client Secret is only shown once)

Missing Vulnerabilities

If expected vulnerabilities are not appearing:
  • Only SCA and container image vulnerabilities are imported
  • Issues that are ignored or snoozed in Aikido are not imported
  • For SCA findings, verify the relevant repositories are accessible to Backline via your connected SCM integration
  • Confirm the Scan SCA Vulnerabilities or Scan Container Image Vulnerabilities option is enabled for the finding type you expect

SCA Findings Not Matched to Repositories

If SCA vulnerabilities are not appearing for certain repositories:
  • Backline filters SCA findings to repositories accessible via your connected SCM integration
  • Ensure the repository is connected and visible in Backline through your GitHub or GitLab integration
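
A troubleshooting aid for the two checklists above (Missing Vulnerabilities and SCA Findings Not Matched to Repositories), added here as an example and not Backline or Aikido code: it applies the import rules this page states to a list of findings and reports why each one would be skipped. The finding field names, status values and sample data are constructed assumptions, not Aikido's API schema.

```python
# Added example. Field names and sample data are constructed, not Aikido's API schema.
from dataclasses import dataclass

@dataclass
class ScanOptions:
    scan_sca: bool = True        # "Scan SCA Vulnerabilities" (enabled by default)
    scan_container: bool = True  # "Scan Container Image Vulnerabilities" (enabled by default)

def import_decision(finding, options, scm_repos):
    """Return (imported, reason) for one finding, using the rules stated on this page."""
    ftype, status = finding["type"], finding["status"]
    if ftype not in ("sca", "container_image"):
        return False, "only SCA and container image findings are imported"
    if status in ("ignored", "snoozed"):
        return False, f"{status} in Aikido"
    if ftype == "sca" and not options.scan_sca:
        return False, "Scan SCA Vulnerabilities is disabled"
    if ftype == "container_image" and not options.scan_container:
        return False, "Scan Container Image Vulnerabilities is disabled"
    if ftype == "sca" and finding["repo"] not in scm_repos:
        return False, "repository not visible through the SCM integration"
    return True, "imported"

def effective_severity(finding):
    """A severity adjusted in Aikido takes precedence over the original one."""
    return finding.get("adjusted_severity") or finding["severity"]

def explain(findings, options, scm_repos):
    """Map finding id -> (reason, severity as imported or None if skipped)."""
    report = {}
    for f in findings:
        imported, reason = import_decision(f, options, scm_repos)
        report[f["id"]] = (reason, effective_severity(f) if imported else None)
    return report

# Constructed sample data for illustration.
SCM_REPOS = {"acme/api", "acme/web"}
SAMPLE_FINDINGS = [
    {"id": "F1", "type": "sca", "status": "open", "repo": "acme/api", "severity": "high"},
    {"id": "F2", "type": "sca", "status": "snoozed", "repo": "acme/api", "severity": "critical"},
    {"id": "F3", "type": "sca", "status": "open", "repo": "acme/legacy", "severity": "medium"},
    {"id": "F4", "type": "container_image", "status": "open", "repo": None,
     "severity": "critical", "adjusted_severity": "low"},
    {"id": "F5", "type": "sast", "status": "open", "repo": "acme/web", "severity": "high"},
]

if __name__ == "__main__":
    for fid, (reason, sev) in explain(SAMPLE_FINDINGS, ScanOptions(), SCM_REPOS).items():
        print(f"{fid}: {reason}" + (f" (severity {sev})" if sev else ""))
```

The order of the checks is a choice made for this example; a finding that fails several rules is reported under the first one it hits.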