Aikido API Client

A comprehensive Rust CLI client and library for the Aikido Security API. This tool supports both the CI API for pipeline integrations and the Public API for full workspace management.

Features

CI API (Pipeline Integration)

• Differential scans for pull request checks
• Release gating to block deployments with security issues
• Custom result uploads (Checkov, SBOM)
• Automatic region detection from API key

Public API (Workspace Management)

• Workspace & Users: View workspace info, list users
• Issues & Repositories: Export issues, list repos
• Containers & Domains: Manage container scans, domain monitoring
• Compliance: SOC2, ISO 27001, NIS2 status
• Reports & Activity: PDF exports, CI scan history, activity log
• Teams & Clouds: Team management, cloud integrations

Installation

From Source

cargo build --release

The binary will be available at ./target/release/aikido-api-client.

Using Cargo

cargo install aikido-api-client

Quick Start

CI API Setup

1. Get your API key from Aikido Settings

2. Store your API key:

   aikido-api-client apikey <your-api-key>

3. Run a scan:

   aikido-api-client scan <repository_id> <base_commit> <head_commit>

Public API Setup

1. Get your OAuth2 credentials from API Settings

2. Store your credentials:

   aikido-api-client auth <client_id> <client_secret>

3. Access your workspace:

   aikido-api-client workspace
   aikido-api-client repos
   aikido-api-client issues

Commands

CI API Commands

apikey - Configure API Key

aikido-api-client apikey AIK_CI_EU_xxxxx

scan - Differential Scan

Run a scan comparing two commits to find new security issues:

aikido-api-client scan <repository_id> <base_commit> <head_commit> [options]

Options:

• --branch <name> - Branch name being scanned
• --pr-title <title> - Pull request title
• --pr-url <url> - Pull request URL
• --fail-on-sast - Fail if SAST issues found
• --fail-on-iac - Fail if IaC issues found
• --fail-on-secrets - Fail if secrets found
• --minimum-severity <level> - Minimum severity (LOW, MEDIUM, HIGH, CRITICAL)
• --self-managed <scanners> - Comma-separated list of self-managed scanners

scan-release - Release Gating Scan

Check for open security issues before release:

aikido-api-client scan-release <repository_id> <head_commit> [options]

Options:

• --branch <name> - Branch name
• --base-branch <name> - Base branch to compare
• --fail-on-sast, --fail-on-iac, --fail-on-secrets - Fail on specific issue types
• --minimum-severity <level> - Minimum severity level

upload - Upload Custom Results

Upload results from external scanners:

aikido-api-client upload <repository_id> <payload_type> <payload_file> [options]

Payload Types: checkov, json-sbom

Options:

• --scan-id <id> - Associate with an existing scan
• --container-image <name> - Container image name

Public API Commands

auth - Configure OAuth2 Credentials

aikido-api-client auth <client_id> <client_secret>

workspace - Get Workspace Information

aikido-api-client workspace

repos - List Code Repositories

aikido-api-client repos [options]

Options:

• --page <n> - Page number (default: 0)
• --per-page <n> - Results per page (default: 20)
• --include-inactive - Include inactive repositories
• --filter-name <name> - Filter by repository name
• --filter-branch <branch> - Filter by branch name

issues - List Issue Groups

aikido-api-client issues [options]

Options:

• --page <n> - Page number (default: 0)
• --per-page <n> - Results per page (default: 20)
• --group-id <id> - Get details for a specific issue group

containers - List Containers

aikido-api-client containers [options]

Options:

• --page <n>, --per-page <n> - Pagination
• --container-id <id> - Get details for a specific container

domains - Manage Domains and APIs

# Create a new domain
aikido-api-client domains create <name> [--domain-type <type>] [--url <url>]

# Remove a domain
aikido-api-client domains remove <domain_id>

# Start a domain scan
aikido-api-client domains scan <domain_id>

teams - List Teams

aikido-api-client teams [--page <n>] [--per-page <n>]

users - List Users

aikido-api-client users [options]

Options:

• --page <n>, --per-page <n> - Pagination
• --user-id <id> - Get details for a specific user

compliance - Get Compliance Status

aikido-api-client compliance [framework]

Frameworks: soc2, iso27001, nis2, all (default)

reports - Access Reports

# Export PDF report
aikido-api-client reports pdf [--output <filename>]

# List CI scans
aikido-api-client reports ci-scans [--page <n>] [--per-page <n>]

# View activity log
aikido-api-client reports activity-log [--page <n>] [--per-page <n>]

clouds - List Connected Clouds

aikido-api-client clouds

Global Options

• -q, --quiet - Disable console output
• --debug - Enable debug output
• --plain-output - Disable colored output
• --apikey <key> - Use specific API key (overrides stored key)

Exit Codes

Code	Meaning
0	Success - scan passed or command completed
1	Error - API unavailable, invalid arguments, etc.
10	Gate failed - issues found that block the build

Library Usage

Add to your Cargo.toml:

[dependencies]
aikido-api-client = "2.0"
tokio = { version = "1", features = ["full"] }

CI API Example

use aikido_api_client::api::{AikidoClient, ScanOptions};

#[tokio::main]
async fn main() {
    let client = AikidoClient::new("AIK_CI_...");
    
    let options = ScanOptions {
        repository_id: "12345".to_string(),
        base_commit_id: Some("abc123".to_string()),
        head_commit_id: Some("def456".to_string()),
        // ... other options
    };
    
    let result = client.start_scan(options).await.unwrap();
    println!("Scan started: {}", result.scan_id);
}

Public API Example

use aikido_api_client::public_api::PublicApiClient;

#[tokio::main]
async fn main() {
    let mut client = PublicApiClient::new("client_id", "client_secret");
    
    // Get workspace info
    let workspace = client.get_workspace_info().await.unwrap();
    println!("Workspace: {}", workspace.name);
    
    // List repositories
    let repos = client.list_code_repositories(Default::default()).await.unwrap();
    for repo in repos {
        println!("Repo: {}", repo.name);
    }
}

Region Support

The client automatically detects your region from the API key prefix:

• AIK_CI_US_* - US region (app.us.aikido.dev)
• AIK_CI_ME_* - Middle East region (app.me.aikido.dev)
• Default - EU region (app.aikido.dev)

Configuration

Credentials are stored in ~/.config/aikido-api-client/config.toml:

[auth]
api_key = "AIK_CI_..."           # CI API key
client_id = "..."                 # OAuth2 client ID
client_secret = "..."             # OAuth2 client secret

CI/CD Integration Examples

GitHub Actions

- name: Run Aikido Scan
  env:
    AIKIDO_API_KEY: ${{ secrets.AIKIDO_API_KEY }}
  run: |
    aikido-api-client apikey $AIKIDO_API_KEY
    aikido-api-client scan ${{ github.repository_id }} \
      ${{ github.event.pull_request.base.sha }} \
      ${{ github.sha }}

Jenkins Pipeline

stage('Security Scan') {
    environment {
        AIKIDO_API_KEY = credentials('aikido-api-key')
    }
    steps {
        sh 'aikido-api-client apikey ${AIKIDO_API_KEY}'
        sh 'aikido-api-client scan ${REPO_ID} ${GIT_PREVIOUS_COMMIT} ${GIT_COMMIT}'
    }
}

GitLab CI

security_scan:
  script:
    - aikido-api-client apikey $AIKIDO_API_KEY
    - aikido-api-client scan $CI_PROJECT_ID $CI_MERGE_REQUEST_DIFF_BASE_SHA $CI_COMMIT_SHA
  only:
    - merge_requests

CircleCI

- run:
    name: Security Scan
    command: |
      aikido-api-client apikey $AIKIDO_API_KEY
      aikido-api-client scan $CIRCLE_PROJECT_REPONAME $CIRCLE_SHA1~1 $CIRCLE_SHA1

Examples

See the examples directory for complete working examples:

• ci_pipeline.rs - CI/CD pipeline integration
• release_gate.rs - Release gating workflow
• upload_sbom.rs - SBOM upload for container scanning
• public_api_client.rs - Public API usage
• compliance_check.rs - Compliance status checking

License

MIT License - See LICENSE for details.

Links

• Aikido Security
• CI API Documentation
• Public API Documentation
• TypeScript Version