Saying that you’ll “shift left” is easy; it makes sense. After all, it’s obvious that preventing issues from happening should shift as far left as the IDE. Resolving issues at that stage gives you the best chance of being more secure. But before resolving an issue, you need to find it.
Aikido has an IDE integration for reporting SAST findings immediately. When you enter vulnerable code in the IDE, Aikido’s plugin can detect it for you, as shown below.
But there is an important difference between SAST findings and AutoTriage findings. Besides offering a complete cybersecurity stack (as opposed to one solution in the stack), one of Aikido’s main unique selling points is noise reduction. When Aikido reports something, there is a fairly high chance that it is actually exploitable.
Aikido reduces noise for SAST findings in two ways: it automatically ignores findings in certain test files, and it carefully tunes the hardcoded detection patterns to avoid too many false positives. Behind this sits a whole set of internal tooling dedicated to cutting the false positives that developers hate so much, and it lowers the false positive rate significantly. An additional bazooka in the toolbox is AutoTriage: the ability to send the code to an LLM that understands more of the context around it, so that even more false positives can be filtered away.
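The paragraph above describes two filtering stages: dropping findings that live in test code, and handing the surviving findings to a context-aware triage step together with the code around the flagged line rather than the single matched line. The Python below is an added illustration of that pipeline and is not Aikido's code; the findings, file paths, rule ids, the test-directory heuristic and the context radius are all constructed assumptions for the example.

```python
"""Noise-reduction and triage-context pipeline over SAST findings.

Added illustration, not Aikido's code: the findings, paths and rule ids
below are constructed sample data, and the test-directory heuristic and
the context radius are assumptions made for this example.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath

# Directory names treated as test code (assumption for the example).
TEST_DIR_NAMES = {"test", "tests", "__tests__", "spec", "fixtures"}


@dataclass(frozen=True)
class Finding:
    rule_id: str  # detector rule that fired
    path: str     # repo-relative POSIX path of the flagged file
    line: int     # 1-based line number of the flagged code


def is_test_file(path: str) -> bool:
    """True if a parent directory or the file name looks like test code."""
    p = PurePosixPath(path)
    if any(part.lower() in TEST_DIR_NAMES for part in p.parts[:-1]):
        return True
    name = p.name.lower()
    return name.startswith("test_") or any(m in name for m in ("_test.", ".test.", ".spec."))


def reduce_noise(findings: list[Finding], skip_tests: bool = True) -> list[Finding]:
    """Drop findings located in test code; everything else is kept for triage."""
    if not skip_tests:
        return list(findings)
    return [f for f in findings if not is_test_file(f.path)]


def build_triage_context(source: str, line: int, radius: int = 3) -> str:
    """Return the flagged line plus `radius` lines on either side, numbered,
    with the flagged line marked. This is the snippet a context-aware triage
    step (such as an LLM reviewer) receives instead of the single matched line."""
    lines = source.splitlines()
    start = max(1, line - radius)
    end = min(len(lines), line + radius)
    out = []
    for n in range(start, end + 1):
        marker = ">>" if n == line else "  "
        out.append(f"{marker} {n:4d}: {lines[n - 1]}")
    return "\n".join(out)


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("sql-injection", "app/db/users.py", 12),
    Finding("sql-injection", "tests/test_users.py", 40),
    Finding("hardcoded-secret", "app/config.py", 7),
    Finding("hardcoded-secret", "src/__tests__/config.test.js", 3),
]

# Constructed source file; line 12 builds a query by string concatenation,
# which is what the constructed "sql-injection" finding above points at.
SAMPLE_SOURCE = """\
import sqlite3


def connect():
    return sqlite3.connect("app.db")


def find_user(username):
    conn = connect()
    cur = conn.cursor()
    # flagged: untrusted input concatenated into the query
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
    return cur.fetchone()
"""


if __name__ == "__main__":
    kept = reduce_noise(SAMPLE_FINDINGS)
    print(f"{len(SAMPLE_FINDINGS)} findings, {len(kept)} kept after test-file filtering")
    for f in kept:
        print(f"\n[{f.rule_id}] {f.path}:{f.line}")
        if f.path == "app/db/users.py":
            print(build_triage_context(SAMPLE_SOURCE, f.line))
```

The test-file skip is a precision trade-off, so it is exposed as a flag rather than hardwired; the context builder clamps its window to the file boundaries, which matters for findings on the first or last lines of a file.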
It works as follows: when the SAST tool reports a finding, you can hover over the underlined code. Next, you can click “Assess impact with Aikido AI”. This will call AutoTriage in the background.
A few seconds later, you will get a message like the one shown below. In this case, it is a confirmation that the SAST finding is a true positive and you should fix it before creating a pull request.
This feature should help developers understand potential vulnerabilities even earlier. By moving that responsibility earlier in the development process, a lot of overhead further down the line is avoided.