Overview

The Aikido Security integration syncs vulnerability and repository-scanning data from Aikido into Matproof, so the security findings your scanner produces become evidence for compliance controls — without copy-pasting CSVs every quarter.

Aikido covers SAST, SCA (dependency vulnerabilities), IaC scanning, container scanning, surface monitoring, secrets scanning, and license compliance. Matproof ingests the issues Aikido finds and routes them to the unified Findings view, where they’re tracked through to closure alongside findings from internal audits, pen tests, the device agent, and elsewhere.

Evidence ingested:
  • Open security issues by severity (informational, low, medium, high, critical)
  • Repository scan activity (which repos scanned, when last scanned)
  • Stale-scan detection (repos not scanned in 7+ days)
  • Issue-count thresholds (configurable — fail the check if open issues exceed your threshold)
  • Severity-breakdown summaries

Prerequisites

  • Aikido Security workspace with at least one repository or asset configured
  • Aikido API credentials (Client ID + Client Secret)
  • Matproof Admin or Owner role

Connecting Aikido

1. Generate API credentials in Aikido

In Aikido Security: Settings → API → Create API client. Issue a client with the read scope on Issues and Repositories. Copy the Client ID and Client Secret — Aikido shows the secret only once.

2. Add credentials to Matproof

In Matproof: Settings → Integrations → Aikido Security → Connect. Paste the Client ID and Client Secret. Matproof tests the connection and runs the first scan.

3. Configure check thresholds

Open Integrations → Aikido → Configure and set the thresholds Matproof uses to evaluate your security posture:

| Setting | What it does |
| --- | --- |
| Minimum severity to fail on | Issues at this severity or higher cause the check to fail (low / medium / high / critical) |
| Maximum allowed open issues | If total open issues exceed this number, the check fails regardless of severity |
| Repository filter | Restrict to specific repos; leave empty for all repos |
| Include snoozed issues | Whether snoozed (deferred) issues count against the threshold |

4. Verify it works

Click Run on any Aikido check in the integration view. You should see a recent run with passing or failing evidence within seconds. If a check fails with HTTP 401: Unauthorized, verify the Client ID and Client Secret and confirm the read scope is enabled.

What gets mapped to which controls

| Evidence Collected | Control Examples |
| --- | --- |
| Open critical/high CVEs below threshold | Vulnerability management (ISO 27001 A.8.8, SOC 2 CC7.1, NIS 2 Article 21) |
| Repositories scanned within last 7 days | Secure SDLC / change management evidence |
| Stale scans surfaced as findings | Vulnerability management process effectiveness |
| Severity-tier breakdown | Risk-based vulnerability prioritization (ISO 27001 A.5.12) |
| Snooze rationale (when included) | Risk-acceptance documentation |

Aikido findings in the unified Findings view

Every issue Aikido reports becomes a finding in Matproof’s unified Findings view, tagged with source = aikido. From there:
  • Triage, assign owners, set due dates as you would any other finding
  • Convert high-severity issues to Corrective Actions for tracked remediation
  • Mark closed when Aikido shows the issue resolved on its next sync — or override manually with attached evidence
This means your weekly findings review covers Aikido’s output alongside internal audit findings, pen-test results, and device-agent CVEs — one queue, one taxonomy.

Common issues

HTTP 401: Unauthorized on every check

Most often the credentials don’t have the read scope on the right resources. Re-issue the API client in Aikido with Issues: read and Repositories: read explicitly granted, and update the credentials in Matproof.

“Stale scan” check fails right after connecting

The 7-day staleness window starts when Aikido first scans a repo, not when Matproof connects. If you connected Aikido and added repos in the same week, all repos may show as “never scanned” for the first day or two. Trigger manual scans in Aikido or wait for the scheduled scans to complete.

Issue count differs between Matproof and Aikido dashboard

Matproof’s threshold check filters by your configured minimum severity and (optionally) excludes snoozed issues. The Aikido dashboard shows everything. Check your Matproof configuration under Integrations → Aikido → Configure — adjusting minimum severity to “informational” makes the counts match.
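
The threshold settings from the Configure step can be modelled in a few lines to show why the two counts diverge. This is an added example, not Matproof's or Aikido's code: the record fields, the `evaluate` function, the default values, and the assumption that the maximum-open-issues count is taken after the repository and snooze filters are all illustrative.

```python
from dataclasses import dataclass

# Severity order as listed on this page, lowest to highest.
SEVERITIES = ["informational", "low", "medium", "high", "critical"]

@dataclass
class Issue:            # hypothetical record shape, not Aikido's API schema
    repo: str
    severity: str
    snoozed: bool = False

@dataclass
class CheckConfig:      # mirrors the four settings in the Configure step
    min_severity: str = "high"       # assumed default, for illustration
    max_open_issues: int = 50        # assumed default, for illustration
    repo_filter: tuple = ()          # empty means all repos
    include_snoozed: bool = False

def evaluate(issues, cfg):
    """Return (passed, in_scope_count, at_or_above_count, reasons)."""
    rank = SEVERITIES.index
    in_scope = [
        i for i in issues
        if (not cfg.repo_filter or i.repo in cfg.repo_filter)
        and (cfg.include_snoozed or not i.snoozed)
    ]
    at_or_above = [i for i in in_scope if rank(i.severity) >= rank(cfg.min_severity)]
    reasons = []
    if at_or_above:
        reasons.append(f"{len(at_or_above)} issue(s) at {cfg.min_severity} or higher")
    if len(in_scope) > cfg.max_open_issues:
        reasons.append(f"{len(in_scope)} open issues exceed {cfg.max_open_issues}")
    return (not reasons, len(in_scope), len(at_or_above), reasons)

# Constructed sample data: the dashboard-style total is len(SAMPLE) == 5.
SAMPLE = [
    Issue("api", "critical", snoozed=True),
    Issue("api", "medium"),
    Issue("web", "low"),
    Issue("web", "informational"),
    Issue("infra", "high"),
]
```

With the sample data, a snoozed critical issue is invisible to the check unless snoozed issues are included, which is the kind of gap to look for when the numbers disagree.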

Disconnecting

Go to Settings → Integrations → Aikido Security → Disconnect. The encrypted credentials are purged from Matproof. In Aikido: also revoke the API client from Settings → API → [client] → Revoke to fully cut access on the Aikido side. Previously ingested findings remain in Matproof’s Findings view (so historical audit context is preserved). Future Aikido scans won’t sync until you reconnect.

References

  • Findings: Where Aikido-ingested issues land
  • Corrective Actions: Track remediation of high-severity findings to closure