Aikido Code Audit

Original link: https://www.aikido.dev/blog/introducing-code-audit-find-complex-vulnerabilities-hidden-in-your-codebase

As AI-driven attacks grow more sophisticated, traditional static application security testing (SAST) tools and manual penetration tests struggle with complex, multi-step logic vulnerabilities. Aikido has introduced **Code Audit** to fill that gap. Unlike pattern-based scanners, Code Audit uses agentic reasoning to analyze a static codebase. It follows logic across files and modules to uncover deep issues (such as multi-step IDOR chains or flaws in admin-only routes) without a live environment or valid credentials. This lets developers test targets that were previously hard to cover, such as mobile apps, smart contracts, and legacy systems, with very little friction. Code Audit is designed for use before a major release; it provides root-cause analysis and an immediate AutoFix pull request (PR) so developers can fix the vulnerability while they still have full context. Internal benchmarks show that Code Audit catches 70% to 80% of what a full penetration test finds, at a fraction of the cost. By moving discovery forward to the production-readiness stage, Aikido helps teams secure their applications before defects are exploited by attackers.

Hacker News thread: Aikido Code Audit (aikido.dev), 10 points, posted by ilreb 1 hour ago, 3 comments

shireboy, 5 minutes ago:
We've been using Aikido's code scanning and pentesting tools and have been very impressed. Will have to check this out.

Shanyao, 7 minutes ago:
Looks like a solid bridge between static application security testing (SAST) and manual review. I'll look into it.

_def, 35 minutes ago:
This is marketed as a defensive tool, but how do you prove it is checking against "your" source code?

Original article

TL;DR: Aikido Code Audit fills the gap between SAST and pentesting by reasoning through your static codebases to surface multi-step, intent-dependent vulnerabilities before they ship. 

Last week Anthropic released Claude Fable 5, a public version of their Mythos-class model, which was able to discover and chain zero-day exploits. Fable 5 ships with guardrails that block cybersecurity queries and fall back to a more limited model, so the public version doesn't run those attacks for you.

At least that was the idea.

But it appears one or more organizations have successfully jailbroken Fable 5, causing Anthropic to withdraw the model under pressure from the US government. The thing is, you can't put the genie back in the bottle. Whether through jailbreaks or open source, attackers will gain access to increasingly capable models.

The direction is set. The skill and time it used to take to find and chain flaws across an application are collapsing into something an agent does without hours or days of human effort. This is particularly true for logic-based flaws not covered by existing static code analysis engines. These classes of flaws don't follow predictable patterns, so static analysis has nothing to match against.

But defenders can stay ahead by using the same agentic models to find security flaws in their codebases before they reach production. That's why we built Aikido Code Audit.

What Code Audit actually does

Code Audit is not a replacement for your SAST engine, which is great at finding rules-based security vulnerabilities as you develop. It's also not a replacement for pentests. It sits between the two, working on your static code, with pentest-grade reasoning. 

Reach for Code Audit before a significant release or after a major feature lands. It follows references across files and modules. It surfaces multi-step issues where no single line is the vulnerability. Each finding comes back with root cause, code-based evidence, and an AutoFix that lets you instantly generate a PR to resolve the issue. 

In practice, this looks like:

A multi-step IDOR chain across three files that a pattern-based scanner would never connect, because no individual line triggers a rule. Code Audit traces the user-supplied identifier from the request handler through the intermediate layers, identifies where the authorization check is missing in context, and surfaces the full exploit path.
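As an added illustration (not code from the Aikido post or product), here is the shape of the chain described above in Python: three layers that would normally live in three files, each line of which is unremarkable on its own, next to the same path with the ownership check pushed down into the query. The layer names, the in-memory store standing in for a database, and the invoice fixture are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    total_cents: int


# --- "repositories.py": data access -------------------------------------
class InvoiceRepository:
    def __init__(self, rows):
        self._rows = {row.id: row for row in rows}

    def by_id(self, invoice_id: int) -> Optional[Invoice]:
        # Lookup by primary key only. Nothing on this line matches a rule.
        return self._rows.get(invoice_id)

    def by_id_for_owner(self, invoice_id: int, owner_id: int) -> Optional[Invoice]:
        # Hardened lookup: ownership is part of the key (the SQL equivalent is
        # WHERE id = ? AND owner_id = ?), so no caller can widen the result.
        row = self._rows.get(invoice_id)
        if row is None or row.owner_id != owner_id:
            return None
        return row


# --- "services.py": business logic --------------------------------------
class InvoiceService:
    def __init__(self, repo: InvoiceRepository):
        self._repo = repo

    def fetch(self, invoice_id: int) -> Optional[Invoice]:
        # Passes the caller-supplied id straight through: the service assumes
        # authorization happened upstream, the handler assumes it happens here.
        return self._repo.by_id(invoice_id)

    def fetch_for(self, invoice_id: int, requester_id: int) -> Optional[Invoice]:
        return self._repo.by_id_for_owner(invoice_id, requester_id)


# --- "handlers.py": the route --------------------------------------------
def _respond(invoice: Optional[Invoice]) -> dict:
    if invoice is None:
        return {"status": 404}
    return {"status": 200,
            "body": {"id": invoice.id, "total_cents": invoice.total_cents}}


def get_invoice_vulnerable(session_user_id: Optional[int], invoice_id: int,
                           service: InvoiceService) -> dict:
    # Authentication is checked, authorization is not: any logged-in user can
    # read any invoice by changing the id in the URL. No single line here is
    # the bug; the bug is the ownership check missing from all three layers.
    if session_user_id is None:
        return {"status": 401}
    return _respond(service.fetch(invoice_id))


def get_invoice_hardened(session_user_id: Optional[int], invoice_id: int,
                         service: InvoiceService) -> dict:
    if session_user_id is None:
        return {"status": 401}
    # The requester's identity travels with the query down to the repository.
    return _respond(service.fetch_for(invoice_id, session_user_id))


# Constructed fixture: invoice 20 belongs to user 2, but user 1 asks for it.
SERVICE = InvoiceService(InvoiceRepository([
    Invoice(id=10, owner_id=1, total_cents=1999),
    Invoice(id=20, owner_id=2, total_cents=250000),
]))

if __name__ == "__main__":
    print(get_invoice_vulnerable(1, 20, SERVICE))  # leaks user 2's invoice
    print(get_invoice_hardened(1, 20, SERVICE))    # 404 for the attacker
    print(get_invoice_hardened(2, 20, SERVICE))    # the owner still sees it
```

The fix lives in the repository rather than the handler on purpose: a check bolted onto one route is forgotten by the next route that calls the same service, whereas a query keyed on (id, owner) cannot return another user's row no matter who calls it.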

The same concept applies to other vulnerabilities that are awkward to reach with a live test, such as a ReDoS pattern identified from source without live exploitation, or an admin-only route that's never been exercised by a live pentest because no one had valid credentials. I'm sure you can think of other examples.
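An added example (not from the original post or Aikido's engine) of identifying a ReDoS-prone pattern from source alone. It walks CPython's regex parse tree (the private re._parser module, or sre_parse on interpreters before 3.11) and flags an unbounded quantifier nested inside another unbounded quantifier, the shape behind catastrophic backtracking, then runs that check over the regex literals found in a constructed Python source snippet using the ast module. The sample source and the nested-quantifier heuristic are assumptions for illustration; the heuristic over-approximates (it also flags nested repeats whose bodies cannot overlap), and nothing is ever executed against the pattern.

```python
import ast
import re

try:                                   # Python 3.11+: parser lives under re._parser
    from re import _parser as sre_parse
    from re import _constants as sre_constants
except ImportError:                    # Python < 3.11
    import sre_parse
    import sre_constants


def _nested_unbounded(sub, inside_unbounded: bool) -> bool:
    """True if an unbounded repeat (+ or *) sits inside another unbounded repeat."""
    for op, av in sub:
        if op in (sre_constants.MAX_REPEAT, sre_constants.MIN_REPEAT):
            _lo, hi, body = av
            unbounded = hi == sre_constants.MAXREPEAT
            if unbounded and inside_unbounded:
                return True
            if _nested_unbounded(body, inside_unbounded or unbounded):
                return True
        elif op == sre_constants.SUBPATTERN:       # (...) group; body is the last item
            if _nested_unbounded(av[-1], inside_unbounded):
                return True
        elif op == sre_constants.BRANCH:           # a|b; av is (None, [alternatives])
            if any(_nested_unbounded(alt, inside_unbounded) for alt in av[1]):
                return True
    return False


def has_nested_quantifier(pattern: str) -> bool:
    """Static heuristic: nested unbounded quantifiers such as (a+)+ or (\\w+\\s?)*."""
    return _nested_unbounded(sre_parse.parse(pattern), False)


def find_redos_candidates(source: str) -> list:
    """Scan Python source for re.<fn>("literal", ...) calls whose pattern has a
    nested unbounded quantifier. Returns sorted (line, pattern) pairs."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "re"
                and node.args
                and isinstance(node.args[0], ast.Constant)
                and isinstance(node.args[0].value, str)):
            continue
        pattern = node.args[0].value
        try:
            if has_nested_quantifier(pattern):
                hits.append((node.lineno, pattern))
        except re.error:                           # not a valid regex; skip it
            continue
    return sorted(hits)


# Constructed source snippet standing in for a file under audit.
SAMPLE_SOURCE = r'''
import re
EMAIL = re.compile(r"^[\w.+-]+@[\w-]+\.[\w.]+$")
NAME = re.compile(r"^(\w+\s?)*$")
IPV4 = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")
def is_aaa(s):
    return re.match(r"^(a+)+$", s)
'''

if __name__ == "__main__":
    for line, pattern in find_redos_candidates(SAMPLE_SOURCE):
        print(f"line {line}: nested unbounded quantifier in {pattern!r}")
```

The EMAIL and IPV4 patterns pass because every repeat either sits at the top level or has a bounded outer counter; NAME and the pattern in is_aaa are flagged because an unbounded repeat is wrapped in another one, which is exactly the case a live fuzzer would need a long crafted input and a timeout to confirm.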

Because Code Audit works on your source code, you don't need an active staging environment or to create auth credentials. Just connect your codebase and start an audit. If the code exists in source, it's in scope: multiple repos, feature-flagged paths, undeployed changes, and admin routes that live tests can't safely touch.

It's not limited to your web app

Because Code Audit reasons through static source rather than probing a live environment, it isn't constrained by SAST rule coverage or by the platform your code runs on.

That means you can test:

  • Mobile apps, where there's no URL to access and no easy way to exercise code paths against a live build.
  • Smart contracts, where you actively don't want to run exploit attempts against a deployed contract with real value locked in it.
  • Legacy codebases in languages with thin SAST coverage.

Benchmarking

Based on our internal testing and early users, Code Audit covers roughly 70-80% of what a full pentest engagement surfaces, at around 10x lower cost. Early users have found ~25 security issues per codebase (median), with 0 audits coming back clean.


But the number of issues found is secondary to the timing. Finding a vulnerability before release costs only a code change while the developer is still context-aware. Finding it after it reaches production likely costs a remediation cycle and pulling a developer off another project to fix it. Code Audit moves discovery to the moment before the code ships, when the developer who worked on it still has full context and the fix is straightforward.

How to get started

From your Aikido account, select Code Audit from the menu and click Create Audit. From there you select one or more repositories and Aikido estimates the cost in credits. Add credits to your account and start the audit. Setup takes only a few minutes, and audits take as little as 5 minutes, depending on your codebase's size and complexity.

Run your first Code Audit.
