@aikidosec/mcp
Aikido MCP Server
A lightweight Model Context Protocol (MCP) server that exposes Aikido’s Code and Secrets Scan as a tool for AI coding agents and IDEs. It lets your agent scan code and returns machine-readable findings you can triage, fix or ignore.
Prerequisites
- Node.js 18.19.0 or newer
- An Aikido account (sign up)
Authentication
The MCP authenticates in one of two ways. You don’t need to pick up front — just add the server to your IDE (see below) and run any Aikido tool.
Browser sign-in (recommended)
If no token is configured, the first tool call returns a one-time set of sign-in links — one per Aikido region (EU / US / ME). Click the link that matches your account.
Environment variable (CI / headless)
For CI, containers, or any setup where opening a browser or using the keychain isn’t an option, generate a Personal Access Token in Settings → Integrations → MCP Server and pass it as AIKIDO_API_KEY, either in your MCP config’s env block (examples below) or as a system env var. When set, AIKIDO_API_KEY takes precedence over the cached browser token.
Add to your IDE or agent
Below are example configurations. They use the browser sign-in flow. To use AIKIDO_API_KEY instead, add an env block to any of them — see Using AIKIDO_API_KEY.
Cursor
Go to Settings > Cursor Settings > MCP & Integrations > New MCP server
Add the following configuration to your Cursor ~/.cursor/mcp.json file. See Cursor MCP docs for more info.
{
  "mcpServers": {
    "aikido": {
      "command": "npx",
      "args": ["-y", "@aikidosec/mcp"]
    }
  }
}
Windsurf
Add the following config to ~/.codeium/windsurf/mcp_config.json. See Windsurf MCP docs for more info.
{
  "mcpServers": {
    "aikido": {
      "command": "npx",
      "args": ["-y", "@aikidosec/mcp"]
    }
  }
}
VS Code
Open the VS Code Command Palette by using Ctrl+⇧Shift+P or ⌘Command+⇧Shift+P (macOS). Type MCP: Open User Configuration.
Add the following config to the MCP config file. See VS Code MCP docs for more info.
{
  "servers": {
    "aikido": {
      "command": "npx",
      "args": ["-y", "@aikidosec/mcp"]
    }
  }
}
Using AIKIDO_API_KEY
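To use a pre-generated token instead of the browser sign-in flow, add an env block to the aikido entry in any of the configs above. The example uses the mcpServers key from the Cursor and Windsurf configs; in VS Code the same entry sits under servers: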
{
  "mcpServers": {
    "aikido": {
      "command": "npx",
      "args": ["-y", "@aikidosec/mcp"],
      "env": {
        "AIKIDO_API_KEY": "your-api-key-here"
      }
    }
  }
}
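A check a team might run over these config files before sharing or committing them, as an added example that is not part of the Aikido project: it flags a literal AIKIDO_API_KEY in an env block, a leftover placeholder (which, because the variable takes precedence, would be used instead of the cached browser token), and group- or world-accessible permissions on a file that holds a literal token. The function name, finding labels and sample token are assumptions made for illustration.

```javascript
// Added example, not from the @aikidosec/mcp project. Function name, finding
// labels and the sample token are hypothetical.
const PLACEHOLDER = "your-api-key-here"; // placeholder string from the README

// jsonText: contents of an MCP config file.
// fileMode: POSIX mode bits (e.g. fs.statSync(path).mode), or null if unknown.
// Returns an array of "<server>: <finding>" strings.
function auditMcpConfig(jsonText, fileMode = null) {
  let config;
  try {
    config = JSON.parse(jsonText);
  } catch {
    return ["(file): invalid-json"];
  }
  if (config === null || typeof config !== "object") return ["(file): invalid-json"];
  // Cursor and Windsurf use "mcpServers"; VS Code uses "servers".
  const servers = { ...(config.mcpServers || {}), ...(config.servers || {}) };
  const findings = [];
  for (const [name, entry] of Object.entries(servers)) {
    const env = entry && typeof entry.env === "object" && entry.env ? entry.env : {};
    if (!("AIKIDO_API_KEY" in env)) continue; // browser sign-in or system env var
    const value = env.AIKIDO_API_KEY;
    if (typeof value !== "string" || value.trim() === "") {
      findings.push(`${name}: empty-token`);
    } else if (value === PLACEHOLDER) {
      // A set AIKIDO_API_KEY takes precedence over the cached browser token,
      // so a leftover placeholder shadows an otherwise working sign-in.
      findings.push(`${name}: placeholder-token`);
    } else if (!value.startsWith("${")) {
      // Assumption: a "${...}" value is a client-side variable reference,
      // not a literal secret; anything else is a token stored in the file.
      findings.push(`${name}: inline-token`);
      if (fileMode !== null && (fileMode & 0o077) !== 0) {
        findings.push(`${name}: group-or-world-accessible`);
      }
    }
  }
  return findings;
}

// Constructed sample configs (the token value is made up).
const cursorSample = JSON.stringify({ mcpServers: { aikido: {
  command: "npx", args: ["-y", "@aikidosec/mcp"],
  env: { AIKIDO_API_KEY: "CONSTRUCTED-TOKEN-123" } } } });
const vscodeSample = JSON.stringify({ servers: { aikido: {
  command: "npx", args: ["-y", "@aikidosec/mcp"],
  env: { AIKIDO_API_KEY: PLACEHOLDER } } } });

console.log(auditMcpConfig(cursorSample, 0o100644)); // file mode rw-r--r--
console.log(auditMcpConfig(vscodeSample, 0o100600)); // file mode rw-------
```

To run it against real files, read each config with fs.readFileSync and pass fs.statSync(path).mode as the second argument; the permission check is only meaningful on POSIX systems.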