Aikido Setup in 10 Minutes
Connect GitHub, scan first repository, and configure alerts. From signup to first risk report.
TL;DR
Sign up → connect GitHub → authorize repositories → Aikido scans → panel shows issues in 5 minutes. Free plan covers up to 10 repos. Works for Lovable project, internal app, any code.
- 1 Critical — mandatory fix today — real exploitable risk
- 2 High / Medium — plan for this week / next sprint
- 3 Low / Info — hygiene, no urgency
- 4 Issue list — each item has file, line, suggested fix, CVE
- 5 AutoTriage — AI filters false positives before you see them
Why do this NOW
Each project you create with Lovable, each repository your team pushes, is an attack surface. Without a dedicated tool:
- Libraries with known flaws stay invisible
- Forgotten API key in old commits stays alive
- Open cloud configuration goes unnoticed
- New vulnerability appears in your dependency, no one warns you
Aikido solves with one free subscription what would cost 5 separate paid tools.
Prerequisites
- GitHub account (or GitLab/Bitbucket) with at least 1 repository
- 5 minutes without interruption
- Corporate email account (optional, for alerts)
Step by step
1 · Sign up for Aikido
- Go to aikido.dev → Start free
- Use Google or Microsoft login (faster)
- Confirm email if prompted
- On first access, fill in: company name, team (size), your role
Aikido takes you to the initial panel with 1 prominent button: Connect your code.
2 · Connect GitHub (or other Git)
- Click Connect next to GitHub
- Window opens: GitHub OAuth → authorize
- Choose:
- All repositories (recommended if it’s your personal org)
- Selected repositories (recommended for company with many repos)
- Select at least 1 repo (ideally the Lovable project or main app)
- Confirm
Aikido starts scanning automatically. Takes 3-5 minutes per repo.
3 · Wait for the first report
While it runs, you can:
- Add more team members (Settings → Team → Invite)
- Connect Slack for alerts (Integrations → Slack)
- Add cloud account (Integrations → AWS / GCP / Azure)
4 · Read the first panel
When it finishes, the panel shows issue cards by severity:
CRITICAL: 2 HIGH: 7 MEDIUM: 15 LOW: 31
Start with Critical and High. Ignore Medium/Low on the first pass.
Each issue has:
- Title — what it is
- File + line — where it is
- Explanation — why it’s a problem
- Suggested fix — how to resolve (usually version upgrade or function swap)
- CVE reference — link to public vulnerability
5 · Resolve 1 Critical issue today
Pick the first Critical. Usually it’s one of these:
- Vulnerable dependency: you’re using lib
xyz@1.2.3which has known RCE. Fix:npm install xyz@1.2.8(patched version). - Secret exposed in old commit: API key still in Git logs. Fix: rotate the key immediately (the key remains valid even if you delete the commit).
- SQL injection in endpoint: query using concatenation. Fix: parameterize.
Aikido suggests the exact fix. If you use Claude Code:
“Apply the suggested fix for this Aikido issue.”
In 2 minutes the PR is ready.
6 · Configure smart alerts
Go to Settings → Notifications:
- Email: enable for Critical and High
- Slack: connect your workspace → choose
#securitychannel (creates if missing) - AutoTriage: keep on (filters false positives before reaching you)
From now on, you only get pinged when it matters.
7 · Connect cloud (if you have one)
If you use AWS, GCP or Azure:
- Integrations → AWS (or another)
- Follow the step-by-step to create read-only IAM role
- Aikido scans: public S3 buckets, open security groups, excessive IAM, etc.
For Lovable project (which uses Supabase under the hood):
- Connect Supabase in Integrations
- Aikido will check RLS, exposed tables, weak policies
What to expect in the first 30 days
| Week | Activity |
|---|---|
| 1 | Initial scan, discovery of the first 10-30 issues |
| 2 | Resolve Criticals, configure AutoTriage, adjust rules |
| 3 | Connect cloud + container scanning |
| 4 | Steady state: 0-2 Criticals in queue, alerts only when relevant |
A small company typically exits month 1 with security posture 10x better than before.
Pitfalls
- Rotate, don’t delete. If Aikido finds an API key in an old commit, just deleting the commit doesn’t solve it — the key remains valid in history. Rotate at the original tool (Stripe, OpenAI, etc) first.
- Don’t ignore by habit. Becomes a giant queue no one opens. Make a rule: every Critical becomes a card in Linear/Jira within 24h.
- DAST in production causes load. Scanning live app can trigger monitoring alarms. Configure low-demand window.
- Compliance isn’t just Aikido. For LGPD, PCI, HIPAA — human audit is still required. Aikido reduces noise, doesn’t replace auditor.
- AutoTriage isn’t perfect. Periodically review what it suppressed. Can miscalibrate.
What the free plan covers
Honestly, plenty to start:
- 10 repositories
- SAST + SCA + secrets on all of them
- 1 cloud account
- Unlimited container scanning
- Email + Slack alerts
- AutoTriage with AI
When you exceed (10+ repos, larger team, compliance): paid plans start at US$ 350/month.
For a specific Lovable project
Ideal coverage:
Lovable project
├── Code (syncs with GitHub) → Aikido SAST + SCA + Secrets ✓
├── Supabase backend → Aikido CSPM + database scan ✓
├── Vercel deploy → Aikido DAST against public URL ✓
└── Custom domain → Aikido SSL/headers scan ✓
3 integrations in Aikido = 360° coverage.
Next step
You finished the full foundation track. Next paths:
- Practical spreadsheet analysis — real application
- Advanced prompt engineering — techniques that double quality
- Build your first Skill — automate repetitive work
Or contribute: content is on GitHub.
Tarefa
Create an Aikido account (Free). Connect 1 of your repositories via GitHub/GitLab. Wait for the first scan to finish. Take a screenshot of the first issue found (Critical/High if any, or Medium).
Screenshot shows Aikido panel with issue list — at least 1 issue visible with severity indicated (Critical/High/Medium/Low) and the affected file name.