Skip to content

Aikido Setup in 10 Minutes

Connect GitHub, scan first repository, and configure alerts. From signup to first risk report.

9 min · Beginner · 2 of 2

TL;DR

Sign up → connect GitHub → authorize repositories → Aikido scans → panel shows issues in 5 minutes. Free plan covers up to 10 repos. Works for Lovable project, internal app, any code.

Captura de tela
Aikido main panel with issues organized by severity
aikido.dev
1
Critical
2
High / Medium
3
Low / Info
4
Issue list
5
AutoTriage
Abrir ↗
  1. 1 Critical — mandatory fix today — real exploitable risk
  2. 2 High / Medium — plan for this week / next sprint
  3. 3 Low / Info — hygiene, no urgency
  4. 4 Issue list — each item has file, line, suggested fix, CVE
  5. 5 AutoTriage — AI filters false positives before you see them
Panel after the first scan. Issues organized by severity — always start with Critical. · fonte: aikido.dev

Why do this NOW

Each project you create with Lovable, each repository your team pushes, is an attack surface. Without a dedicated tool:

  • Libraries with known flaws stay invisible
  • Forgotten API key in old commits stays alive
  • Open cloud configuration goes unnoticed
  • New vulnerability appears in your dependency, no one warns you

Aikido solves with one free subscription what would cost 5 separate paid tools.

Prerequisites

  1. GitHub account (or GitLab/Bitbucket) with at least 1 repository
  2. 5 minutes without interruption
  3. Corporate email account (optional, for alerts)

Step by step

1 · Sign up for Aikido

  1. Go to aikido.devStart free
  2. Use Google or Microsoft login (faster)
  3. Confirm email if prompted
  4. On first access, fill in: company name, team (size), your role

Aikido takes you to the initial panel with 1 prominent button: Connect your code.

2 · Connect GitHub (or other Git)

  1. Click Connect next to GitHub
  2. Window opens: GitHub OAuth → authorize
  3. Choose:
    • All repositories (recommended if it’s your personal org)
    • Selected repositories (recommended for company with many repos)
  4. Select at least 1 repo (ideally the Lovable project or main app)
  5. Confirm

Aikido starts scanning automatically. Takes 3-5 minutes per repo.

3 · Wait for the first report

While it runs, you can:

  • Add more team members (Settings → Team → Invite)
  • Connect Slack for alerts (Integrations → Slack)
  • Add cloud account (Integrations → AWS / GCP / Azure)

4 · Read the first panel

When it finishes, the panel shows issue cards by severity:

CRITICAL: 2    HIGH: 7    MEDIUM: 15    LOW: 31

Start with Critical and High. Ignore Medium/Low on the first pass.

Each issue has:

  • Title — what it is
  • File + line — where it is
  • Explanation — why it’s a problem
  • Suggested fix — how to resolve (usually version upgrade or function swap)
  • CVE reference — link to public vulnerability

5 · Resolve 1 Critical issue today

Pick the first Critical. Usually it’s one of these:

  • Vulnerable dependency: you’re using lib xyz@1.2.3 which has known RCE. Fix: npm install xyz@1.2.8 (patched version).
  • Secret exposed in old commit: API key still in Git logs. Fix: rotate the key immediately (the key remains valid even if you delete the commit).
  • SQL injection in endpoint: query using concatenation. Fix: parameterize.

Aikido suggests the exact fix. If you use Claude Code:

“Apply the suggested fix for this Aikido issue.”

In 2 minutes the PR is ready.

6 · Configure smart alerts

Go to Settings → Notifications:

  1. Email: enable for Critical and High
  2. Slack: connect your workspace → choose #security channel (creates if missing)
  3. AutoTriage: keep on (filters false positives before reaching you)

From now on, you only get pinged when it matters.

7 · Connect cloud (if you have one)

If you use AWS, GCP or Azure:

  1. Integrations → AWS (or another)
  2. Follow the step-by-step to create read-only IAM role
  3. Aikido scans: public S3 buckets, open security groups, excessive IAM, etc.

For Lovable project (which uses Supabase under the hood):

  • Connect Supabase in Integrations
  • Aikido will check RLS, exposed tables, weak policies

What to expect in the first 30 days

WeekActivity
1Initial scan, discovery of the first 10-30 issues
2Resolve Criticals, configure AutoTriage, adjust rules
3Connect cloud + container scanning
4Steady state: 0-2 Criticals in queue, alerts only when relevant

A small company typically exits month 1 with security posture 10x better than before.

Pitfalls

  • Rotate, don’t delete. If Aikido finds an API key in an old commit, just deleting the commit doesn’t solve it — the key remains valid in history. Rotate at the original tool (Stripe, OpenAI, etc) first.
  • Don’t ignore by habit. Becomes a giant queue no one opens. Make a rule: every Critical becomes a card in Linear/Jira within 24h.
  • DAST in production causes load. Scanning live app can trigger monitoring alarms. Configure low-demand window.
  • Compliance isn’t just Aikido. For LGPD, PCI, HIPAA — human audit is still required. Aikido reduces noise, doesn’t replace auditor.
  • AutoTriage isn’t perfect. Periodically review what it suppressed. Can miscalibrate.

What the free plan covers

Honestly, plenty to start:

  • 10 repositories
  • SAST + SCA + secrets on all of them
  • 1 cloud account
  • Unlimited container scanning
  • Email + Slack alerts
  • AutoTriage with AI

When you exceed (10+ repos, larger team, compliance): paid plans start at US$ 350/month.

For a specific Lovable project

Ideal coverage:

Lovable project
├── Code (syncs with GitHub) → Aikido SAST + SCA + Secrets ✓
├── Supabase backend → Aikido CSPM + database scan ✓
├── Vercel deploy → Aikido DAST against public URL ✓
└── Custom domain → Aikido SSL/headers scan ✓

3 integrations in Aikido = 360° coverage.

Next step

You finished the full foundation track. Next paths:

Or contribute: content is on GitHub.

Entrega da lição
12 min

Tarefa

Create an Aikido account (Free). Connect 1 of your repositories via GitHub/GitLab. Wait for the first scan to finish. Take a screenshot of the first issue found (Critical/High if any, or Medium).

Como saber que entregou

Screenshot shows Aikido panel with issue list — at least 1 issue visible with severity indicated (Critical/High/Medium/Low) and the affected file name.

Auto-validável · você sabe se entregou
Compartilhar resultado ↗
Fontes oficiais