How to Integrate Lovable with Aikido

Start by navigating to your workspace settings. In the Lovable editor, click the settings gear icon in the top-right corner of the screen — this opens your workspace settings panel. From there, look for the 'Connectors' section in the left-hand sidebar. Click it to expand the connectors view, then click 'Shared connectors'. This is the hub for all 17 of Lovable's native runtime connectors, including Aikido. You'll see a grid of available connectors. Shared connectors are workspace-level, meaning once you connect Aikido here, every project you build in this workspace can use it — you won't need to repeat this setup per project. Scroll through the list until you find the Aikido card. It will show the Aikido logo and a short description of its capabilities. If a connector is already active, it will show a green 'Connected' badge; if not, it will show a 'Connect' button. At this stage, Aikido should show as not yet connected.

Click the 'Connect' button on the Aikido card. Lovable will open a connection dialog that either redirects you to an OAuth flow on aikido.dev, or asks you to paste in an API key — depending on how Aikido's connector is configured. For OAuth: a browser tab will open to aikido.dev. Log in to your Aikido account if you aren't already, then click 'Authorize' to grant Lovable read/write access to your Aikido workspace. The tab will close automatically and Lovable will show a success confirmation. For API key flow: navigate to your Aikido workspace settings at app.aikido.dev, find the API section, generate a new API key, copy it, then paste it into the Lovable connection dialog and click 'Save'. Critically, you should never paste your Aikido API key directly into the Lovable chat prompt. On free-tier Lovable workspaces, chat history is visible to Lovable's team, and pasted keys can be recovered from commit history. The connection dialog in Settings → Connectors uses Lovable's encrypted Secrets storage (the same Cloud → Secrets mechanism), so your Aikido credentials are isolated in the server-only red zone and never appear in your project's frontend code. Once connected, the Aikido card will update to show a green 'Connected' badge.

With Aikido connected, return to your project in the Lovable editor. Open the chat panel in the bottom-left and describe what you want Aikido to scan. You don't need to know Aikido's internal API structure — just describe the goal in plain English and Lovable's AI will use the connector context to build the right request. A good first scan is a general vulnerability audit of your entire application. Tell Lovable the URL of your deployed app (or the Lovable preview URL) and ask it to run a scan. Aikido will queue the scan on its servers and return findings asynchronously — depending on app complexity, this typically takes between 30 seconds and a few minutes. Lovable will surface the results in the chat panel once they arrive, formatted as a readable summary rather than a raw JSON payload. Each finding will include a severity rating (Critical, High, Medium, Low, or Info), a plain-language description of the vulnerability, the specific location in your code or configuration that triggered it, and a suggested remediation. For apps with sensitive user data or any payment flows, run both a general OWASP scan and a dependency audit to catch vulnerable npm packages. Aikido's dependency scanning checks every package in your package.json against the NVD (National Vulnerability Database), so you'll know immediately if a dependency has a known CVE.

Once you have scan results in the chat, you can ask Lovable's AI to fix issues directly — this is where the native connector advantage really shows. Because Lovable has Aikido connector context, it understands the scan output format and can map specific findings back to the right places in your codebase without you having to copy-paste error messages or explain what each finding means. For each Critical or High finding, ask Lovable to fix it. For example, if Aikido flags a missing Content-Security-Policy header, Lovable knows that fix lives in your Edge Function response headers or your index.html meta tags — it will locate the right file, apply the fix, and explain what was changed. If Aikido finds a vulnerable npm dependency, Lovable will update package.json, run the dependency resolution, and verify the updated version resolves the CVE. For RLS policy gaps flagged by Aikido (which can overlap with Lovable's built-in Security Scan), Lovable will generate the correct Supabase RLS policy SQL and explain what access it restricts. After applying fixes, re-run the Aikido scan to verify the issues are resolved. This confirm-fix-confirm loop is the most efficient way to work through a vulnerability report and is standard practice in professional security engineering. Most Lovable apps can get from 'initial scan' to 'all Critical and High issues resolved' in a single focused session.

A one-time scan is valuable, but the real benefit of Aikido is continuous monitoring — catching new vulnerabilities that emerge as you add features, change dependencies, or as new CVEs are discovered against packages you already use. Use Lovable to configure Aikido's automated scan schedule so your app is regularly checked without you having to remember to trigger it manually. In the Lovable chat, ask for a recurring scan configuration. Aikido supports scheduled scans (daily, weekly, or on every deployment) and can send alerts via email or Slack when new findings appear. If your workspace has the Slack connector active alongside Aikido, Lovable can wire up a notification workflow so your team receives a Slack message whenever a new High or Critical vulnerability is detected. This is particularly useful for founders who aren't logging into Lovable every day but still want to know if their live app develops a security gap. For teams building toward SOC 2 compliance (a common requirement when selling to enterprise customers), Aikido's audit trail — the history of scans, findings, and resolutions — serves as documented evidence that you perform regular security testing. Lovable's own SOC 2 Type II certification covers the platform itself; Aikido's continuous scanning covers your application layer. Together, they give you the security posture documentation that enterprise procurement teams look for.