ShipSafe


Replit Agent Security Guide: What It Misses and How to Fix It

Replit Agent builds and deploys full apps in minutes. But it consistently skips auth middleware, hardcodes secrets, and leaves debug endpoints live. Here's the complete fix guide.

Replit Agent is one of the most ambitious AI coding tools available. Tell it what you want, and it builds, configures, and deploys a complete app — frontend, backend, database, and hosting — all inside Replit. For speed-to-deploy, nothing else comes close.

But that speed comes with a tradeoff. Replit Agent optimizes for getting your app running, not for keeping it secure. The patterns it generates work in development but create real attack surfaces in production. We scanned Agent-built projects with ShipSafe and found five recurring security gaps.

1. Missing Authentication Middleware

Replit Agent builds Express or Fastify backends with routes that handle data operations, but it often skips adding auth middleware. Your login page might exist and work, but the API routes behind it are open to anyone who sends a direct request.

The fix is straightforward: add an authentication middleware function that verifies the session or JWT token, then apply it to every route that handles user data. In Express this looks like wrapping your protected routes with a requireAuth middleware.

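// ✅ Add auth middleware to protected routes
const jwt = require("jsonwebtoken");

// Expects an "Authorization: Bearer <token>" header
function requireAuth(req, res, next) {
  const token = req.headers.authorization?.split(" ")[1];
  if (!token) return res.status(401).json({ error: "No token" });
  try {
    // Throws if the signature is invalid or the token has expired
    req.user = jwt.verify(token, process.env.JWT_SECRET);
    next();
  } catch {
    return res.status(401).json({ error: "Invalid token" });
  }
}

// Apply to all /api routes (app is your Express instance).
// Register this before the route handlers it should protect.
app.use("/api", requireAuth);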

2. Hardcoded Secrets in Source Code

Replit Agent frequently places API keys, database connection strings, and JWT secrets directly in source files. While Replit has a Secrets panel for environment variables, the Agent does not always use it. If your code is connected to GitHub, those secrets are now in your repository history — even if you delete them later.

Move every secret to environment variables. Use Replit's Secrets tab or a .env file (added to .gitignore). Then search your codebase for any string that looks like a key or connection string and replace it with process.env.YOUR_KEY.
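A heuristic version of that codebase search, as an added example (not ShipSafe's scanner and not code from the original article). The rule patterns, the function name `findHardcodedSecrets` and the sample source are assumptions constructed for illustration; it also flags `process.env.X || "literal"` fallbacks, which keep a hardcoded secret alive even after the move to environment variables.

```javascript
// Added example: line-based heuristic scan for hardcoded secrets in JS source text.
// The rules are illustrative assumptions and will miss or over-report some cases.
const SECRET_RULES = [
  { // scheme://user:password@host, i.e. a connection string with inline credentials
    id: "connection-string",
    re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp):\/\/[^\s:'"`\/]+:[^\s@'"`]+@[^\s'"`]+/i,
  },
  { // key-like identifier assigned a quoted literal of 8+ characters
    id: "secret-assignment",
    re: /\b[\w.]*(?:secret|api_?key|token|passw(?:or)?d)\w*\s*[:=]\s*["'`][^"'`\s]{8,}["'`]/i,
  },
  { // environment lookup that silently falls back to a literal
    id: "env-fallback",
    re: /process\.env\.\w+\s*(?:\|\||\?\?)\s*["'`][^"'`]+["'`]/,
  },
];

// Returns [{ file, line, rule }]. The matched value is deliberately not
// included, so scan output can be pasted into tickets or CI logs.
function findHardcodedSecrets(source, filename = "<input>") {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    const rule = SECRET_RULES.find((r) => r.re.test(text));
    if (rule) findings.push({ file: filename, line: i + 1, rule: rule.id });
  });
  return findings;
}

// Constructed sample input: none of these values are real credentials.
const SAMPLE = [
  'const express = require("express");',
  'const JWT_SECRET = "constructed-not-a-real-secret";',
  'const pool = new Pool({ connectionString: "postgres://app:examplepw@db.example.invalid:5432/app" });',
  'const apiKey = process.env.PAYMENT_API_KEY;',
  'const sessionSecret = process.env.SESSION_SECRET || "dev-fallback-value";',
  "app.listen(3000);",
].join("\n");

console.log(findHardcodedSecrets(SAMPLE, "server.js"));
```

Any value this flags in a file that was already pushed should be rotated as well as moved, because deleting it does not remove it from repository history.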

3. Debug Endpoints Left Live

Replit Agent often creates health check and debug routes during development — /debug, /health, /api/test — that return internal state like database connection info, environment variable names, or server configuration. These are helpful during development but dangerous in production.

Remove debug routes entirely before deploying, or gate them behind an admin-only authentication check. Never expose server internals on any public endpoint.

4. Permissive CORS Configuration

To get things working quickly, Replit Agent often sets CORS to accept all origins: cors({ origin: '*' }). This means any website can make authenticated requests to your API if the user has an active session. Lock your CORS configuration to only allow your own frontend domain.

5. No Input Sanitization on Database Queries

Replit Agent sometimes constructs database queries using string interpolation with user input, which opens the door to SQL injection. Always use parameterized queries or an ORM that handles escaping automatically.

// ❌ String interpolation — SQL injection risk
const result = await db.query(
  `SELECT * FROM users WHERE id = ${req.params.id}`
);

// ✅ Parameterized query — safe
// The value is sent separately from the SQL text ($1 is a PostgreSQL-style placeholder)
const result = await db.query(
  "SELECT * FROM users WHERE id = $1",
  [req.params.id]
);

Ship Fast, but Scan First

Replit Agent is powerful and only getting better. But until AI coding tools are trained to prioritize security alongside functionality, you need a safety net. ShipSafe scans your entire repository and flags these exact issues with plain-English explanations and copy-paste fixes.

Try it free at ship-safe.co.
