
ShipSafe



Security Scanner for Bolt.new Apps

Bolt.new ships full-stack apps in seconds. But unauthenticated API routes and exposed secrets mean your app could be compromised in seconds too. ShipSafe finds what Bolt's AI missed.

The Security Cost of Instant Full-Stack Apps

Bolt.new is impressive. You describe what you want, and it generates a complete application with frontend, backend, and database in one shot. The problem is that the AI skips the boring but critical security plumbing that separates a demo from a production app.

Every API route Bolt creates is a potential entry point for attackers. Without auth checks, anyone can call them. Without input validation, malicious payloads flow straight through. And because Bolt uses Vite, any secret stored in a VITE_-prefixed env var is exposed to client code through import.meta.env and inlined into the JavaScript shipped to your users' browsers.

We've documented the specific patterns in our Bolt.new security guide and the vulnerabilities by platform reference.

Common Vulnerabilities in Bolt.new Projects

These patterns appear in the vast majority of Bolt.new-generated applications we analyze.

Critical

Unauthenticated API Routes

Bolt.new generates API endpoints that handle data mutations (create, update, delete) without verifying that the caller is logged in. Anyone who discovers the route can call it directly with curl or Postman, bypassing your entire frontend; hiding a button in the UI is not an access control, because the route itself never checks a session. This is especially dangerous for admin operations and payment workflows, and even routes that do check for a session often fail to check that the caller owns the record being changed.

Critical

Secrets in VITE_ Environment Variables

Bolt.new uses Vite as its build tool, and any env var prefixed with VITE_ is exposed to client code through import.meta.env and inlined into the frontend JavaScript at build time. The AI frequently puts API keys, database URLs, and webhook secrets behind VITE_ prefixes, making them readable by anyone who opens browser DevTools or downloads the bundle. Only values that are designed to be public (for example a Supabase anon key or a Stripe publishable key) belong under VITE_; everything else must be read on the server only.

High

Missing Input Validation

Bolt-generated endpoints typically trust all incoming data. There is no schema validation, no type checking, and no limit on length or format, and whatever fields the client sends are passed on as-is. Malformed payloads, oversized inputs, injection attempts, and extra fields the client was never meant to control (such as a price or an admin flag) pass straight through to your database or downstream services.

High

No CSRF Protection

For apps that authenticate with a session cookie, Bolt.new does not generate CSRF tokens, SameSite cookie attributes, or origin checks. A state-changing request can then be triggered from any website by embedding a hidden auto-submitting form or by making a fetch request, and the browser attaches the victim's cookie, letting attackers perform actions on behalf of logged-in users. A plain form post does not trigger a CORS preflight, so the same-origin policy alone does not stop it. Apps that send a bearer token in an Authorization header instead of a cookie are not exposed this way, because the attacker's page cannot read or attach that token.

How ShipSafe Secures Your Bolt.new App

1. Connect Your Bolt.new Project

Link your GitHub repo or paste your source code. ShipSafe recognizes Bolt.new's Vite-based project structure and understands how it handles routing and env vars.

2. Full-Stack Security Analysis

ShipSafe scans both frontend and backend code. It maps every API route, checks for auth middleware, validates env var scoping, and tests for CSRF and input validation gaps.

3. Prioritized Fix Guide

Receive a severity-ranked report with concrete code examples showing exactly what to change. Copy-paste the fixes directly into your Bolt.new project.

Frequently Asked Questions

Is Bolt.new code secure?
Not by default. Bolt.new focuses on generating functional full-stack apps quickly, and security is consistently deprioritized. In our analysis, the most common issues are API routes without any authentication check, secrets exposed in the client bundle through VITE_ env vars, and a complete absence of input validation. These are not theoretical risks. They are present in the majority of Bolt.new projects we scan.
What security issues does Bolt.new create?
The four most frequent vulnerabilities are: (1) API routes that accept requests without verifying authentication, (2) sensitive secrets placed in VITE_ prefixed environment variables that get bundled into frontend code, (3) missing input validation on form submissions and API payloads, and (4) no CSRF protection on state-changing endpoints. ShipSafe detects all of these automatically.
How do I secure my Bolt.new app?
Start by running a ShipSafe scan to identify all vulnerabilities. Then address them in priority order: add authentication middleware to every API route that reads or changes private data, and check that the caller owns the record, not just that a session exists; move secrets to server-only env vars (remove the VITE_ prefix and move the code that used them to a server route); add input validation using a library like Zod, rejecting unknown fields; and implement CSRF protection (SameSite cookies plus an origin check) on cookie-authenticated, state-changing endpoints. ShipSafe provides the exact code changes needed for each fix.
Does ShipSafe work with Bolt.new projects?
Yes. ShipSafe is specifically tuned to understand Bolt.new's project structure, including its Vite configuration, API route patterns, and environment variable handling. Connect your GitHub repo or paste your code to get started. The scanner will identify issues specific to how Bolt.new generates code.

Don't Deploy Bolt.new Without a Security Scan

Four out of five Bolt.new projects we scan have at least one critical vulnerability. Find yours before someone else does.
