ShipSafe is an AI-powered security scanner that finds vulnerabilities in code built with tools like Cursor, Lovable, Bolt, and v0. Paste a GitHub URL and get a plain-English security report in minutes.

How does ShipSafe work?

ShipSafe analyzes your GitHub repository using 30+ security checks including SQL injection, XSS, leaked API keys, and OWASP Top 10 vulnerabilities. It produces a plain-English report with fix recommendations.

Yes, ShipSafe offers a free plan that includes security scans with no credit card required. Paid plans start at $9/month for CLI access with unlimited scans.

What vulnerabilities does ShipSafe detect?

ShipSafe detects SQL injection, cross-site scripting (XSS), leaked secrets and API keys, insecure authentication, CSRF vulnerabilities, and more across the OWASP Top 10 categories.

Does ShipSafe work with vibe-coded apps?

Yes, ShipSafe is specifically designed for apps built with AI coding tools like Cursor, Lovable, Bolt, v0, and Replit. These tools can introduce security vulnerabilities that ShipSafe catches before deployment.

Platform Security

Security Scanner for Lovable Apps

Lovable builds beautiful Supabase apps fast, but missing RLS policies and exposed service keys can turn your database into an open buffet. ShipSafe catches these issues before attackers do.

Scan Your Lovable Project View Pricing

Why Lovable Apps Need a Security Scan

Lovable is remarkable at turning prompts into full-stack apps with Supabase backends. You get auth, a database, and a polished UI in minutes. But the AI takes shortcuts on the security layer that most developers don't notice until it's too late.

The most dangerous issue is missing Row Level Security. Supabase exposes your database directly to the browser via the anon key by design. RLS policies are the only thing standing between your users and everyone else's data. When Lovable skips them, your database is effectively public.

This isn't theoretical. We've documented the specific patterns in our guide to Lovable security vulnerabilities and in the vulnerabilities by platform reference.

Common Vulnerabilities in Lovable Projects

Lovable + Supabase introduces a unique class of vulnerabilities centered around database access control and key management.

Critical

Missing Row Level Security (RLS) Policies

Lovable creates Supabase tables through SQL migrations but frequently omits the ENABLE ROW LEVEL SECURITY step. Without RLS, the anon key grants full read and write access to every row in your database. Any user who inspects your frontend can extract your Supabase URL and anon key, then query any table directly.

Critical

Service Role Key in Client Code

Lovable sometimes initializes the Supabase client with the service role key instead of the anon key. The service role key bypasses all RLS policies entirely, and when it appears in client-side code, it gets shipped in your JavaScript bundle where anyone can extract it.

High

Direct auth.users Table Queries

Instead of creating a public profiles table, Lovable's AI sometimes queries the auth.users table directly. This requires elevated privileges, exposes sensitive authentication metadata like hashed passwords and email confirmation tokens, and breaks the moment you properly restrict permissions.

High

Exposed Environment Variables

Lovable projects sometimes expose sensitive environment variables to the client bundle by using the VITE_ or NEXT_PUBLIC_ prefix on secrets that should stay server-side. Database connection strings, API keys with write access, and webhook secrets end up in the browser.

How ShipSafe Secures Your Lovable App

Connect Your Lovable Project

Link your GitHub repo or paste your Supabase migration files. ShipSafe understands Lovable's project structure and Supabase configuration.

Deep Supabase Analysis

ShipSafe checks every table for RLS policies, scans client code for service key usage, and verifies that environment variables are properly scoped to server or client.

Fix with Confidence

Get a prioritized report with exact SQL statements for missing RLS policies, code changes to fix key exposure, and migration scripts you can run directly.

Frequently Asked Questions

Does Lovable add Row Level Security?

Sometimes, but not consistently. Lovable's AI generates SQL migrations to create tables and relationships, but it frequently omits the ALTER TABLE ... ENABLE ROW LEVEL SECURITY statement and the corresponding policies. This means your tables may appear to work correctly during development while being completely open to unauthorized access. ShipSafe checks every table in your Supabase project for proper RLS configuration.

Is my Lovable app secure?

Without a security review, you should assume it is not. Lovable prioritizes building functional UIs and connecting them to Supabase quickly. Security features like RLS, proper key management, and input validation are often secondary in the generated code. The app will work, but it may be exposing your users' data. Running a ShipSafe scan takes minutes and will reveal any critical issues.

How do I fix Supabase RLS in Lovable?

First, identify which tables lack RLS by running a ShipSafe scan or checking your Supabase dashboard. Then create a new migration that enables RLS on each table and adds appropriate policies. A basic policy restricts rows so users can only access records where user_id matches auth.uid(). ShipSafe generates these exact SQL statements for you based on your schema.

Can ShipSafe scan Lovable's Supabase setup?

Yes. ShipSafe analyzes your SQL migration files, Supabase client initialization, environment variable usage, and API route security. It understands the Lovable + Supabase stack specifically, so it can detect patterns like missing RLS, service key leaks, and direct auth.users queries that generic scanners miss.

What if I already deployed my Lovable app?

You should scan immediately. If ShipSafe finds missing RLS policies, you can apply the generated migration scripts directly to your live Supabase project through the dashboard SQL editor. For service key exposure, rotate the key in your Supabase project settings after removing it from client code. The sooner you fix these issues, the less exposure your users' data has had.

Secure Your Lovable App Before Launch

Missing RLS is the number one security issue in Lovable projects. Find and fix it in minutes with ShipSafe.

Start Free Scan

No credit card required. See all plans