The Security center helps teams identify risks, prioritize fixes, and track security coverage across projects at scale.
  • Available on: Business and Enterprise plans
  • Access: Workspace admins and owners
  • Location: Settings → Workspace → Security center
The Security center provides a workspace-wide view of security status across all projects.

What the Security center shows

The Security center is organized into three main sections, each focused on a different aspect of workspace security. It combines code analysis, supply chain security, and secrets management into a single workspace-level view.

Code analysis

Review security findings from automated security scanning across all projects in your workspace. Summary cards provide an at-a-glance view of total projects, projects with findings, and scan coverage.
  • Errors: Critical security issues that require immediate attention
  • Warnings: Important security concerns that should be reviewed
  • Info: Informational findings that provide additional context
  • Scan status: When projects were last scanned, including live scanning indicators
  • Visibility: The project’s publish status, whether it is draft (not published), workspace (published internally to the workspace), or public (published publicly)
You can search, filter, and sort projects by security status, visibility (publish status), scan state, or name to quickly focus on what matters most.

Supply chain security

Monitor dependency vulnerabilities across your entire workspace. Summary cards highlight vulnerability counts by severity and overall scan coverage.
  • Two views: Review vulnerabilities by project or by vulnerability
  • Vulnerabilities by severity: Categorized as critical, high, or medium
  • Affected projects: Which projects use vulnerable dependencies
  • Vulnerable packages: Package names, affected versions, and fixed versions when available
  • CSV export: Export a workspace-wide dependencies list as a CSV file for audits or reporting (available from the projects view in Supply chain security)
You can filter and search vulnerabilities by severity, visibility (publish status), CVE, package name, or vulnerability title.

Secrets overview

View all secrets across every project in your workspace from a single table. The Secrets overview gives admins visibility into what secrets exist and which projects they belong to. For each secret, you’ll see:
  • Secret name: The name of the secret (e.g., “OpenAI API Key”). Secret values are never shown.
  • Associated project: The project the secret belongs to
  • Type: User-created or Lovable-generated
  • Visibility: Publish status of the associated project (public, workspace, or draft)
  • Creation date: When the secret was added
  • Security findings: Project-level security findings and severity
You can search by secret name across all projects and filter by visibility, secret type, and security findings. Each row includes a View button that opens the project’s secrets page, where you can update or remove individual secrets.
Security findings shown alongside secrets are tied to the project, not the individual secret.

Why use the Security center

The Security center helps teams stay on top of security issues by making risks visible, comparable, and actionable across projects.
  • Centralized oversight
    Review security findings across your entire workspace without opening projects individually.
  • Clear prioritization
    Focus on projects with critical errors, high-severity vulnerabilities, or outdated scans.
  • Visibility into scan coverage
    See which projects are up to date and which may need security reviews.
  • Dependency risk awareness
    Understand how vulnerable dependencies affect multiple projects and coordinate updates efficiently.
  • Secrets visibility
    See every secret across your workspace in one place, identify stale credentials, and manage secrets from a centralized view.

Running security scans

In addition to viewing results, you can trigger security scans from the Code analysis tab without opening individual projects.
  • Run scans centrally: Start a security scan for any project from the Code analysis tab
  • Last scan timestamps: See when each project was last scanned so you can identify outdated results at a glance
  • Risky project identification: Spot projects that are public or recently changed but have outdated or missing scan results
  • Never-scanned detection: Flag public projects that have never been scanned, catching cases where the scanning process may have been skipped entirely
This is especially useful for maintaining consistent scan coverage across a large number of projects without having to visit each one individually.

Common use cases

The Security center supports both routine reviews and time-sensitive security work, including:
  • Release readiness and audits
    Confirm projects meet security standards before shipping or compliance reviews.
  • Project onboarding and handoffs
    Ensure inherited or transferred projects have been scanned and don’t introduce security risks.
  • Critical vulnerability response
    Quickly identify affected projects when new dependency issues are announced.
  • Secret auditing
    Search for a specific API key by name and see every project that uses it, making it easy to audit usage or coordinate key rotation.
  • Stale secret cleanup
    Sort secrets by creation date to find old credentials tied to unused projects, and remove them to reduce unnecessary exposure.
  • Ongoing monitoring
    Regularly review findings and address new issues as part of a weekly or monthly cadence.

Best practices for using the Security center

The Security center is designed for ongoing review rather than a fixed workflow. The following best practices reflect how teams commonly use it.
  • Start with the workspace overview
    Review overall security status to understand how many projects have errors, warnings, or outdated scans.
  • Prioritize projects that need attention
    Use filters to focus on projects with critical errors, high-severity vulnerabilities, or recent warnings.
  • Check scan freshness
    Identify projects that haven’t been scanned recently and may need updated security reviews.
  • Review dependency vulnerabilities
    Inspect vulnerable packages by severity to see which issues affect multiple projects and require coordinated updates.
  • Take action within individual projects
    Use the View action on a project to open its security details, run new scans, update dependencies, and resolve findings in the Project security view.

FAQ

Workspace admins and owners on Business and Enterprise plans can access the Security center at Settings → Workspace → Security center.
No. It displays the most recent scan results for each project. You can run a security scan for any project directly from the Security center, or run one from within the project itself.
  • Errors are critical security issues that should be resolved before publishing.
  • Warnings are important concerns that may not be critical but should be reviewed.
  • Info findings provide additional context to help teams better understand their security posture.
Visibility reflects a project’s publish status:
  • Draft: Not published
  • Workspace: Published internally and accessible by workspace members only
  • Public: Published publicly and accessible by anyone with the link
Projects appear as never scanned if a security scan has not yet been run for them. Run a security scan in the project to generate results.
No. At the moment, the Security center shows only the latest scan results for each project.
Yes. You can export a workspace-wide dependencies list as a CSV file from the Supply chain security section (projects view).
No. The Secrets overview only shows secret names (e.g., “OpenAI API Key”), not the secret values themselves.
Not directly. You can click through from the Secrets overview to the specific project’s secrets page, where you can update or remove individual secrets.
Security findings are tied to the project, not the individual secret. They indicate the overall security posture of the project that holds that secret.
Yes. You can trigger a security scan for any project directly from the Security center without having to open the project first.