What is the Security view?
The Security view shows security findings for a single project. It brings together results from Lovable’s built-in security scanners and findings from optional security connectors, such as Wiz and Aikido, so that you can understand risks, take action, and verify that your project is ready to publish. For details on how each scan works and when scans run, see Security overview. You’ll find the Security tab inside any Lovable project by going to More → Security in the project toolbar.
Why use the Security view?
- Review all project security sources in one place: Built-in scan results and optional connector findings appear together, so you do not need to check separate tools to understand a project’s security status.
- Catch issues early: Security issues are easier to fix during development than after deployment. The Security view helps identify common problems such as misconfigured database access, insecure code patterns, or vulnerable dependencies before your app goes live.
- Focus on what matters: Not all security findings carry the same risk. Findings are categorized by severity so you can prioritize critical issues first and review lower-risk recommendations later.
- Save time with guided fixes: Many findings include automated remediation options or clear guidance. You can ask Lovable to fix specific issues directly and review the resulting changes.
- Track security as your project evolves: As your project changes, previous scan results may become outdated. The Security view clearly shows when scans need to be refreshed so you always know your project’s current security state.
Understanding scan status
The scan status at the top of the Security view shows whether your security results reflect your latest changes.
- Up to date: All scans reflect the current version of your project.
- Out of date: One or more scans have not run since the project changed.
- Scanning: Scans are currently running.
Run Basic and Deep scans
Use the scan banner at the top of the Security view to run available scans and see the latest scan state. Depending on the current project state, you may see actions such as Basic security scan or Deep security scan. The Basic scan is a faster configuration and dependency check, while the Deep scan runs a more detailed agentic code review. Both actions are free and do not consume credits.
The Deep scan does not run automatically as you work. You can run it from the project security view, the workspace security center, or the publish dialog when the Basic scan passes. Good times to run a scan include:
- Before publishing
- After significant code or database changes
- When adding or updating dependencies
- Periodically for production applications
Included security findings
The Security view brings together security findings for one project. Depending on your project setup and workspace integrations, it can include:
- Basic scan findings: Database and dependency findings from row-level security (RLS) policy linting, database schema review, and dependency audits.
- Deep scan findings: Agentic codebase review findings, including access control issues, unprotected backend endpoints, exposed secrets, unsafe input handling, and other code-level risks.
- Wiz findings: Static analysis and software composition analysis results from a connected Wiz integration, including vulnerable dependencies and risky code patterns.
- Aikido findings: Confirmed exploitable issues from AI penetration tests run through the Aikido connector.
- Project dependencies: A list of project npm dependencies, known vulnerabilities, severity counts, fix actions, filters, and JSON export.
Review and fix security findings
All findings appear under Detected issues and are grouped by severity level. If the latest scan does not find anything, Lovable shows a No issues found state. This means the latest scan did not surface findings, but it does not guarantee that the project has no security risk. If any errors exist, the view defaults to showing them first.
- Error: Critical problems that need your attention right away
- Warning: Issues you should review and fix if necessary
- Info: Suggestions to consider implementing
Each finding shows:
- Which scan produced the finding
- A detailed explanation of the issue
- Why the issue matters for security
- Suggested remediation steps
You can fix findings in two ways:
- Fix a specific finding: Reference a finding in chat to ask Lovable to analyze or fix that issue. This is treated as standard chat usage and consumes credits.
- Fix multiple findings at once: Use Try to fix all to attempt automatic remediation for all findings in the current filter. It requires the Deep scan results to be up to date. This action is free and does not consume credits.
Review project dependencies
The Security view shows a Project dependencies section with a count of project npm packages and known vulnerabilities.
Click Review to open the dependency list. From there, you can see:
- Package name and version
- Vulnerability counts by severity, including critical, high, and medium
- A Fix here action for vulnerable packages
- Search dependencies by package name
- Filter to show only packages with vulnerabilities
- Click Scan dependencies to refresh the dependency audit
- Click Download list to download a JSON report of all dependencies and vulnerabilities for audits or compliance reviews
Improve scan accuracy with security memory
Click Edit security memory to open the security memory document for your project. This document is shared with the security scanner and Lovable agent and guides how it evaluates your project. The document should cover the following:
- A short description of how your app works from an access control perspective. For example, whether it has authenticated users, what roles exist, or whether it handles sensitive data.
- What should never happen within your app’s business logic. For example, users reading each other’s private data, or unauthenticated access to admin actions.
- What not to create vulnerabilities for. This section is also updated when the agent accepts a risk during a scan. Each entry is one line explaining what risk is accepted. Do not use this section to dismiss legitimate security issues.
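A constructed example of a security memory document covering the three sections above. This is an added illustration, not a document from Lovable’s docs; the heading layout, table names, and endpoint names are assumptions, since the page does not prescribe a format.

```markdown
# Security memory (constructed example)

## How the app works (access control)
- Public marketing pages need no login; everything else requires an authenticated user.
- Roles: member (default) and admin. Roles live in a separate user_roles table, never in client-editable profile fields.
- Sensitive data: customer email addresses in the profiles table and invoice PDFs in the invoices storage bucket.

## What should never happen
- A member reads or edits another member's rows in profiles or invoices.
- An unauthenticated request reaches the admin-export backend endpoint.
- A backend service key or secret is shipped to the browser.

## What not to create vulnerabilities for (accepted risks)
- The plans table is readable without login: pricing is intentionally public.
- The /health endpoint is unauthenticated: it returns only a static status string.
```

Each accepted-risk entry states the reason the risk is acceptable, so a reviewer can later check whether that reason still holds rather than silently suppressing a finding.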
Best practices for using the Security view
The Security view is designed for ongoing use throughout development, not just a final check before publishing. The following best practices reflect how builders commonly use it.
- Keep security findings current: Review findings regularly and refresh scans when results become outdated, especially after adding features, changing database access, or updating dependencies.
- Prioritize critical issues: Address error-level findings before warnings or informational items. Critical findings often represent exploitable vulnerabilities.
- Use both scanning approaches: Use the built-in Basic and Deep scans in the Security view for structured checks and targeted fixes. Complement them by periodically asking Lovable to “review my app’s security” in chat for a narrative analysis that may catch issues the automated scans miss. If your workspace uses Wiz or Aikido, review those connector findings alongside Lovable’s built-in scan results.
- Manage dependency risk proactively: Regularly review the dependency section and address high-severity vulnerabilities promptly.
- Review and verify fixes: Automated fixes can save time, but always review the changes and test your app before continuing development.
- Be deliberate when ignoring findings: Ignore findings only when they clearly do not apply. Revisit ignored findings as your project evolves.
- Continue monitoring after publishing: Publishing is not the end of security work. Monitor new findings as your app changes over time.
FAQ
How do I access the Security view?
You’ll find the Security tab inside any Lovable project by going to More → Security in the project toolbar.
What does outdated mean?
A scan’s results are outdated when your project has changed since the last run. Click Basic scan or Deep scan to refresh results. Actions on outdated findings are disabled to prevent acting on stale information.
What is the difference between Basic scan, Deep scan, and asking Lovable to review security?
Basic scan is a faster configuration and dependency check. It looks for common database issues and vulnerabilities in dependencies. Deep scan runs a more detailed agentic code review and usually takes longer. Both actions are free and do not consume credits.
Asking Lovable to review your app’s security in chat triggers a separate AI-driven review that provides a narrative report and recommendations. It does not update scan results or scan status. Conversational security reviews in chat consume credits.
These approaches are complementary.
Can I use the Security view for published projects?
Yes. Continue monitoring security after publishing, especially when adding features or updating dependencies.
What happens if I publish with critical findings?
Lovable warns you before publishing if critical issues exist. You can choose to publish anyway, but this is strongly discouraged since critical findings typically represent exploitable vulnerabilities.
If your workspace has Block publishing with critical findings enabled, you need to resolve the critical issues before you can publish.