Platform guides
- Is My Lovable App Secure? — Run a Non-Destructive Scan
- Bolt.new — coming soon
- v0 by Vercel — coming soon
- Replit — coming soon
Why AI-built apps need a security check
AI code generators are excellent at creating working features quickly. They are less reliable at enforcing security defaults: Supabase Row Level Security disabled, anon keys shipped in the frontend bundle, missing Content-Security-Policy and X-Frame-Options headers, wide CORS policies. None of these are bugs in the AI — they are missing steps in a fast-ship workflow that a one-time non-destructive scan can surface in minutes.
Read the AI-generated code security checklist for the full list of what to look for.
What pentes.io checks
Every scan covers the surface an AI-built app most commonly leaves exposed:
- Security headers — Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, Referrer-Policy
- Exposed files — .env, .env.local, .env.production, backup files, .git/ exposure
- TLS configuration — certificate chain completeness, cipher suite quality, HSTS presence
- Reachable endpoints — public routes that respond without authentication
- Known vulnerability signatures — nuclei detection sweep against the public surface
The scan does not test authentication, does not brute-force, and does not deliver payloads. It reads the public surface the same way an attacker would in passive reconnaissance — except the result goes to you, the owner.
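As an added example (not pentes.io's scanner code and not from the original page), here is a small Python checker that applies the security-header and CORS rules above to one response's header set. The header names come from the list; the HSTS max-age threshold, the constructed sample header sets and the wording of the findings are assumptions made for this example.

```python
"""Passive security-header and CORS audit of one HTTP response.

Added example: this is not pentes.io's scanner, just a small checker over
the header names the list above calls out. The response headers used below
are constructed sample values, not captured from any real site.
"""
from __future__ import annotations

# Headers expected on every HTML response (lower-case key -> canonical name).
REQUIRED_HEADERS = {
    "content-security-policy": "Content-Security-Policy",
    "x-frame-options": "X-Frame-Options",
    "x-content-type-options": "X-Content-Type-Options",
    "strict-transport-security": "Strict-Transport-Security",
    "referrer-policy": "Referrer-Policy",
}

# Threshold chosen for this example: one year, the minimum the HSTS preload list requires.
MIN_HSTS_MAX_AGE = 31_536_000


def _csp_directives(csp: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _hsts_max_age(value: str) -> int | None:
    """Extract max-age from an HSTS header value; None if absent or malformed."""
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(raw.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings (missing or weak headers, wide CORS) for one response."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings: list[str] = []

    for key, name in REQUIRED_HEADERS.items():
        if key not in lower:
            findings.append(f"missing {name}")

    # A CSP that allows inline scripts, or scripts from any origin, does not stop XSS.
    if "content-security-policy" in lower:
        directives = _csp_directives(lower["content-security-policy"])
        script_sources = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_sources or "*" in script_sources:
            findings.append("weak Content-Security-Policy: script-src allows 'unsafe-inline' or *")

    xfo = lower.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"weak X-Frame-Options: {xfo}")

    xcto = lower.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append(f"weak X-Content-Type-Options: {xcto}")

    if "strict-transport-security" in lower:
        age = _hsts_max_age(lower["strict-transport-security"])
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append(
                f"weak Strict-Transport-Security: max-age {age} is below {MIN_HSTS_MAX_AGE}"
            )

    # A wildcard origin lets any website read responses from this API.
    if lower.get("access-control-allow-origin") == "*":
        findings.append("wide CORS: Access-Control-Allow-Origin is *")

    return findings


# Constructed samples: a typical freshly generated deploy and a hardened one.
UNHARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "Access-Control-Allow-Origin": "*",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Access-Control-Allow-Origin": "https://app.example.com",
}

if __name__ == "__main__":
    for label, hdrs in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(f"{label}: {audit_headers(hdrs) or ['no findings']}")
```

Run it against a live response by feeding `dict(resp.headers)` from whatever HTTP client you use; the checker is deliberately read-only, so it fits the same passive, owner-side posture the scan describes.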
The Vibe Coder tier
pentes.io's Vibe Coder plan is $14.99/month for 100 scans. That is enough to scan every deploy you ship in a month, plus re-scans after you fix findings. No enterprise contract, no sales call. Sign up, add a domain, verify ownership, scan.