Session 7
Security: scan before you ship
Goal. Run Lovable's security scan and fix what it flags before real users — and their data — arrive.
▶ Try this prompt
Run a security scan on my app and fix any high-severity issues you find.
Open the Security view in your project. Lovable also re-checks security automatically at publish time.
1. Run a scan from the Security view. The Basic scan lints your row-level-security (RLS) policies, reviews the database schema, and audits dependencies; the Deep scan reads the codebase for access-control gaps, unprotected endpoints, exposed secrets, and unsafe input handling.
2. Findings are graded Error / Warning / Info. Open one, read the recommended fix, have Lovable apply it, then re-scan until it's clean.
3. Optionally connect Wiz for static analysis and dependency scanning alongside the native checks. Re-run the scan before each publish and after any big change.
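To make step 1 concrete, here is an added example (not Lovable's code or the scanner's output) of the kind of RLS gap a policy lint flags, beside the corrected policies. It assumes a Postgres/Supabase-style backend where `auth.uid()` returns the calling user's id and the `authenticated` role exists; the table and column names are constructed for illustration.

```sql
-- Added example (not Lovable's own code). Assumes a Postgres/Supabase-style
-- database where auth.uid() returns the caller's user id (stack assumption).

-- WEAK: the table holds per-user records but RLS is never enabled. With the
-- API roles granted table access (the usual default), any client that can
-- reach the API reads and modifies every row.
create table public.lab_results (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null,
  payload    jsonb not null,
  created_at timestamptz not null default now()
);

-- Also weak, and just as likely to be flagged: RLS is on, but a permissive
-- catch-all policy hands every role every operation on every row.
-- alter table public.lab_results enable row level security;
-- create policy "open" on public.lab_results for all using (true) with check (true);

-- CORRECTED: enable RLS and scope each operation to the row's owner. Separate
-- policies per command keep the USING / WITH CHECK intent explicit.
alter table public.lab_results enable row level security;

create policy "owners read own results"
  on public.lab_results for select
  to authenticated
  using (owner_id = auth.uid());

create policy "owners insert own results"
  on public.lab_results for insert
  to authenticated
  with check (owner_id = auth.uid());

create policy "owners update own results"
  on public.lab_results for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "owners delete own results"
  on public.lab_results for delete
  to authenticated
  using (owner_id = auth.uid());

-- Manual check you can run alongside the scan: every ordinary table in the
-- public schema that still has RLS disabled (pg_class.relrowsecurity = false).
select n.nspname, c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r' and n.nspname = 'public' and not c.relrowsecurity;
```

The final query should return no rows once every user-facing table is protected; a table that appears there is the same finding the Basic scan reports as an Error.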
You'll see. A graded list of security issues with one-click fixes — and a clean re-scan.
Cost. Both the Basic and Deep scans are free and don't use credits — and so is 'Try to fix all' from the Security view. Only a chat-based 'review my security' counts as a normal (credit-using) message. Wiz needs a connected Wiz account.
Takeaway. A real vulnerability scan ships in the box — run it before every publish, especially once your app holds personal, customer or lab data.