The Security Scanner Blog

Findings, write-ups, and notes from scanning AI-built apps in the wild.

What we find when we point the scanner at apps built with Cursor, Lovable, Replit, Bolt, v0 — plus the occasional opinion on why it keeps happening.

Analysis Apr 7, 2026

Why Supabase RLS is the #1 vibe-coding mistake

One setting. Disabled by default. Exposes every user's data. Repeated across hundreds of apps. Here's why.

4 min read

Findings Apr 2, 2026

Top 5 security issues on Replit apps

Replit's quick-deploy is great. It also makes it really easy to ship your API keys to the internet.

3 min read

Findings Mar 29, 2026

Top 5 security issues we found on Lovable apps

We scanned ~50 published Lovable apps. About 1 in 5 of the Supabase-backed ones had at least one table readable by anyone. Here's the pattern.

3 min read

Product Mar 22, 2026

What Security Scanner actually does (and what it doesn't)

No marketing fluff — a direct walkthrough of every module we run.

4 min read

Product Mar 18, 2026

We're live: Security Scanner for the vibe-coding era

After months of scanning our own infrastructure and finding one hole too many, we're opening Security Scanner to everyone.

1 min read