SimplyScan vs Built-In Platform Security: What Lovable, Cursor, Bolt, Replit & Windsurf Actually Check
Every AI coding platform now claims to have security features. But what do they actually check? We compared SimplyScan's 13-category, 40+ check scan against what each platform offers built-in.
By Paula C · Kraftwire Software · 8 min read
Every Platform Claims Security - But What Do They Actually Check?
AI coding platforms have started adding security features. That's a good thing. But when you look at what each platform actually scans for, the gaps become clear.
We researched exactly what Lovable, Cursor, Bolt, Replit, and Windsurf offer for security - and compared it to SimplyScan's 13-category, 40+ check security scan.
What SimplyScan Checks (13 Categories, 40+ Checks)
SimplyScan scans your deployed application and/or source code across 13 distinct security categories:
| # | Category | What We Check |
|---|----------|---------------|
| 1 | **Secrets** | API keys, tokens, credentials exposed in JavaScript bundles |
| 2 | **Frontend** | Environment variables leaked in client-side code |
| 3 | **Supabase** | Missing or weak Row Level Security policies |
| 4 | **Auth** | JWT issues, hardcoded passwords, weak hashing, missing auth |
| 5 | **Injection** | SQL/NoSQL injection, eval(), Function(), command injection |
| 6 | **XSS** | dangerouslySetInnerHTML, innerHTML, unsanitized input |
| 7 | **Endpoints** | Unprotected API routes, missing auth middleware |
| 8 | **CSRF / Headers** | Missing security headers, CSRF vulnerabilities |
| 9 | **Config** | CORS wildcards, debug mode, insecure settings |
| 10 | **Architecture** | Exposed DB strings, missing rate limiting, client-side logic |
| 11 | **Performance** | Blocking I/O, N+1 queries, missing caching (DoS risks) |
| 12 | **Vibe Code** | Generic variables, missing error handling, no input validation |
| 13 | **AI Security** | Prompt injection vectors, AI API key exposure |
Plus: GitHub repo scanning (Pro), AI fix prompts, PDF export, scan history, and remediation guides.
Now let's look at what each platform offers.
---
Lovable: Security Checker
Lovable has invested heavily in security with their "Security Checker 2.0." Here's what it covers:
**What Lovable checks:**
✅ Exposed secrets in code
✅ Third-party dependency vulnerabilities (supply chain)
✅ Supabase RLS issues (via Supabase Security Advisor)
✅ Real-time notifications for findings
✅ 20+ Lovable-specific policies for prompt safety
**What Lovable doesn't check:**
❌ XSS patterns (dangerouslySetInnerHTML, innerHTML)
❌ SQL/NoSQL injection vectors
❌ CSRF protection or security headers
❌ Unprotected API endpoints
❌ Architecture risks (rate limiting, IDOR)
❌ Performance-as-security risks (N+1 queries, blocking I/O)
❌ AI-specific risks (prompt injection in your app)
❌ Vibe code quality patterns
❌ Configuration issues (CORS, debug mode)
**Summary:** Lovable's scanner focuses on secrets, dependencies, and Supabase RLS - the three most critical categories. It's effective for what it covers. But it doesn't scan your application code for injection, XSS, CSRF, endpoint security, architecture issues, or AI risks. That's 10 categories it doesn't touch.
---
Cursor: No Built-In Security Scanner
Cursor is a code editor, not a platform - and it has **no built-in security scanning** whatsoever.
**What Cursor provides:**
✅ SOC 2 compliance (for their own infrastructure)
✅ Privacy mode option (code not stored on servers)
✅ Workspace trust settings (inherited from VS Code)
**What Cursor doesn't check:**
❌ No code scanning of any kind
❌ No secret detection
❌ No dependency auditing
❌ No RLS or database checks
❌ No XSS, injection, or CSRF detection
❌ No endpoint security analysis
❌ No security headers check
**Summary:** Cursor's security is about protecting *their platform and your code privacy* - not about checking *the code you write* for vulnerabilities. You need a completely separate tool for application security. Third-party extensions like Aikido or Semgrep can add some SAST capability, but they're not built in and don't cover all 13 categories.
---
Bolt.new: Automated Security Audits (New)
Bolt recently launched automated security audits. Here's what we know:
**What Bolt checks:**
✅ Automated security audits before deployment
✅ Basic vulnerability scanning
✅ Some configuration checks
**What Bolt doesn't check:**
❌ No Supabase/database RLS analysis (Bolt doesn't use Supabase natively)
❌ Limited injection detection
❌ No XSS pattern scanning
❌ No security headers analysis
❌ No architecture risk assessment
❌ No performance security checks
❌ No AI security analysis
❌ No repo-level scanning (source code analysis)
❌ No remediation guides or AI fix prompts
**Summary:** Bolt's security audits are a recent addition and focus on basic pre-deployment checks. The scope is narrower than what SimplyScan covers - no deep code analysis across 13 categories, no repo scanning, and no actionable fix prompts.
---
Replit: Security and Privacy Scanner (Semgrep + HoundDog)
Replit has the most mature built-in scanner among AI coding platforms, powered by Semgrep Community Edition and HoundDog.ai.
**What Replit checks:**
✅ Dependency vulnerabilities (npm, Python, Go, Rust, PHP, Ruby)
✅ Static analysis / SAST (SQL injection, insecure patterns)
✅ Malicious file detection (supply chain attacks)
✅ Privacy issues (sensitive data in logs, files, APIs)
✅ "Fix with Agent" - AI-powered remediation
✅ Automatic dependency updates (Node.js)
**What Replit doesn't check:**
❌ No Supabase/database RLS analysis
❌ No deployed app scanning (only source code)
❌ No security headers or CSRF checks
❌ No endpoint authentication analysis
❌ No architecture risk assessment (rate limiting, IDOR)
❌ No performance security checks
❌ No AI-specific security (prompt injection)
❌ No vibe code quality patterns
❌ Limited to Replit projects only
**Summary:** Replit's scanner is strong on SAST and dependency scanning - better than most platforms. But it only works on Replit projects, doesn't scan deployed apps, and misses entire categories like endpoints, CSRF, architecture, performance, and AI security. It also can't scan your Supabase or Firebase database policies.
---
Windsurf: No Built-In Security Scanner
Like Cursor, Windsurf is a code editor without built-in security scanning.
**What Windsurf provides:**
✅ Code runs locally (your code stays on your machine)
✅ Enterprise security features (SSO, audit logs)
✅ Admin controls for organizations
**What Windsurf doesn't check:**
❌ No code scanning of any kind
❌ No secret detection
❌ No dependency auditing
❌ No database security checks
❌ No XSS, injection, or CSRF detection
❌ No endpoint security analysis
**Summary:** Windsurf focuses on enterprise platform security, not application security. Like Cursor, you need a separate tool to scan the code you write. Third-party extensions are available but not integrated.
---
The Full Comparison
| Category | SimplyScan | Lovable | Cursor | Bolt | Replit | Windsurf |
|----------|-----------|---------|--------|------|--------|----------|
| **Exposed Secrets** | ✅ | ✅ | ❌ | ✅ | ✅ | ❌ |
| **Frontend Leaks** | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| **Database RLS** | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| **Auth Issues** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **Injection** | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ |
| **XSS** | ✅ | ❌ | ❌ | ❌ | ⚠️ | ❌ |
| **Endpoints** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **CSRF / Headers** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **Config** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **Architecture** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **Performance** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **Vibe Code** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **AI Security** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **Dependencies** | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ |
| **Privacy/PII** | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
| **Malicious Files** | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
| **Repo Scanning** | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ |
| **AI Fix Prompts** | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ |
| **PDF Export** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| **Works Anywhere** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
⚠️ = Partial coverage via Semgrep rules
---
The Key Differences
1. SimplyScan Is Platform-Agnostic
Platform scanners only work on their own platform. Lovable's scanner only works on Lovable apps. Replit's scanner only works on Replit projects. SimplyScan works on **any deployed web application** - regardless of which tool built it.
Built with Lovable? Scan it. Built with Cursor + Vercel? Scan it. Built with Bolt? Scan it. Hand-coded? Scan it.
2. SimplyScan Covers Categories Others Don't Touch
No platform scanner checks for:
**CSRF protection and security headers** - critical for production apps
**Architecture risks** - rate limiting, IDOR, client-side business logic
**Performance as security** - N+1 queries and blocking I/O create DoS vectors
**AI-specific risks** - prompt injection in your app's AI features
**Vibe code quality** - patterns unique to AI-generated code
3. SimplyScan Scans Deployed Apps
Most platform scanners only analyze source code. SimplyScan scans your **live deployed application** - the JavaScript bundles, network requests, and API responses that real users (and attackers) see. This catches issues that source-only scanning misses, like secrets that get bundled during build or RLS policies that fail at runtime.
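To make the "deployed app" idea concrete, here is a small Python sketch, added for this article and not SimplyScan's own code, of the kind of checks a live-application scan runs on what it fetches: the secret and XSS-sink patterns it looks for in a JavaScript bundle, and the response-header and CORS checks it applies to an HTTP response. The regexes, the header list, the severity labels and the sample bundle and headers are all constructed assumptions for illustration; a real scanner carries a much larger, tuned rule set and fetches the bundle over the network instead of reading an inline string.

```python
import re
from typing import Dict, List, Tuple

# Simplified, constructed detection rules (name -> (pattern, redact_match?)).
# Real scanners use far larger rule sets; these just show the shape of a check.
SECRET_PATTERNS: Dict[str, Tuple[re.Pattern, bool]] = {
    "AWS access key ID": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), True),
    "Stripe secret key": (re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"), True),
    # Server-only env var names that should never appear in a client bundle
    "Server-only env var inlined in client bundle": (
        re.compile(r"\b[A-Z0-9_]*(?:SERVICE_ROLE|SECRET|PRIVATE_KEY)[A-Z0-9_]*\s*[:=]"),
        False,
    ),
}

XSS_SINKS: Dict[str, re.Pattern] = {
    "dangerouslySetInnerHTML": re.compile(r"dangerouslySetInnerHTML"),
    "innerHTML assignment": re.compile(r"\.innerHTML\s*="),
}

# Headers a production app is expected to send (assumed baseline).
EXPECTED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
)


def redact(token: str) -> str:
    """Keep only a short prefix so the scan report does not re-leak the secret."""
    return token[:6] + "..." if len(token) > 6 else token


def scan_bundle(js_text: str) -> List[Dict[str, str]]:
    """Secrets and XSS-sink checks over the text of a shipped JavaScript bundle."""
    findings: List[Dict[str, str]] = []
    for name, (pattern, do_redact) in SECRET_PATTERNS.items():
        for match in pattern.finditer(js_text):
            token = match.group(0)
            findings.append({
                "category": "Secrets",
                "check": name,
                "evidence": redact(token) if do_redact else token,
            })
    for name, pattern in XSS_SINKS.items():
        if pattern.search(js_text):
            findings.append({"category": "XSS", "check": name, "evidence": name})
    return findings


def check_headers(headers: Dict[str, str]) -> List[Dict[str, str]]:
    """Security-header and CORS checks over the response headers of the deployed app."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: List[Dict[str, str]] = []
    for name in EXPECTED_HEADERS:
        if name not in lowered:
            findings.append({"category": "CSRF / Headers", "check": f"missing {name}", "evidence": ""})
    if lowered.get("access-control-allow-origin") == "*":
        # A wildcard origin is worse when credentials are also allowed (assumed severity scale).
        with_creds = lowered.get("access-control-allow-credentials", "").lower() == "true"
        severity = "high" if with_creds else "medium"
        findings.append({
            "category": "Config",
            "check": "CORS wildcard origin",
            "evidence": f"Access-Control-Allow-Origin: * ({severity})",
        })
    return findings


def scan_app(headers: Dict[str, str], bundle: str) -> List[Dict[str, str]]:
    """Combine bundle and header checks into one report for a deployed app."""
    return scan_bundle(bundle) + check_headers(headers)


# Constructed sample input standing in for a fetched page: no real keys or hosts.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Access-Control-Allow-Origin": "*",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_BUNDLE = (
    'const c={SUPABASE_URL:"https://example.supabase.co",'
    'SUPABASE_SERVICE_ROLE_KEY:"eyJhbGciOiJIUzI1NiJ9.constructed.example"};'
    'const s3={accessKeyId:"AKIAIOSFODNN7EXAMPLE"};'  # AWS documentation example key
    'el.innerHTML=userInput;'
)

if __name__ == "__main__":
    for finding in scan_app(SAMPLE_HEADERS, SAMPLE_BUNDLE):
        print(f"[{finding['category']}] {finding['check']} {finding['evidence']}".rstrip())
```

Run against the constructed sample, the report lists two Secrets findings (the inlined service-role variable name and a redacted AWS-style key), one XSS sink, three missing headers and one CORS wildcard. The point of redacting matched tokens is that a scan report is itself shared and exported, so it must not become a second copy of the leaked credential.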
4. Complementary, Not Competitive
SimplyScan doesn't replace platform scanners - it fills the gaps they leave. Use your platform's built-in security features *and* SimplyScan together:
**Lovable + SimplyScan** → Lovable catches secrets and RLS basics; SimplyScan adds 10 more categories
**Replit + SimplyScan** → Replit handles dependencies and SAST; SimplyScan adds endpoint, CSRF, architecture, and AI security
**Cursor/Windsurf + SimplyScan** → These editors have no scanner; SimplyScan provides all 13 categories
Start Scanning
Run a free SimplyScan scan to check 3 core categories on any deployed web app. Go Pro for all 13 categories, 40+ checks, GitHub repo scanning, AI fix prompts, and PDF export at $29/month.
Platform-Specific Guides
[Is Lovable Safe?](/blog/is-lovable-safe)
[Is Cursor Safe?](/blog/is-cursor-safe)
[Is Bolt.new Safe?](/blog/is-bolt-safe)
[Is Replit Safe?](/blog/is-replit-safe)
[Is Windsurf Safe?](/blog/is-windsurf-safe)
[How to Read Your Scan Report](/blog/how-to-read-scan-report)
Scan Your Platform
[Lovable Security Scanner](/security-scanner/lovable)
[Bolt.new Security Scanner](/security-scanner/bolt)
[Cursor Security Scanner](/security-scanner/cursor)
[Replit Security Scanner](/security-scanner/replit)
[v0 Security Scanner](/security-scanner/v0)