Bolt security scan
Scan your Bolt app for exposed keys and open databases
Bolt makes shipping fast, and fast-shipped apps often leave a database open or a secret in the browser bundle. The scan checks the handful of gaps that actually bite people.
A sample of what you might see
The public key in your bundle can read a table it should not, which usually means Row Level Security is off.
{ "id": 1, "owner_email": "•••@•••.com" }
Illustrative, redacted. We never store your data.
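The finding above comes down to a table setting. Here, as an added example that is not the scanner's or the page's own code, is the weak Postgres state beside the corrected one; it assumes a Supabase-style Postgres backend, a hypothetical table named records with the columns from the sample, and Supabase's auth.jwt() helper for reading the caller's JWT claims.

```sql
-- Added example; assumptions: Postgres behind the app (as Supabase provides),
-- a hypothetical table "records" with the sample's columns, and the Supabase
-- auth.jwt() helper that exposes the verified claims of the calling user.

-- Weak state: RLS is off (the default on a new table). Any request that
-- presents the public (anon) key shipped in the browser bundle can SELECT
-- every row, which is exactly what the scan reports.
CREATE TABLE records (
  id          serial PRIMARY KEY,
  owner_email text NOT NULL
);

-- Corrected state: turn RLS on and add a policy so a caller only sees rows
-- whose owner_email equals the email claim in their own JWT. With the anon
-- key and no signed-in user the claim is NULL, so no row matches.
ALTER TABLE records ENABLE ROW LEVEL SECURITY;

CREATE POLICY records_owner_read ON records
  FOR SELECT
  USING (owner_email = (auth.jwt() ->> 'email'));

-- Verify from the outside, as the scan does: issued with only the public key
-- and no user session, this must now return zero rows instead of the table.
SELECT id, owner_email FROM records;
```

Until a policy exists, enabling RLS denies all rows to non-owner roles, so the only rows a visitor can read are those a policy explicitly grants.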
It reads only what a browser already downloads from your live app and checks your database access from the outside.
Supports JavaScript and TypeScript apps today. The scan is passive and outside-in. See how the scanner stays safe.
Questions
Is the scan safe to run on my Bolt app?
Yes. It is read-only and outside-in, never logs in, never writes, and never runs a write test. See the scanner-safety page for detail.
Does it work for any Bolt app?
It works for deployed JavaScript and TypeScript apps reachable at a public URL. Paste the link and confirm you own it.
Which check do I need?
Check my live app
Scan a deployed URL for what it leaks to any visitor: exposed keys, open databases, reachable files.
Free instant scan →
Check my repo / CI hygiene
Review your GitHub Actions and repository config for security gaps in how you build and ship.
Repo & CI check →
Get it fixed
We verify the issues, fix them, and prove the fix in a reviewable pull request.
See packages →