The best security scanner for Bolt.new apps tests the deployed site, not just the code. CheckVibe (from $0) leads for Bolt: 100+ checks including the Bolt-signature failure modes, plus SEO/AEO scanning no competitor offers. VibeEval, Vibe App Scanner, and Scanbee are strong security-only options.
TL;DR
Bolt.new optimizes for "running" over "hardened": scaffolds routinely inline API keys into the client bundle (anything `VITE_`-prefixed ships to the browser), skip Supabase RLS, leave CORS wide open, and ship zero security headers. Because the damage lives in the deployed bundle and backend config, URL-based scanning catches what code review misses.
Paste your deployed Bolt.new URL and get 100+ security checks plus 68 SEO and 46 AEO checks in about 30 seconds — no repo access, no setup. For Bolt specifically: it scans every served static asset for 100+ API key patterns (the classic Bolt failure mode) and verifies Supabase RLS and CORS configuration on the live app. Findings ship as copy-paste AI fix prompts, and monitoring (uptime, vitals, threats) covers you after launch.
Best for: All-in-one security + visibility, from $0
Autonomous browser-agent security testing of the live app — including behind auth walls and CAPTCHAs (their claim). Security-only. Lists Bolt.new as a supported platform.
Best for: Deep agent-based security testing
One-time security audits of the deployed app: exposed secrets, database access rules (Supabase/Firebase), headers, auth. No free scan tier listed as of June 2026. Lists Bolt.new as a supported platform.
Best for: A cheap one-off pre-launch security audit
Five security scanner types — DAST, SAST, SCA, CSPM (AWS), vulnerability assessment — accepting both URLs and GitHub repos, with a native Supabase integration. Lists Bolt as a supported platform.
Best for: Source + live + cloud security in one product
Eighteen tools in one cheap subscription — a 9-area security scan, basic SEO scan, Lighthouse speed, and utility generators. Lighter per category. Covers Bolt.new on its homepage; its 9-area security scan includes hardcoded secrets.
Best for: Budget multi-tool quick checks
Start with the free scan.
100+ security checks, 68 SEO checks, 46 AEO checks — one URL, about 30 seconds.
Run a free CheckVibe scan

If the app has users, data, or payments — yes. AI-generated apps ship with a consistent set of gaps (exposed keys, missing access control, no headers), and every tool on this list catches issues a manual click-through never will. Start with a free scan; the result settles the question.
A free scan is enough to find out where you stand today. Paid tiers buy continuity (scheduled scans, monitoring, alerts) and depth (more pages crawled, more checks). For a side project, free-tier scans before each launch may genuinely suffice.
Bolt scaffolds Vite apps, and Vite ships every environment variable prefixed `VITE_` into the public JavaScript bundle. AI scaffolds frequently put real keys there "to make it work". A URL-based scan reads the same bundle an attacker would and flags every recognizable key shape.
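To make the failure mode concrete, here is a small Node.js scanner written for this article (it is not CheckVibe's or any listed tool's code): it runs secret-shaped regexes over the text of a served bundle and, for Supabase-style JWTs, decodes the `role` claim so a public anon key is reported as informational while a `service_role` key, which bypasses RLS, is flagged. The bundle text, the keys and the `fakeJwt` helper are all constructed for the demo.

```javascript
// Added example (not any listed tool's code): run secret-shaped regexes over a
// served JS bundle, as a URL-based scanner does. Keys and bundle are constructed.
const SECRET_PATTERNS = [
  { name: 'AWS access key id', re: /\bAKIA[0-9A-Z]{16}\b/g, severity: 'high' },
  { name: 'Stripe live secret key', re: /\bsk_live_[0-9A-Za-z]{24,}\b/g, severity: 'high' },
  { name: 'JWT', re: /\beyJ[\w-]+\.eyJ[\w-]+\.[\w-]+/g, severity: 'review' },
];
// Decode a JWT's payload segment without verifying it; only the claims matter here.
function decodeJwtPayload(token) {
  const b64 = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Supabase anon keys may ship to browsers (RLS still applies); service_role bypasses RLS.
function classifyJwt(token) {
  try {
    const role = decodeJwtPayload(token).role;
    if (role === 'service_role') return 'high';
    if (role === 'anon') return 'info';
  } catch (_) { /* payload is not JSON: leave for manual review */ }
  return 'review';
}

function findExposedSecrets(bundleText) {
  const findings = [];
  for (const { name, re, severity } of SECRET_PATTERNS) {
    for (const m of bundleText.matchAll(re)) {
      findings.push({ type: name, preview: m[0].slice(0, 10) + '...', // never log the full value
        severity: name === 'JWT' ? classifyJwt(m[0]) : severity });
    }
  }
  return findings;
}

// Build an unsigned, constructed JWT with the given claims (demo input only).
function fakeJwt(claims) {
  const b64url = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url(claims)}.fakesig`;
}

// Constructed bundle: what Vite emits when VITE_-prefixed vars hold real keys.
const SAMPLE_BUNDLE = [
  `const SUPABASE_ANON="${fakeJwt({ role: 'anon', iss: 'supabase' })}";`,
  `const SUPABASE_ADMIN="${fakeJwt({ role: 'service_role', iss: 'supabase' })}";`,
  `const STRIPE="sk_live_${'A'.repeat(24)}";`,
  `const AWS_ID="AKIAIOSFODNN7EXAMPLE";`,
].join('\n');
console.log(findExposedSecrets(SAMPLE_BUNDLE).filter((f) => f.severity === 'high'));
```

Against the constructed bundle the scanner reports three high-severity hits (the AWS key, the Stripe live key and the service_role JWT) and classifies the anon JWT as informational only.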
A pre-launch scan catches the launch-day disasters. But Bolt apps tend to change daily while you iterate, and each regeneration can reintroduce an old mistake — continuous or per-deploy scanning (CheckVibe scheduled scans, Vibe App Scanner's $99/mo plan) covers the drift.
Pricing and feature claims verified against these pages on June 12, 2026.