The Security center helps teams identify risks, prioritize fixes, and track security coverage across projects at scale.
- Available on: Business and Enterprise plans
- Access: Workspace admins and owners
- Location: Settings → Workspace → Security center
What the Security center shows
The Security center is organized into four main sections, each focused on a different aspect of workspace security. It combines code analysis, supply chain security, secrets management, and authentication policy into a single workspace-level view. Each tab that supports export shows an Export dropdown in the top-right corner. The dropdown offers options to export everything or export only the current filtered view. All exports are downloaded as CSV files.
Code analysis
Review security findings from automated security scanning across all projects in your workspace. Summary cards provide an at-a-glance view of total projects, projects with findings, and scan coverage.
- Errors: Critical security issues that require immediate attention
- Warnings: Important security concerns that should be reviewed
- Info: Informational findings that provide additional context
- Scan status: When projects were last scanned, including live scanning indicators
- Visibility: The project’s publish status, whether it is draft (not published), workspace (published internally to the workspace), or public (published publicly)
- CSV export: Export the projects table as a CSV file. The export includes project name, project ID, visibility, error/warning/info counts, last scan date, and last edited date.
Supply chain security
Monitor dependency vulnerabilities across your entire workspace. Summary cards highlight vulnerability counts by severity and overall scan coverage.
- Two views: Review vulnerabilities by project or by vulnerability
- Vulnerabilities by severity: Categorized as critical, high, or medium
- Affected projects: Which projects use vulnerable dependencies
- Vulnerable packages: Package names, affected versions, and fixed versions when available
- CSV export: The Export dropdown offers multiple options depending on the active view:
  - Export full dependency list: Downloads a complete list of all packages across all projects (generated server-side)
  - Export all projects or Export all vulnerabilities: Downloads the full projects or vulnerabilities table
  - Export current filter: Downloads only the filtered results when filters are active
Secrets overview
View all secrets across every project in your workspace from a single table. The Secrets overview gives admins visibility into what secrets exist and which projects they belong to. For each secret, you’ll see:
- Secret name: The name of the secret (for example, OpenAI API Key). Secret values are never shown.
- Associated project: The project the secret belongs to
- Type: The type of secret, whether it is user-created or Lovable-generated
- Visibility: The associated project’s publish status, whether it is draft (not published), workspace (published internally to the workspace), or public (published publicly)
- Creation date: When the secret was added
- Security findings: Project-level security findings and severity
- CSV export: The Export dropdown offers multiple options:
  - Export everything: Downloads the full secrets table across all projects
  - Export current filter: Downloads only the filtered results when filters are active
Auth policy
Configure which sign-in methods are available across your workspace. Disabled methods are locked for all projects: project owners cannot re-enable them, and changes take effect immediately. Supported sign-in methods:
- Email (magic link)
- Phone (SMS)
- Apple
- SAML (SSO)
Why use the Security center
The Security center helps teams stay on top of security issues by making risks visible, comparable, and actionable across projects.
- Centralized oversight: Review security findings across your entire workspace without opening projects individually.
- Clear prioritization: Focus on projects with critical errors, high-severity vulnerabilities, or outdated scans.
- Visibility into scan coverage: See which projects are up to date and which may need security reviews.
- Dependency risk awareness: Understand how vulnerable dependencies affect multiple projects and coordinate updates efficiently.
- Secrets visibility: See every secret across your workspace in one place, identify stale credentials, and manage secrets from a centralized view.
Running security scans
In addition to viewing results, you can trigger security scans from the Code analysis tab without opening individual projects.
- Run scans centrally: Start a security scan for any project from the Code analysis tab
- Last scan timestamps: See when each project was last scanned so you can identify outdated results at a glance
- Risky project identification: Spot projects that are public or recently changed but have outdated or missing scan results
- Never-scanned detection: Flag projects that have never been scanned, catching cases where the scanning process may have been skipped entirely
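A triage pass over a Code analysis CSV export that applies the checks listed above (never scanned, edited after the last scan, stale scan, open errors) and sorts flagged projects by visibility. This is an added example, not Lovable's code; the column headers, ISO 8601 timestamps, the empty cell meaning "never scanned", and the 30-day threshold are assumptions to adjust to the real export.

```python
import csv
import io
from datetime import datetime, timedelta

# Assumed column headers: the page lists the exported fields, not their exact names.
COLS = {"name": "Project name", "visibility": "Visibility", "errors": "Errors",
        "scanned": "Last scan date", "edited": "Last edited date"}
VISIBILITY_RANK = {"public": 0, "workspace": 1, "draft": 2}

def _parse(ts):
    """Return a datetime, or None for an empty cell (assumed: never scanned)."""
    return datetime.fromisoformat(ts) if ts.strip() else None

def triage(csv_text, now, max_age_days=30):
    """Return (project, visibility, reasons) tuples, most exposed projects first."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        scanned = _parse(row[COLS["scanned"]])
        edited = _parse(row[COLS["edited"]])
        reasons = []
        if scanned is None:
            reasons.append("never scanned")
        else:
            if edited and edited > scanned:
                reasons.append("edited after last scan")
            if now - scanned > timedelta(days=max_age_days):
                reasons.append("scan older than %d days" % max_age_days)
        if int(row[COLS["errors"]] or 0) > 0:
            reasons.append("open errors")
        if reasons:
            flagged.append((row[COLS["name"]], row[COLS["visibility"]].lower(), reasons))
    # Public first, then workspace, then draft; more reasons first within a tier.
    flagged.sort(key=lambda f: (VISIBILITY_RANK.get(f[1], 3), -len(f[2])))
    return flagged

# Constructed sample export (not real data).
SAMPLE = """Project name,Project ID,Visibility,Errors,Warnings,Info,Last scan date,Last edited date
storefront,p-001,public,2,1,0,2024-05-01T10:00:00,2024-06-10T09:00:00
internal-wiki,p-002,workspace,0,3,1,2024-06-14T08:00:00,2024-06-12T08:00:00
prototype,p-003,draft,0,0,0,,2024-06-01T12:00:00
landing,p-004,public,0,0,0,2024-06-13T12:00:00,2024-06-13T11:00:00
"""

if __name__ == "__main__":
    for name, vis, reasons in triage(SAMPLE, now=datetime(2024, 6, 15)):
        print(f"{name:15} {vis:10} {', '.join(reasons)}")
```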
Common use cases
The Security center supports both routine reviews and time-sensitive security work, including:
- Release readiness and audits: Confirm projects meet security standards before shipping or compliance reviews.
- Project onboarding and handoffs: Ensure inherited or transferred projects have been scanned and don’t introduce security risks.
- Critical vulnerability response: Quickly identify affected projects when new dependency issues are announced.
- Secret auditing: Search for a specific API key by name and see every project that uses it, making it easy to audit usage or coordinate key rotation.
- Stale secret cleanup: Sort secrets by creation date to find old credentials tied to unused projects, and remove them to reduce unnecessary exposure.
- Security reporting: Export dependency or secrets data as CSV files when you need a point-in-time snapshot for audits, reviews, or internal tracking.
- Ongoing monitoring: Regularly review findings and address new issues as part of a weekly or monthly cadence.
Best practices for using the Security center
The Security center is designed for ongoing review rather than a fixed workflow. The following best practices reflect how teams commonly use it.
- Start with the workspace overview: Review overall security status to understand how many projects have errors, warnings, or outdated scans.
- Prioritize projects that need attention: Use filters to focus on projects with critical errors, high-severity vulnerabilities, or recent warnings.
- Check scan freshness: Identify projects that haven’t been scanned recently and may need updated security reviews.
- Review dependency vulnerabilities: Inspect vulnerable packages by severity to see which issues affect multiple projects and require coordinated updates.
- Take action within individual projects: Use the View action on a project to open its security details, run new scans, update dependencies, and resolve findings in the Project security view.
FAQ
Who can access the Security center?
Does the Security center run scans automatically?
What’s the difference between errors, warnings, and info?
- Errors are critical security issues that should be resolved before publishing.
- Warnings are important concerns that may not be critical but should be reviewed.
- Info findings provide additional context to help teams better understand their security posture.
What does "visibility" mean?
- Draft: Not published
- Workspace: Published internally and accessible by workspace members only
- Public: Published publicly and accessible by anyone with the link
Why do some projects show as never scanned?
Does the Security center show historical data?
Can I export security data?
Can I see actual secret values in the Secrets overview?
OpenAI API Key), not the secret values themselves. Secret values are never included in exports.
Can I update a secret from the Security center?
What do security findings mean on a secret row?
Can I run a security scan from the Security center?