Vibe coding platforms have a security problem, and Lovable has been at the center of it. Now the company is trying to make safety a default rather than an afterthought. Lovable shipped a new security experience that runs a scan automatically every time you hit publish, with an optional AI agent that quietly fixes problems as you keep building.

According to Lovable, a basic security scan now runs automatically every time you publish, covering database configurations, RLS policies, and cloud project settings in about 10 to 15 seconds. It runs for everyone, whether you ask for it or not.

What the scan actually checks

When you click publish, the scan kicks off in the background. In about 10 to 15 seconds, it checks for the most common and impactful issues: database misconfigurations, missing RLS policies, and authorization gaps.

RLS, or Row Level Security, is the access-control system in Postgres databases that decides which rows of data each user can see or change. Get it wrong and anyone with your public API key can read your entire database.

By the time the publish dialog finishes loading, you see one of three outcomes: the scan passed, warnings were found, or critical issues were found. If you or your workspace admin enabled publish blocking, you must fix the critical ones first. Publish blocking is an Enterprise-only gate.