[Screenshot: Project Security Center showing agent security scan results with vulnerabilities categorized by severity]

What is the Project Security Center?

The Project Security Center is your project’s central hub for finding and fixing security and privacy vulnerabilities before you publish. Open the Security pane in your Project to see a summary of all known issues across your codebase — this is where you go to run security scans on your app. The Project Security Center supports two types of scans:
  • Automatic dependency scans — free, lightweight scans that check your project’s packages against known vulnerability databases
  • Agent security reviews — comprehensive, AI-powered reviews that combine LLMs with deterministic static code analysis tools to audit your entire codebase
Both scan types surface results in the same Security pane, organized by severity so you can focus on the most impactful issues first.

Understanding scan results

Results from both scan types appear in the Security pane, categorized by severity level:
  • Critical: Vulnerabilities that pose an immediate risk and should be addressed before publishing. Examples include remote code execution, SQL injection in exposed endpoints, and leaked credentials.
  • High: Serious issues that could be exploited under certain conditions, such as cross-site scripting (XSS), insecure authentication flows, or unpatched dependencies with known exploits.
  • Medium: Issues that represent a potential risk but are less likely to be exploitable, such as missing security headers or overly permissive CORS configurations.
  • Low / Informational: Minor issues or best-practice recommendations, such as deprecated API usage or verbose error messages in production.

Automatic dependency scans

Automatic dependency scans audit the packages your project depends on against known vulnerability databases. These scans are free and run automatically. Dependency scanning supports Node.js/npm, Python, Go, Rust, PHP, and Ruby. For example, a scan might flag a known vulnerability in an outdated package like express@4.18.2. Some vulnerable dependencies can be updated automatically, while others require manual changes or have no fix available yet.
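To make the mechanics of a dependency scan concrete, here is an added example (not Replit's scanner and not code from this page) that does what such a scan does in miniature: it reads the dependencies of a package.json-shaped object, compares each pinned version against an advisory list, and reports matches most severe first, marking whether a fixed version exists. The advisory entries, package names, and ids such as EXAMPLE-0001 are constructed sample data for this example, not real vulnerability records.

```javascript
// Added example: a minimal dependency check in the style of an automatic
// dependency scan. Advisory entries, package names, and ids below are
// constructed sample data, not real vulnerability records.

const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3 };

// Parse "1.2.3" into [1, 2, 3]. A leading ^ or ~ is stripped because only
// the pinned version is compared here, not the whole semver range.
function parseVersion(v) {
  return v.replace(/^[\^~]/, "").split(".").map((n) => parseInt(n, 10));
}

// Return -1, 0 or 1 comparing version a to b numerically, component by component,
// so that "1.10.0" sorts after "1.9.0" (a plain string compare would get this wrong).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Constructed advisory database: each entry names the affected package, the
// version below which it is affected, and the fixing version (null = no fix yet).
const ADVISORIES = [
  { id: "EXAMPLE-0001", pkg: "example-pkg-a", severity: "high", below: "1.3.0", fixedIn: "1.3.0" },
  { id: "EXAMPLE-0002", pkg: "example-pkg-b", severity: "critical", below: "2.0.0", fixedIn: null },
  { id: "EXAMPLE-0003", pkg: "example-pkg-b", severity: "low", below: "0.9.0", fixedIn: "0.9.0" },
];

// Scan dependencies and devDependencies and return findings, most severe first.
// `fixable` mirrors the page's note that some issues can be updated
// automatically while others have no fix available.
function scanDependencies(packageJson, advisories = ADVISORIES) {
  const deps = { ...(packageJson.dependencies || {}), ...(packageJson.devDependencies || {}) };
  const findings = [];
  for (const [name, version] of Object.entries(deps)) {
    for (const adv of advisories) {
      if (adv.pkg === name && compareVersions(version, adv.below) < 0) {
        findings.push({
          id: adv.id,
          package: name,
          installed: version.replace(/^[\^~]/, ""),
          severity: adv.severity,
          fixable: adv.fixedIn !== null,
          fixedIn: adv.fixedIn,
        });
      }
    }
  }
  return findings.sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity]);
}

// Constructed package.json for demonstration.
const SAMPLE_PACKAGE_JSON = {
  name: "demo-app",
  dependencies: { "example-pkg-a": "^1.1.3", "example-pkg-b": "1.4.0", "example-pkg-c": "3.0.0" },
};

console.log(scanDependencies(SAMPLE_PACKAGE_JSON));
```

Running this reports two findings: the critical one for example-pkg-b (installed 1.4.0 is below 2.0.0 and no fix exists, so it needs a manual workaround or removal) and the high one for example-pkg-a (fixable by upgrading to 1.3.0). The low advisory does not match because 1.4.0 is not below 0.9.0, and example-pkg-c has no advisory at all.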

Agent security scans

Agent security scans go beyond dependency checks to perform a comprehensive audit of your entire codebase. Security Agent uses LLMs alongside deterministic static code analysis tools like Semgrep and HoundDog.ai to find vulnerabilities that pattern-matching alone would miss.
Agent security scans are available to all paid Replit users. For larger projects, a deep audit can take up to 15 minutes to ensure a thorough assessment.

What Security Agent does

When you start an agent security scan, Security Agent performs a full review of your codebase:
  1. Maps your architecture — identifies routes, APIs, data flows, and entry points
  2. Builds a threat model — creates a customizable threat modeling plan for your application
  3. Runs static analysis — uses Semgrep and HoundDog.ai to scan for code-level vulnerabilities and privacy issues
  4. Analyzes findings with AI — evaluates whether flagged issues are actually exploitable in your application’s context, significantly reducing false positives
  5. Generates a findings report — presents identified risks for your review
Agent security scans cover a broad range of vulnerability categories:
  • Static analysis (SAST) issues: Insecure code patterns like SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF)
  • Privacy issues: Sensitive data flowing into risky sinks like logs, files, or third-party APIs
  • Architectural vulnerabilities: Security gaps in how your routes, APIs, and data flows are structured
For example, the review might flag an unparameterized database query:
const query = `SELECT * FROM users WHERE username = '${userInput}'`;
Or code that logs sensitive user data:
logger.info("New signup", {
  email: user.email,
  phoneNumber: user.phoneNumber,
  address: user.address,
});
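The two snippets above are the findings as a scan would present them. As an added example (not code from this page or from Security Agent), here is each pattern next to a hardened form: the query is returned in the { text, values } shape that parameterized drivers such as node-postgres accept, so the input never becomes part of the SQL text, and the signup log payload is redacted before it reaches any logger. The sensitive-key list and the sample user are assumptions constructed for this example.

```javascript
// Added example: the flagged SQL and logging patterns beside hardened forms.
// No database or logging library is needed to run it.

// Flagged form: the input is spliced into the SQL text, so any quote in the
// input changes the statement itself (kept only to contrast with the safe form).
function unsafeUserLookup(userInput) {
  return { text: `SELECT * FROM users WHERE username = '${userInput}'`, values: [] };
}

// Hardened form: the SQL text is fixed and the input travels separately as a
// bound parameter ($1), so the driver never interprets it as SQL.
function safeUserLookup(userInput) {
  return { text: "SELECT * FROM users WHERE username = $1", values: [userInput] };
}

// Keys a privacy finding would treat as sensitive when they flow into a log
// sink. Assumed list for this example; extend it to match your data model.
const SENSITIVE_KEYS = new Set(["email", "phoneNumber", "address", "password", "ssn"]);

// Return a copy of `payload` with sensitive fields masked. Emails keep their
// domain so the log line stays useful for debugging; other sensitive fields
// are replaced entirely. Nested objects are redacted recursively.
function redactForLog(payload) {
  const out = {};
  for (const [key, value] of Object.entries(payload)) {
    if (value && typeof value === "object" && !Array.isArray(value)) {
      out[key] = redactForLog(value);
    } else if (key === "email" && typeof value === "string" && value.includes("@")) {
      out[key] = "***@" + value.split("@")[1];
    } else if (SENSITIVE_KEYS.has(key)) {
      out[key] = "[REDACTED]";
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Hardened version of the signup log call from the page: only redacted data
// reaches the logger. `logger` is any object with an info(msg, meta) method.
function logSignup(logger, user) {
  const meta = redactForLog({
    userId: user.id,
    email: user.email,
    phoneNumber: user.phoneNumber,
    address: user.address,
  });
  logger.info("New signup", meta);
  return meta;
}

// Constructed sample input. A username containing a quote is enough to show
// why interpolation is fragile: it breaks the unsafe statement but is handled
// correctly as a bound parameter.
const QUOTED_NAME = "O'Brien";
const SAMPLE_USER = { id: 42, email: "alice@example.com", phoneNumber: "+1-555-0100", address: "1 Main St" };

console.log(unsafeUserLookup(QUOTED_NAME).text); // the quote lands inside the SQL text
console.log(safeUserLookup(QUOTED_NAME));        // text unchanged, input carried in values
console.log(logSignup(console, SAMPLE_USER));    // email domain kept, other PII masked
```

When remediating a finding like this, the check to make is that the SQL string passed to the driver is a constant and every user-controlled value appears only in the values array; for the logging finding, the check is that nothing in the logged object is a raw copy of a sensitive field.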

Starting an agent security scan

  1. Open the Security pane in your Project to launch the Project Security Center.
  2. Select Run Scan with Agent.
  3. Optionally customize the threat modeling prompt to focus on specific areas of your application.
  4. Wait for the review to complete. This typically takes a few minutes, but can take up to 15 minutes for larger projects.
After the review completes, Security Agent generates a report of identified risks. You can review the vulnerability details, dismiss findings you understand and are willing to accept, or revise findings before sending them for remediation. Once you’ve reviewed the findings, pass the accepted issues to Replit Agent for remediation. Security Agent automatically organizes vulnerabilities into separate tasks, enabling Replit Agent to fix multiple issues in parallel. After fixes are applied, run another scan to confirm the issues are resolved.

Limitations and best practices

  • Privacy and data handling: All scanning runs on Replit infrastructure. Your code and data are not sent to Semgrep, HoundDog.ai, or other third parties. Scan configuration and results stay attached to your Replit App.
  • Language support:
    • Dependency scanning supports many popular ecosystems (including Node.js/npm, Python, Go, Rust, PHP, and Ruby).
    • Automatic dependency fixing is currently focused on Node.js/npm.
  • Not a full security review: Use scans alongside code review, tests, and live app checks.
  • Re-run after changes: Run a scan again:
    • After adding or updating dependencies
    • After making major code changes
    • Before publishing a new version
For best results, treat the Project Security Center as part of your normal development workflow, not a one-time check. Run an agent security review every time you publish major changes to your app.

Next steps