Securie for Bolt.new — secret scan + auth specialist for AI-prototyped apps

roadmap

Bolt.new (StackBlitz) reached 5M+ registered users in 2025. Apps default to Vite-bundled clients, where giving a secret the wrong env-var prefix (VITE_) inlines it into the browser bundle. The auth pattern is opt-in — if you didn't say 'authenticated only', the route handler shipped without auth. Securie's role: secret_scanner on the bundle, AuthAuthz on the route handlers.

What it does

Bolt-generated apps fail in three canonical ways: (1) leaked API keys in the client bundle (a secret accidentally given the VITE_ prefix, which Vite exposes to browser code), (2) missing auth on route handlers (auth was opt-in in the prompt), (3) CORS set to '*' in dev that never got tightened for production. Securie's secret_scanner catches (1) at PR time; the AuthAuthz specialist catches (2); the cors_misconfig specialist catches (3).

When to use it

Any team shipping Bolt.new apps to real users. Especially teams shipping payment or auth flows.

Limitations

Roadmap status. Bolt-internal review (security findings inside Bolt's editor) is post-GA. See /safe/is-bolt-new-safe.

Install

  1. Connect Bolt.new's GitHub export to a real GitHub repo
  2. Install the Securie GitHub App on that repo
  3. Set up the Netlify or Vercel deploy gate (whichever Bolt.new is deploying through)
  4. Audit env vars: VITE_/PUBLIC_ only for public constants, never keys
  5. Push any commit; Securie reviews on the PR within 30-90 seconds
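A minimal, self-contained illustration of the three checks described above and of the env-var audit in step 4, written as an added example for this page rather than Securie's own scanner code. It reads a `.env` file and an Express-style server file as text, flags client-exposed variables whose name or value looks like a credential, flags routes registered without an auth middleware (the middleware names, the public-path allowlist and the entropy threshold are assumptions, not Securie's rules), and flags wildcard CORS. Both inputs are constructed samples with placeholder values.

```javascript
// Added example, not Securie's own code: a source-text audit for the three
// Bolt.new failure modes named above. Inputs below are constructed samples.

// Prefixes that Vite (VITE_) and similar bundlers inline into the browser bundle.
const EXPOSED_PREFIXES = ['VITE_', 'PUBLIC_'];
// Variable names that almost always hold credentials rather than public constants.
const SECRET_NAME = /SECRET|TOKEN|PRIVATE|PASSWORD|API_?KEY|SERVICE_ROLE|CREDENTIAL/i;

// Shannon entropy in bits per character: random-looking keys score above prose or URLs.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}

// Failure mode (1): a credential exposed to the client through its env-var prefix.
function auditEnv(envText) {
  const findings = [];
  envText.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith('#') || !line.includes('=')) return;
    const eq = line.indexOf('=');
    const name = line.slice(0, eq).trim().replace(/^export\s+/, '');
    const value = line.slice(eq + 1).trim().replace(/^(['"])(.*)\1$/, '$2');
    if (!EXPOSED_PREFIXES.some((p) => name.startsWith(p))) return; // server-only var
    const reasons = [];
    if (SECRET_NAME.test(name)) reasons.push('secret-like name');
    // 4.0 bits/char is an assumed threshold: URLs sit around 3.5, random keys above 4.
    if (value.length >= 20 && shannonEntropy(value) > 4.0) reasons.push('high-entropy value');
    if (reasons.length) findings.push({ line: i + 1, name, reasons });
  });
  return findings;
}

// Failure mode (2): an Express-style route with no auth middleware before its handler.
const ROUTE = /\b(?:app|router)\.(get|post|put|patch|delete)\(\s*(['"`])([^'"`]+)\2\s*,/;
const AUTH_MW = /\b(requireAuth|authenticate|isAuthenticated|ensureAuth|requireSession)\b/; // assumed names
const PUBLIC_PATHS = new Set(['/health', '/login', '/signup']); // assumed allowlist
function auditRoutes(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, i) => {
    const m = ROUTE.exec(line);
    if (!m || PUBLIC_PATHS.has(m[3])) return;
    // Only the middleware segment between the path and the handler counts.
    const rest = line.slice(m.index + m[0].length);
    const handlerAt = rest.search(/\basync\b|\bfunction\b|\(\s*req\b/);
    const middleware = handlerAt < 0 ? rest : rest.slice(0, handlerAt);
    if (!AUTH_MW.test(middleware)) findings.push({ line: i + 1, route: `${m[1].toUpperCase()} ${m[3]}` });
  });
  return findings;
}

// Failure mode (3): wildcard CORS left in from development.
const CORS_WILDCARD = /origin\s*:\s*['"]\*['"]|Access-Control-Allow-Origin['"]?\s*[,:]\s*['"]\*['"]/;
function auditCors(source) {
  return source.split(/\r?\n/)
    .map((line, i) => (CORS_WILDCARD.test(line) ? { line: i + 1, text: line.trim() } : null))
    .filter(Boolean);
}

// Constructed sample inputs; every value is a placeholder, not a real credential.
const SAMPLE_ENV = [
  '# constructed .env',
  'VITE_APP_NAME=demo',
  'VITE_API_BASE_URL=https://api.example.test',
  'VITE_STRIPE_SECRET_KEY=sk_test_EXAMPLE_PLACEHOLDER_0000000000',
  'STRIPE_SECRET_KEY=sk_test_EXAMPLE_PLACEHOLDER_0000000000',
  'VITE_DEPLOY_ID=aK9xQ2mZ7vB4nL8pR3wT5yU1',
].join('\n');
const SAMPLE_SERVER = [
  "app.use(cors({ origin: '*' }));",
  "app.get('/health', (req, res) => res.send('ok'));",
  "app.get('/api/orders', async (req, res) => res.json(await listOrders(req.query.user)));",
  "app.post('/api/orders', requireAuth, async (req, res) => res.json(await createOrder(req.body)));",
].join('\n');

function runAudit() {
  return { env: auditEnv(SAMPLE_ENV), routes: auditRoutes(SAMPLE_SERVER), cors: auditCors(SAMPLE_SERVER) };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

On the sample, `VITE_STRIPE_SECRET_KEY` is reported by name and `VITE_DEPLOY_ID` by value entropy, while `STRIPE_SECRET_KEY` (server-only) and the public URL pass; `GET /api/orders` is reported for having no auth middleware, `POST /api/orders` is not; the `origin: '*'` line is reported. The name and entropy heuristics deliberately err toward false positives, which is the right trade-off for a PR-time gate where a human reviews each finding.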

Listed on

Bolt.new