# How to run security checks in Replit

- Tool: Replit
- Difficulty: Beginner
- Time required: 15-20 minutes
- Compatibility: All Replit plans (Starter, Core, Pro). Works with Node.js (npm audit) and Python (pip-audit) projects.
- Last updated: March 2026

## TL;DR

You can run automated security scans in Replit by using npm audit for Node.js or pip-audit for Python directly in the Shell tab. These tools check your dependencies for known vulnerabilities and suggest fixes. Combine them with proper Secrets management and a pre-deployment audit step in your .replit build command to catch security issues before they reach production.

## Run Security Scans on Your Replit Project to Catch Vulnerabilities Early

This tutorial walks you through setting up automated security scanning in Replit so you can identify vulnerable dependencies, exposed secrets, and common security issues before deploying. You will learn how to run dependency audits from the Shell, integrate scans into your build process, and follow Secrets hygiene practices that prevent accidental credential exposure. No security experience is required — these are straightforward tools that report issues in plain language.

## Before you start

- A Replit account (free Starter plan works for scanning, Core or Pro needed for deployment)
- A Replit App with Node.js or Python dependencies installed
- Basic familiarity with the Replit Shell tab
- No prior security or DevOps experience required

## Step-by-step guide

### 1. Run a dependency audit in the Shell

Open the Shell tab in your Replit workspace. For Node.js projects, run npm audit to scan all packages in node_modules for known vulnerabilities. For Python projects, install pip-audit first, then run it. Both tools check your installed packages against public vulnerability databases (the GitHub Advisory Database for npm, the Python Advisory Database for pip-audit) and report any issues with severity ratings from low to critical.

```
# For Node.js projects:
npm audit

# For Python projects:
pip install pip-audit
pip-audit
```

**Expected result:** The audit tool prints a table of vulnerabilities (if any) with severity levels, affected packages, and recommended fix versions. If no vulnerabilities are found, it prints 'found 0 vulnerabilities.'

### 2. Fix reported vulnerabilities

For Node.js projects, run npm audit fix to automatically update packages to patched versions where possible. Some fixes require major version bumps that may introduce breaking changes — npm audit fix --force handles these but review the changes carefully. For Python projects, pip-audit suggests updated versions in its output. Update specific packages with pip install package==version. Always test your app after updating to make sure nothing broke.

```
# Auto-fix Node.js vulnerabilities:
npm audit fix

# For breaking changes that need major updates:
npm audit fix --force

# For Python, update specific packages:
pip install requests==2.31.0
```

**Expected result:** Re-running npm audit or pip-audit after fixing shows fewer or zero vulnerabilities. Your app runs without errors after the updates.

### 3. Review your Secrets hygiene

Open Tools in the left sidebar and click Secrets. Verify that all API keys, database credentials, and tokens are stored here — not hardcoded in your source files. Search your code files for common patterns like 'sk-', 'api_key =', 'password =', or 'Bearer' to find any credentials that may be embedded directly in code. Move any found values to Secrets and replace them with os.getenv() or process.env references. Remember that collaborators can see Secret values, and remixers can see Secret names but not values.

```
# Python — correct way to access secrets:
import os
api_key = os.getenv("API_KEY")

# Node.js — correct way to access secrets:
const apiKey = process.env.API_KEY;

# WRONG — never do this:
api_key = "sk-abc123..."  # Hardcoded secret!
```

**Expected result:** All sensitive values are stored in Tools → Secrets and accessed through environment variables. No API keys or passwords appear in your source code.

### 4. Add a security scan to your build command

To catch vulnerabilities automatically before every deployment, add an audit step to the build command in your .replit file. Open .replit (enable Show hidden files if needed) and modify the deployment build command to run the audit before building. Using npm audit --audit-level=high makes the build fail only for high or critical severity issues, so minor advisories do not block deployments unnecessarily.

```
# .replit
[deployment]
build = ["sh", "-c", "npm audit --audit-level=high && npm run build"]
run = ["sh", "-c", "node index.js"]
deploymentTarget = "cloudrun"
```

**Expected result:** Deployments will fail if high or critical vulnerabilities are found in your dependencies, preventing insecure code from reaching production.

### 5. Check for common OWASP issues in your code

Beyond dependency scanning, review your code for the most common web application security issues from the OWASP Top 10. In Replit projects, the most relevant issues are: injection attacks (always use parameterized queries for database operations, never string concatenation), broken authentication (validate tokens server-side, not just client-side), and sensitive data exposure (use HTTPS-only, store secrets properly). These are manual checks, but knowing what to look for prevents the most common security failures.

```
# WRONG — SQL injection vulnerability:
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")

# CORRECT — parameterized query:
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))

# WRONG — client-side only auth check:
if (localStorage.getItem('isAdmin')) { showAdminPanel(); }

# CORRECT — server-side validation:
// Validate the user's token on every API request server-side
```

**Expected result:** Your code uses parameterized queries for all database operations, validates authentication server-side, and does not expose sensitive data in client-side code.

## Complete code example

File: `security_check.sh`

```bash
#!/bin/bash
# security_check.sh — Run all security scans for a Replit project
# Execute in Shell: bash security_check.sh

echo "=== Replit Security Scan ==="
echo ""

# Step 1: Check for hardcoded secrets
echo "[1/4] Scanning for hardcoded secrets..."
SECRET_PATTERNS='(sk-|api_key|apikey|secret_key|password|token|Bearer )'
FOUND=$(grep -rn "$SECRET_PATTERNS" . \
  --include='*.py' --include='*.js' --include='*.ts' --include='*.jsx' --include='*.tsx' \
  --exclude-dir=node_modules --exclude-dir=.git \
  -i 2>/dev/null | grep -v 'os.getenv\|process.env\|os.environ\|getenv(' || true)

if [ -n "$FOUND" ]; then
  echo "WARNING: Possible hardcoded secrets found:"
  echo "$FOUND"
else
  echo "OK: No hardcoded secrets detected."
fi
echo ""

# Step 2: Run npm audit (Node.js projects)
if [ -f "package.json" ]; then
  echo "[2/4] Running npm audit..."
  npm audit --audit-level=high 2>/dev/null
  if [ $? -ne 0 ]; then
    echo "WARNING: High or critical vulnerabilities found."
  else
    echo "OK: No high/critical npm vulnerabilities."
  fi
else
  echo "[2/4] Skipped — no package.json found."
fi
echo ""

# Step 3: Run pip-audit (Python projects)
if [ -f "requirements.txt" ]; then
  echo "[3/4] Running pip-audit..."
  pip-audit 2>/dev/null
  if [ $? -ne 0 ]; then
    echo "WARNING: Python dependency vulnerabilities found."
  else
    echo "OK: No Python dependency vulnerabilities."
  fi
else
  echo "[3/4] Skipped — no requirements.txt found."
fi
echo ""

# Step 4: Check .replit for exposed env vars
echo "[4/4] Checking .replit for inline secrets..."
if [ -f ".replit" ]; then
  INLINE_SECRETS=$(grep -n 'KEY\|SECRET\|PASSWORD\|TOKEN' .replit 2>/dev/null | grep '=' || true)
  if [ -n "$INLINE_SECRETS" ]; then
    echo "WARNING: Possible secrets in .replit file:"
    echo "$INLINE_SECRETS"
  else
    echo "OK: No inline secrets in .replit."
  fi
fi

echo ""
echo "=== Security scan complete ==="
```

## Common mistakes

- **Hardcoding API keys directly in source code instead of using Secrets** — undefined Fix: Move all sensitive values to Tools → Secrets and access them with os.getenv('KEY') in Python or process.env.KEY in Node.js.
- **Ignoring npm audit warnings because the app 'works fine'** — undefined Fix: Vulnerabilities in dependencies can be exploited even if your app functions correctly. Run npm audit fix to patch known issues.
- **Using string concatenation to build SQL queries with user input** — undefined Fix: Always use parameterized queries: cursor.execute('SELECT * FROM users WHERE id = %s', (user_id,)) to prevent SQL injection.
- **Only checking authentication on the client side (in React components)** — undefined Fix: Always validate tokens and permissions server-side. Client-side checks are trivially bypassed with browser developer tools.

## Best practices

- Run npm audit or pip-audit before every deployment to catch newly disclosed vulnerabilities
- Store all API keys, passwords, and tokens in Tools → Secrets — never hardcode them in source files
- Use parameterized queries for all database operations to prevent SQL injection attacks
- Add --audit-level=high to your build command so only serious vulnerabilities block deployment
- Review OWASP Top 10 issues for web apps: injection, broken auth, and sensitive data exposure are the most common
- Remember that collaborators can see Secret values — limit collaborator access to trusted team members
- Keep dependencies updated regularly — outdated packages are the number one source of vulnerabilities
- Never commit .env files to Git — add .env to your .gitignore file

## Frequently asked questions

### Does Replit have a built-in security scanner?

No. Replit does not include a built-in vulnerability scanner as of March 2026. You need to run tools like npm audit (Node.js) or pip-audit (Python) manually in the Shell or add them to your build command.

### Is npm audit free to use in Replit?

Yes. npm audit is built into npm and runs for free. It checks your dependencies against the GitHub Advisory Database. pip-audit is also free and open source.

### Can Replit Agent fix security vulnerabilities for me?

You can ask Agent to run npm audit fix or update vulnerable packages. Prompt: 'Run npm audit and fix all high and critical vulnerabilities. Then verify the app still works.' Agent v4 will run the commands and test the results.

### Are my Secrets truly secure in Replit?

Secrets are AES-256 encrypted and transmitted over TLS. Collaborators can see names and values. Cover page visitors see nothing. Remixers see names but not values. For maximum security, rotate keys regularly and limit collaborator access.

### How do I prevent secrets from leaking into Git commits?

Never store secrets in source files. Use Tools → Secrets exclusively. If you accidentally committed a secret, rotate the key immediately, remove it from code, add it to Secrets, and force-push to remove it from Git history.

### What are the most common security issues in Replit projects?

Hardcoded API keys in source code, outdated dependencies with known vulnerabilities, SQL injection from string concatenation in queries, and client-side-only authentication checks. All four are preventable with the practices covered in this tutorial.

### Should I worry about CORS security in Replit deployments?

Yes. Replit's Replshield can add redirects that strip CORS headers, causing unexpected behavior in production. Deploy frontend and backend on the same Repl and use HTTPS exclusively to minimize CORS issues.

### What if my project needs a full security audit beyond dependency scanning?

Dependency scanning catches known vulnerabilities but does not cover custom code logic, authentication flows, or infrastructure configuration. For a comprehensive security review, the RapidDev engineering team can conduct a full audit covering OWASP Top 10 issues specific to your application.

---

Source: https://www.rapidevelopers.com/replit-tutorial/how-to-integrate-automated-security-scans-within-replit-projects
© RapidDev — https://www.rapidevelopers.com/replit-tutorial/how-to-integrate-automated-security-scans-within-replit-projects
