You can run automated security scans in Replit by using npm audit for Node.js or pip-audit for Python directly in the Shell tab. These tools check your dependencies for known vulnerabilities and suggest fixes. Combine them with proper Secrets management and a pre-deployment audit step in your .replit build command to catch security issues before they reach production.
Run Security Scans on Your Replit Project to Catch Vulnerabilities Early
This tutorial walks you through setting up automated security scanning in Replit so you can identify vulnerable dependencies, exposed secrets, and common security issues before deploying. You will learn how to run dependency audits from the Shell, integrate scans into your build process, and follow Secrets hygiene practices that prevent accidental credential exposure. No security experience is required — these are straightforward tools that report issues in plain language.
Prerequisites
- A Replit account (free Starter plan works for scanning, Core or Pro needed for deployment)
- A Replit App with Node.js or Python dependencies installed
- Basic familiarity with the Replit Shell tab
- No prior security or DevOps experience required
Step-by-step guide
Run a dependency audit in the Shell
Open the Shell tab in your Replit workspace. For Node.js projects, run npm audit to scan all packages in node_modules for known vulnerabilities. For Python projects, install pip-audit first, then run it. Both tools check your installed packages against public vulnerability databases (the GitHub Advisory Database for npm, the Python Advisory Database for pip-audit) and report any issues with severity ratings from low to critical.
```shell
# For Node.js projects:
npm audit

# For Python projects:
pip install pip-audit
pip-audit
```
Expected result: The audit tool prints a table of vulnerabilities (if any) with severity levels, affected packages, and recommended fix versions. If no vulnerabilities are found, it prints 'found 0 vulnerabilities.'
Fix reported vulnerabilities
For Node.js projects, run npm audit fix to automatically update packages to patched versions where possible. Some fixes require major version bumps that may introduce breaking changes — npm audit fix --force handles these but review the changes carefully. For Python projects, pip-audit suggests updated versions in its output. Update specific packages with pip install package==version. Always test your app after updating to make sure nothing broke.
```shell
# Auto-fix Node.js vulnerabilities:
npm audit fix

# For breaking changes that need major updates:
npm audit fix --force

# For Python, update specific packages:
pip install requests==2.31.0
```
Expected result: Re-running npm audit or pip-audit after fixing shows fewer or zero vulnerabilities. Your app runs without errors after the updates.
Review your Secrets hygiene
Open Tools in the left sidebar and click Secrets. Verify that all API keys, database credentials, and tokens are stored here — not hardcoded in your source files. Search your code files for common patterns like 'sk-', 'api_key =', 'password =', or 'Bearer' to find any credentials that may be embedded directly in code. Move any found values to Secrets and replace them with os.getenv() or process.env references. Remember that collaborators can see Secret values, and remixers can see Secret names but not values.
```python
# Python — correct way to access secrets:
import os
api_key = os.getenv("API_KEY")

# WRONG — never do this:
api_key = "sk-abc123..."  # Hardcoded secret!
```

```javascript
// Node.js — correct way to access secrets:
const apiKey = process.env.API_KEY;
```
Expected result: All sensitive values are stored in Tools → Secrets and accessed through environment variables. No API keys or passwords appear in your source code.
Add a security scan to your build command
To catch vulnerabilities automatically before every deployment, add an audit step to the build command in your .replit file. Open .replit (enable Show hidden files if needed) and modify the deployment build command to run the audit before building. Using npm audit --audit-level=high makes the build fail only for high or critical severity issues, so minor advisories do not block deployments unnecessarily.
```toml
# .replit
[deployment]
build = ["sh", "-c", "npm audit --audit-level=high && npm run build"]
run = ["sh", "-c", "node index.js"]
deploymentTarget = "cloudrun"
```
Expected result: Deployments will fail if high or critical vulnerabilities are found in your dependencies, preventing insecure code from reaching production.
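As an added example (not part of the original tutorial), the gate below applies the same severity threshold as --audit-level to a captured `npm audit --json` report and also points out which fixes need a major version bump, which is exactly the case where npm audit fix --force deserves a careful review. It assumes the npm 7+ JSON report layout (a `vulnerabilities` map whose entries carry `severity` and `fixAvailable`) and uses constructed placeholder package names.

```python
import json
import sys

# Severity order used by npm audit's --audit-level (assumed: info < low < moderate < high < critical).
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Constructed sample in the shape of `npm audit --json` (npm 7+ report format); package names are
# placeholders, not real advisories. fixAvailable is either a bool or an object describing the fix.
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "pkg-a": {"severity": "moderate", "isDirect": False, "fixAvailable": True},
        "pkg-b": {"severity": "high", "isDirect": False,
                  "fixAvailable": {"name": "pkg-b", "version": "3.0.0", "isSemVerMajor": True}},
        "pkg-c": {"severity": "critical", "isDirect": True, "fixAvailable": False},
    },
})


def blocking_findings(audit_json: str, audit_level: str = "high") -> list:
    """Return (name, severity, fix_note) for every vulnerability at or above audit_level."""
    report = json.loads(audit_json)
    threshold = SEVERITY_ORDER.index(audit_level)
    findings = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        severity = vuln.get("severity", "info")
        if SEVERITY_ORDER.index(severity) < threshold:
            continue  # below the gate: still reported by npm audit, but does not block the build
        fix = vuln.get("fixAvailable", False)
        if isinstance(fix, dict) and fix.get("isSemVerMajor"):
            fix_note = "fix needs a major bump (npm audit fix --force): review before applying"
        elif fix:
            fix_note = "fix available (npm audit fix)"
        else:
            fix_note = "no fix available: upgrade or replace the package manually"
        findings.append((name, severity, fix_note))
    # Most severe first, so the build log leads with what matters.
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f[1]), reverse=True)


def build_should_fail(audit_json: str, audit_level: str = "high") -> bool:
    """Same pass/fail rule as the exit code of `npm audit --audit-level=<level>`."""
    return bool(blocking_findings(audit_json, audit_level))


if __name__ == "__main__":
    # Usage in the Shell: npm audit --json | python audit_gate.py [level]
    level = sys.argv[1] if len(sys.argv) > 1 else "high"
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_JSON
    for name, sev, note in blocking_findings(data, level):
        print(f"{sev:>8}  {name}: {note}")
    sys.exit(1 if build_should_fail(data, level) else 0)
```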
Check for common OWASP issues in your code
Beyond dependency scanning, review your code for the most common web application security issues from the OWASP Top 10. In Replit projects, the most relevant issues are: injection attacks (always use parameterized queries for database operations, never string concatenation), broken authentication (validate tokens server-side, not just client-side), and sensitive data exposure (use HTTPS-only, store secrets properly). These are manual checks, but knowing what to look for prevents the most common security failures.
```python
# WRONG — SQL injection vulnerability:
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")

# CORRECT — parameterized query:
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
```

```javascript
// WRONG — client-side only auth check:
if (localStorage.getItem('isAdmin')) { showAdminPanel(); }

// CORRECT — server-side validation:
// Validate the user's token on every API request server-side
```
Expected result: Your code uses parameterized queries for all database operations, validates authentication server-side, and does not expose sensitive data in client-side code.
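To make the injection point concrete, here is an added example (not from the original tutorial) that runs both query forms against a constructed in-memory SQLite table. sqlite3 uses ? placeholders where the psycopg2-style snippet above uses %s; the principle is the same.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; not from the original tutorial."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "alice@example.com"), (2, "bob@example.com"), (3, "carol@example.com")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, user_id: str) -> list:
    # WRONG: the request value becomes part of the SQL text, so it can change the
    # query's structure instead of only supplying a value to compare against.
    return conn.execute(f"SELECT id, email FROM users WHERE id = {user_id}").fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    # CORRECT: the SQL text is fixed; the driver binds user_id as data only.
    return conn.execute("SELECT id, email FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # A well-formed id behaves the same either way.
    print(lookup_unsafe(conn, "2"), lookup_safe(conn, "2"))
    # A crafted id rewrites the WHERE clause in the unsafe form (every row comes back),
    # while the bound parameter is compared as a literal value and matches nothing.
    crafted = "1 OR 1=1"
    print(len(lookup_unsafe(conn, crafted)), lookup_safe(conn, crafted))
```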
Complete working example
```shell
#!/bin/bash
# security_check.sh — Run all security scans for a Replit project
# Execute in Shell: bash security_check.sh

echo "=== Replit Security Scan ==="
echo ""

# Step 1: Check for hardcoded secrets
echo "[1/4] Scanning for hardcoded secrets..."
SECRET_PATTERNS='(sk-|api_key|apikey|secret_key|password|token|Bearer )'
# -E is required: the (a|b) alternation is an extended-regex feature, so without it
# grep would look for the literal string "(sk-|api_key|...)" and never match.
FOUND=$(grep -rniE "$SECRET_PATTERNS" . \
  --include='*.py' --include='*.js' --include='*.ts' --include='*.jsx' --include='*.tsx' \
  --exclude-dir=node_modules --exclude-dir=.git \
  2>/dev/null | grep -v 'os.getenv\|process.env\|os.environ\|getenv(' || true)

if [ -n "$FOUND" ]; then
  echo "WARNING: Possible hardcoded secrets found:"
  echo "$FOUND"
else
  echo "OK: No hardcoded secrets detected."
fi
echo ""

# Step 2: Run npm audit (Node.js projects)
if [ -f "package.json" ]; then
  echo "[2/4] Running npm audit..."
  npm audit --audit-level=high 2>/dev/null
  if [ $? -ne 0 ]; then
    echo "WARNING: High or critical vulnerabilities found."
  else
    echo "OK: No high/critical npm vulnerabilities."
  fi
else
  echo "[2/4] Skipped — no package.json found."
fi
echo ""

# Step 3: Run pip-audit (Python projects)
if [ -f "requirements.txt" ]; then
  echo "[3/4] Running pip-audit..."
  pip-audit 2>/dev/null
  if [ $? -ne 0 ]; then
    echo "WARNING: Python dependency vulnerabilities found."
  else
    echo "OK: No Python dependency vulnerabilities."
  fi
else
  echo "[3/4] Skipped — no requirements.txt found."
fi
echo ""

# Step 4: Check .replit for exposed env vars
echo "[4/4] Checking .replit for inline secrets..."
if [ -f ".replit" ]; then
  INLINE_SECRETS=$(grep -n 'KEY\|SECRET\|PASSWORD\|TOKEN' .replit 2>/dev/null | grep '=' || true)
  if [ -n "$INLINE_SECRETS" ]; then
    echo "WARNING: Possible secrets in .replit file:"
    echo "$INLINE_SECRETS"
  else
    echo "OK: No inline secrets in .replit."
  fi
fi

echo ""
echo "=== Security scan complete ==="
```
Common mistakes when running security checks in Replit
Mistake: Hardcoding API keys directly in source code instead of using Secrets
How to avoid: Move all sensitive values to Tools → Secrets and access them with os.getenv('KEY') in Python or process.env.KEY in Node.js.
Mistake: Ignoring npm audit warnings because the app 'works fine'
How to avoid: Vulnerabilities in dependencies can be exploited even if your app functions correctly. Run npm audit fix to patch known issues.
Mistake: Using string concatenation to build SQL queries with user input
How to avoid: Always use parameterized queries: cursor.execute('SELECT * FROM users WHERE id = %s', (user_id,)) to prevent SQL injection.
Mistake: Only checking authentication on the client side (in React components)
How to avoid: Always validate tokens and permissions server-side. Client-side checks are trivially bypassed with browser developer tools.
Best practices
- Run npm audit or pip-audit before every deployment to catch newly disclosed vulnerabilities
- Store all API keys, passwords, and tokens in Tools → Secrets — never hardcode them in source files
- Use parameterized queries for all database operations to prevent SQL injection attacks
- Add --audit-level=high to your build command so only serious vulnerabilities block deployment
- Review OWASP Top 10 issues for web apps: injection, broken auth, and sensitive data exposure are the most common
- Remember that collaborators can see Secret values — limit collaborator access to trusted team members
- Keep dependencies updated regularly — outdated packages are the number one source of vulnerabilities
- Never commit .env files to Git — add .env to your .gitignore file
Still stuck?
Copy one of these prompts to get a personalized, step-by-step explanation.
I have a Node.js project on Replit. How do I run npm audit to check for dependency vulnerabilities, fix them automatically, and add the audit as a pre-deployment step in my .replit configuration?
Scan this project for security issues. Run npm audit, fix any high or critical vulnerabilities, move any hardcoded API keys to Secrets, and add an npm audit step to the deployment build command in .replit.
Frequently asked questions
No. Replit does not include a built-in vulnerability scanner as of March 2026. You need to run tools like npm audit (Node.js) or pip-audit (Python) manually in the Shell or add them to your build command.
Yes. npm audit is built into npm and runs for free. It checks your dependencies against the GitHub Advisory Database. pip-audit is also free and open source.
You can ask Agent to run npm audit fix or update vulnerable packages. Prompt: 'Run npm audit and fix all high and critical vulnerabilities. Then verify the app still works.' Agent v4 will run the commands and test the results.
Secrets are AES-256 encrypted and transmitted over TLS. Collaborators can see names and values. Cover page visitors see nothing. Remixers see names but not values. For maximum security, rotate keys regularly and limit collaborator access.
Never store secrets in source files. Use Tools → Secrets exclusively. If you accidentally committed a secret, rotate the key immediately, remove it from code, add it to Secrets, and force-push to remove it from Git history.
Hardcoded API keys in source code, outdated dependencies with known vulnerabilities, SQL injection from string concatenation in queries, and client-side-only authentication checks. All four are preventable with the practices covered in this tutorial.
Yes. Replit's Replshield can add redirects that strip CORS headers, causing unexpected behavior in production. Deploy frontend and backend on the same Repl and use HTTPS exclusively to minimize CORS issues.
Dependency scanning catches known vulnerabilities but does not cover custom code logic, authentication flows, or infrastructure configuration. For a comprehensive security review, the RapidDev engineering team can conduct a full audit covering OWASP Top 10 issues specific to your application.