How GreenLit works
GreenLit is a security scanner for AI-generated apps. Paste a public GitHub repo and get an instant report — the mistakes that Lovable, Bolt, v0, Replit and friends quietly ship: exposed keys, open databases, missing auth, and logic holes.
1 · The scan
- You paste a public github.com/owner/repo URL.
- We do a shallow, read-only clone into a temp dir; the code is never executed and is deleted right after the scan.
- The engine walks the files, applies the rule set, and redacts any secrets it finds before anything is stored.
- An AI layer double-checks the findings (dropping false positives) and reads high-risk files for logic bugs.
- You get a 0–100 score, a tier, and a list of findings.
2 · The GreenLit Score
Every project starts at 100. Each finding subtracts points by severity, so one critical issue outweighs a pile of minor ones:
| Severity | Points off |
|---|---|
| critical | −40 |
| high | −15 |
| medium | −5 |
| low | −1 |
The score maps to a tier, and any critical finding caps you at Failed whatever the number says: a single critical on an otherwise clean repo scores 60, which would read as At Risk without the cap.
| Tier | Score |
|---|---|
| Verified | 90–100 |
| Passing | 75–89 |
| At Risk | 50–74 |
| Failed | < 50, or any critical |
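The scoring rule as code, added here and not taken from GreenLit: the point table plus the critical cap. It makes the interplay concrete, since one critical alone leaves a score of 60 but the tier is still Failed. Flooring the score at 0 is an assumption; the page does not say what happens once the deductions exceed 100.

```javascript
// Added example, not GreenLit's implementation. Point values and tier
// boundaries are those on the page; the floor at 0 is an assumption.

const POINTS_OFF = { critical: 40, high: 15, medium: 5, low: 1 };

// Tier for a numeric score; a critical finding forces Failed regardless.
function tierFor(score, hasCritical) {
  if (hasCritical || score < 50) return 'Failed';
  if (score < 75) return 'At Risk';
  if (score < 90) return 'Passing';
  return 'Verified';
}

// findings: array of { severity: 'critical' | 'high' | 'medium' | 'low', ... }
// Returns { score, tier }.
function greenlitScore(findings) {
  let score = 100;
  let hasCritical = false;
  for (const f of findings) {
    const off = POINTS_OFF[f.severity];
    if (off === undefined) throw new Error(`unknown severity: ${f.severity}`);
    score -= off;
    if (f.severity === 'critical') hasCritical = true;
  }
  score = Math.max(0, score); // assumption: never report a negative score
  return { score, tier: tierFor(score, hasCritical) };
}
```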
3 · What we check
The rule set targets the mistakes AI coding tools emit most often:
- Exposed secrets & API keys
- SQL / NoSQL / command injection
- Cross-site scripting (XSS)
- SSRF & path traversal
- Open redirects
- Broken / missing authentication
- Client-side-only access control
- Public Supabase / Firebase rules
- Service-role keys in the browser
- Insecure cookies & JWT alg:none
- Permissive CORS
- Weak crypto (MD5/SHA1, Math.random)
- Prototype pollution
- Debug endpoints & error disclosure
- Missing rate limits / timeouts
- Unvalidated file uploads
- GraphQL introspection
- AI cost risks (calls in loops, no max_tokens)
- Known CVEs in dependencies (via OSV)
- Typosquatted packages
Rules ship for JavaScript/TypeScript plus Python, Ruby, and Go.
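What the file walk in step 3 of the scan looks like in practice, as an added example and not GreenLit's own engine: a handful of rules in the spirit of the list above (service-role key shipped to the browser, hard-coded API key, JWT alg:none, Math.random for a token) run over a constructed in-memory repo, with any matched secret redacted before the finding is stored. Rule ids, severities, the sample file contents and the `src/` heuristic for "client-side code" are all assumptions. The Supabase check decodes the token's payload and only fires when the role claim is service_role, which is why the anon key in the second file is left alone.

```javascript
// Added example, not GreenLit's engine. Rule ids, severities, the `src/` =
// client-side heuristic and every sample file below are constructed for the demo.

// Build a JWT-shaped string for the sample (unsigned; 'c2ln' is a dummy
// signature segment). Buffer is a Node global, so no imports are needed.
const b64url = (s) => Buffer.from(s).toString('base64url');
const fakeJwt = (payload) =>
  `${b64url('{"alg":"HS256","typ":"JWT"}')}.${b64url(JSON.stringify(payload))}.c2ln`;

// Constructed sample repository: path -> file contents.
const SAMPLE_REPO = {
  'src/lib/supabase.ts':
    "import { createClient } from '@supabase/supabase-js';\n" +
    `export const admin = createClient('https://x.supabase.co', '${fakeJwt({ iss: 'supabase', role: 'service_role' })}');\n`,
  'src/lib/anon.ts':
    `export const db = createClient('https://x.supabase.co', '${fakeJwt({ iss: 'supabase', role: 'anon' })}');\n`,
  '.env': `OPENAI_API_KEY=sk-${'A'.repeat(48)}\n`,
  'server/auth.js':
    "const claims = jwt.verify(token, secret, { algorithms: ['HS256', 'none'] });\n",
  'src/utils/token.js':
    'export const resetToken = () => Math.random().toString(36).slice(2);\n',
  'README.md': 'Nothing to see here.\n',
};

// Decode the payload of a JWT-shaped string and return its `role` claim.
function jwtRole(token) {
  try {
    return JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString()).role;
  } catch {
    return undefined;
  }
}

// A rule is a path filter, a global regex, and an optional `confirm` predicate
// that must accept the match; `secret: true` marks the match for redaction.
const RULES = [
  {
    id: 'supabase-service-role-in-client', severity: 'critical', secret: true,
    paths: (p) => p.startsWith('src/'),
    pattern: /eyJ[\w-]+\.[\w-]+\.[\w-]+/g,
    confirm: (m) => jwtRole(m) === 'service_role',
  },
  { id: 'hardcoded-api-key', severity: 'critical', secret: true,
    paths: () => true, pattern: /\bsk-[A-Za-z0-9]{32,}\b/g },
  { id: 'jwt-alg-none', severity: 'critical',
    paths: () => true, pattern: /algorithms\s*:\s*\[[^\]]*['"]none['"]/g },
  { id: 'weak-random-token', severity: 'medium',
    paths: () => true, pattern: /Math\.random\(\)/g },
];

// Keep just enough of a secret to recognise it; the value itself is never stored.
const redact = (s) => `${s.slice(0, 6)}...${s.slice(-4)} (${s.length} chars)`;

// Walk every file, apply every applicable rule, emit one finding per match.
function scan(repo) {
  const findings = [];
  for (const [path, text] of Object.entries(repo)) {
    const lines = text.split('\n');
    for (const rule of RULES) {
      if (!rule.paths(path)) continue;
      lines.forEach((line, i) => {
        for (const m of line.matchAll(rule.pattern)) {
          if (rule.confirm && !rule.confirm(m[0])) continue;
          findings.push({
            rule: rule.id, severity: rule.severity, path, line: i + 1,
            evidence: rule.secret ? redact(m[0]) : m[0],
          });
        }
      });
    }
  }
  return findings;
}
```

The `confirm` hook is where the false-positive filtering lives for pattern rules: the JWT regex alone would flag the public anon key too, so the rule decodes the payload and keeps only service-role tokens. The redacted evidence is what a report can safely carry.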
4 · The badge
Every scan gets a shareable report at /r/<id> and an embeddable SVG badge at /badge/<id>.svg that reflects the live tier. Drop it in your README or site:
[![GreenLit badge](https://greenlit.cc/badge/<id>.svg)](https://greenlit.cc/r/<id>)
To stop badge theft, once you claim a report you can register the domain it's allowed to appear on. Embedded anywhere else, the badge turns amber and links to a verification page proving it's genuine.
5 · Safety
- Only public github.com/owner/repo URLs are accepted.
- Clones are shallow, single-branch, time-limited, and hooks are disabled.
- Cloned code is read-only, never executed, and deleted after the scan.
- Reports redact secrets; we never store your source.
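The URL acceptance and hardened clone described in steps 1 and 2 of the scan and again in this section, as an added example rather than GreenLit's code. The parser takes only an https github.com/owner/repo (with or without the scheme, with or without `.git`) and rejects other hosts, embedded credentials, query strings and names that could be read as git options; the argv builder uses standard git flags for a shallow, single-branch, https-only, hook-free clone. The temp-dir and timeout handling are assumptions noted below.

```javascript
// Added example, not GreenLit's code. Name-shape regexes, error messages and
// the exact flag set are assumptions; every flag used is a standard git option.

const OWNER = /^[A-Za-z0-9][A-Za-z0-9-]{0,38}$/;   // GitHub user/org name shape
const REPO = /^[A-Za-z0-9_.-]{1,100}$/;            // repository name shape

// Normalise a pasted value to { owner, repo, cloneUrl } or throw.
function parseRepoUrl(input) {
  const s = input.trim();
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(s) ? s : `https://${s}`;
  let u;
  try { u = new URL(withScheme); } catch { throw new Error('not a URL'); }
  if (u.protocol !== 'https:' || u.hostname !== 'github.com') {
    throw new Error('only https://github.com/owner/repo is accepted');
  }
  if (u.username || u.password || u.search || u.hash) {
    throw new Error('credentials, query strings and fragments are not accepted');
  }
  const parts = u.pathname.replace(/^\/+|\/+$/g, '').split('/');
  if (parts.length !== 2) throw new Error('expected github.com/owner/repo');
  const owner = parts[0];
  const repo = parts[1].replace(/\.git$/, '');
  if (!OWNER.test(owner) || !REPO.test(repo) || repo === '.' || repo === '..') {
    throw new Error('invalid owner or repository name');
  }
  return { owner, repo, cloneUrl: `https://github.com/${owner}/${repo}.git` };
}

// argv for a hardened clone:
//   core.hooksPath=/dev/null                          no hook directory can be found, so no hook runs
//   protocol.allow=never + protocol.https.allow=always only https transports, for anything the repo references too
//   --depth 1 --single-branch --no-tags               minimal history, one branch
//   '--' before the URL                               a crafted name is never parsed as an option
function cloneArgv(cloneUrl, destDir) {
  return [
    'git',
    '-c', 'core.hooksPath=/dev/null',
    '-c', 'protocol.allow=never',
    '-c', 'protocol.https.allow=always',
    'clone', '--depth', '1', '--single-branch', '--no-tags',
    '--', cloneUrl, destDir,
  ];
}
```

To run it, spawn `argv[0]` with `argv.slice(1)` into a freshly created temp directory, pass a `timeout` in the spawn options so a stalled clone is killed, read the tree with ordinary file reads only, and remove the directory when the scan finishes. Nothing in the checkout is ever executed, installed, or built.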