
Securing Your Lovable Application with OpsMx Delivery Shield

OpsMx Delivery Shield Sandbox allows you to run comprehensive security scans including SAST (Static Application Security Testing), SCA (Software Composition Analysis), and DAST (Dynamic Application Security Testing) on applications built using Lovable, the AI Code Generation Platform.

Join our community Slack workspace and share your issue, error, or scan result and get help from peers and experts

On-Demand SAST, SCA, and DAST Scanning

Step 1: Sync Lovable Code to GitHub

1. In the Lovable interface, click Sync to GitHub (top right corner).

2. Once synced, your project will appear in your GitHub repository.

Once your Lovable-generated code is pushed to your GitHub repository, you can scan it.

OpsMx SSD Platform

After completing the initial login via Google, you will be presented with the application dashboard. To start scanning projects, click the Scan Now button in the top right corner (see below):


On Demand Scanning (Source Code)

In the On Demand Scanning part of the product you can choose which type of scan you would like to perform. In this case we start with a source code scan: select Source Scan and click the Add Project button, as seen below:


Project Configuration Setup

Next we complete the form that adds your source code project to the scan queue. Let's review each form item:


1. Give your project a name: a name that will help you identify your project.

2. Team Availability: simply select default, as your account will only have one team.

3. Select Platform from the drop-down: in this case we select GitHub.

4. Select Type: whether this is a User or Organization type (the repo would be public).

5. Select Account: simply select the default GitHub account.

6. Type in the Workspace or Organization Name: this tells the system which organization or individual workspace to scan.

7. Scan Level: choose to scan the entire Organization or Workspace, or scan a specific repository by making the appropriate selection.

8. Select Repository or Project: if you selected Repository in the previous step, select which repository to scan; if you chose Organization/Workspace, this defaults to All.

9. Select the Branch You Would Like to Scan: select All to scan all branches, specify the Main branch, or use the branch pattern option to specify a branch or a branch naming pattern.

10. Branch Pattern: specify the branch you want to scan, or a pattern (e.g. Production will scan all branches with Production in the name).

11. Scan Up To: a limit on the number of branches scanned.

12. Schedule An Auto Scan: set re-scans on a schedule so you always have the latest results as changes are made to the repo.

Press the Save button and the scan will begin.

Step 2: Run SAST and SCA Scans

Configuration Setup

  • Point the tool to your personal or team-level Lovable app within your workspace
  • Note: For personal applications, save the Lovable application to your personal (User) level and point the tool at your Lovable application within your workspace

SAST Scan Results

Once the project is cloned, you can start the security scan, which reveals:

Open Source Security Analysis: how secure your code is in its resting state, and whether it is open to tampering or a source-code-level attack.

The SAST scan will typically show findings categorized by confidence level (e.g., low confidence findings for basic issues).


Software Composition Analysis (SCA)

The SCA scan analyzes several key areas:

Licenses Found:

  • No license may be found for Lovable applications initially
  • Please see the Lovable Terms of Service and consider adding a license depending on how you plan to use the application
  • Consider whether your application will be public, as this may require compliance with terms of service

Secrets in Code

  • Scans for plain text or hard-coded secrets in your codebase
  • Ensures your code is free from exposed credentials
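To make the "Secrets in Code" check concrete, here is an added example (not OpsMx's scanner and not code from any Lovable project) of the kind of pattern matching such a scan performs on a synced repository. It runs over a constructed, hypothetical front-end config file and shows that quoted literals are flagged while environment-variable references and obvious placeholders are not.

```python
"""Minimal hard-coded-secret scanner, illustrating the SCA 'Secrets in Code' step."""
import re

# Each rule: (finding name, severity, compiled regex). The generic credential rule
# only fires on a quoted literal, so references such as import.meta.env.X are ignored.
RULES = [
    ("AWS access key ID", "HIGH", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("Private key block", "CRITICAL",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("Hard-coded credential", "MEDIUM",
     re.compile(r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]
# Values that are clearly placeholders, not real secrets (reduces false positives).
PLACEHOLDER = re.compile(r"(?i)^<.*>$|changeme|your[_-]|example")


def scan_lines(path, lines):
    """Return findings as (path, line_no, rule, severity) for every matching line."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for name, severity, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            # The generic rule captures the literal; skip it when it looks like a placeholder.
            if m.groups() and PLACEHOLDER.search(m.group(1)):
                continue
            findings.append((path, no, name, severity))
    return findings


def scan_repo(files):
    """files: {path: [lines]} -> flat list of findings across all files."""
    return [f for path, lines in files.items() for f in scan_lines(path, lines)]


# Constructed sample resembling a generated front-end config file (hypothetical content).
SAMPLE_REPO = {
    "src/config.ts": [
        'export const API_BASE = "https://api.example.invalid";',
        'const awsKey = "AKIAIOSFODNN7EXAMPLE";',            # flagged: AWS key ID (AWS doc example value)
        'const apiKey = "<your-api-key>";',                   # placeholder: not flagged
        'const token = import.meta.env.VITE_PUBLIC_TOKEN;',   # env reference: not flagged
        'const password = "correct-horse-battery";',          # flagged: hard-coded credential
    ],
    "deploy/id_rsa": ["-----BEGIN RSA PRIVATE KEY-----", "MIIEow...(truncated)"],
}

if __name__ == "__main__":
    for path, no, name, sev in scan_repo(SAMPLE_REPO):
        print(f"{sev:8} {path}:{no} {name}")
```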

Software Bill of Materials (SBOM)

  • Shows the OSS packages used in the project
  • Displays the vulnerability profile of each package
  • Analyzes open-source dependencies and licenses

Step 3: Run a DAST Scan (OPTIONAL)

After deploying your Lovable app:

  1. Open the DAST section in Delivery Shield
  2. Click Add Project and configure:
    • App URL (from Lovable deployment – they will generate this for you when you Publish the application)
    • Account and authentication details.

DAST Project Setup

  • The service URL should come from Lovable (generated when you publish the application)
  • Configure your account settings appropriately for the scanning environment

  3. Run the scan and view runtime vulnerability reports

Once the scan begins, you will be presented with results showing runtime vulnerabilities and affected endpoints.


How to Access the Security Posture from Scans


Main Scanning Dashboard

Open your main scanning dashboard (the OpsMx Delivery Shield overview) to see comprehensive metrics:

  • Repo Registered
  • Total Scans
  • Total Branches
  • Total Projects
  • Auto Scan Enabled Repos

Source Scan Results Access

Navigate to your specific project (e.g., “webgoat-app”) to view its project-level scan results in detail.

Click on any completed scan to access the detailed analysis for three main scan types:

OpenSSF Analysis

  • Status: Completed | Scan Tool: OpenSSF
  • Shows security framework compliance checks
  • Displays various security categories with scores:
    • Binary-Artifacts: Score 5
    • Dangerous-Workflow: Score 10
    • Dependency-Update-Tool: Score -1
    • Pinned-Dependencies: Score varies
    • Token-Permissions: GitHub workflow token analysis
    • Vulnerabilities: “50 existing vulnerabilities detected”

SAST (Static Application Security Testing)

  • Status: Completed | Scan Tool: Semgrep
  • Displays code security findings with:
    • Rule Name: Specific security rules triggered
    • Severity: HIGH, MEDIUM, LOW classifications
    • Confidence: Risk confidence levels
    • CWE: Common Weakness Enumeration references
    • OWASP: OWASP category mappings
    • Fix: Remediation guidance

SCA (Software Composition Analysis)

  • Status: Completed | Scan Tool: Trivy
  • Vulnerability Summary: Displays color-coded vulnerability counts (5, 25, 13, 6, 1)
  • Shows detailed component analysis:
    • Component: Library/package names (e.g., org.apache.tomcat.embed:tomcat-embed-core)
    • Version: Current version numbers
    • Package Url: Maven/package repository links
    • Vulnerability Counts: Critical, High, Medium, Low severity counts per component

Enterprise Application Security Dashboard

For deployed applications, open the Application Security dashboard for an application-level security overview showing:

  • Total Applications: 1
  • Open Security Issues: 53
  • Current Deployments: 2

Risk Analysis Charts:

  • Application Risk: Pie chart showing Critical Risk (1), with other risk levels
  • Open Security Issues: Donut chart displaying issue distribution across pipeline stages
  • Deployment Status: Shows Allowed (2) vs Blocked (0) deployments

Application Details Table:

  • Application: buildme-extsandbox
  • Version: v0.9
  • Stage Scores: 0 (fail) and 100 (pass) indicators
  • Last Deployed: Jul 24, 2025
  • Cluster: oes-cluster
  • Namespace: buildme-extsanc
  • Open Issues: 53 with warning indicator
  • DBOM Status: Critical Risk status

Multi-Project Management

In the project organization view, the Source Scan interface supports multiple projects with expandable views:

  • src-project1: GitHub-based project with OpsMx organization
    • Shows individual repositories (e.g., visibility-service)
    • Branch-level scan tracking with completion status
    • Last scanned timestamps and duration metrics
  • spring-projects: Alternative project structure
    • Different organization structure support
    • Separate project management and tracking

The results of these comprehensive scans provide complete security posture visibility for your Lovable application across all development and deployment stages.

How to Remediate Issues Found in Scans

Once vulnerabilities are detected, OpsMx Delivery Shield provides multiple automated and AI-powered remediation options through the Remediate platform:


1. AI-Powered Automated Remediation

Initial Setup

Configure GitHub Token: Navigate to Settings and add your GitHub token to enable automated remediation


Available Remediation Agents

The agent overview dashboard provides a comprehensive view of all active remediation agents with real-time metrics:

Code Remediation Agent

  • Purpose: Automated remediation for SAST/SCA findings using the enhanced AutoFix workflow
  • Process:
    1. Select your project and team name
    2. Choose git URL and branch
    3. Select specific code finding to remediate
    4. Click “Generate Fix” for automated code remediation

Cloud Remediation Agent (AI-Powered)

  • Purpose: Two-phase AI remediation with plan generation and automated execution
  • Process:
    1. Select Issue: Choose a CSPM finding to remediate
    2. AI Planner: Generate intelligent remediation plan
    3. Executor: Automated execution of the remediation plan

Monitor all remediation activities from the centralized real-time monitoring dashboard, which shows:

  • Open Risks: 10 (+2 this week)
  • Critical Risks: 3 (+1 this week)
  • Fixed Issues: 2 (-5 this week)
  • Active Agents: 5

Manual Remediation Options

Export and External Tools

  • Export scan reports (PDF/JSON) for use with:
    • GitHub Code Scanning
    • Snyk
    • GitGuardian
    • Dependabot
    • OWASP ZAP for DAST remediation

Risk Prioritization

The platform automatically categorizes findings by:

  • Severity: Critical, High, Medium, Low
  • Agent Type: Code, Cloud, Pipeline, Runtime, IaC
  • Status: Open, In Progress, Fixed
  • Detection Timeline: Real-time tracking of when issues were discovered

3. Community Help: