How to Use the Security Scanner in GenMB: Complete Guide
Learn how GenMB's built-in Security Scanner detects OWASP Top 10 vulnerabilities and automatically fixes them during code generation.
Ambuj Agrawal
Founder & CEO
What Is the Security Scanner?
GenMB's Security Scanner is a built-in analysis layer that automatically inspects every piece of generated code for common security vulnerabilities before it reaches your preview. Rather than relying on external audit tools after the fact, the scanner runs inline during the code generation pipeline, catching issues at the earliest possible moment. It checks against the OWASP Top 10 — the industry-standard list of the most critical web application security risks — and flags anything that could expose your app or its users to attack.
The scanner is available to all users on every plan. There is nothing to install, configure, or toggle. Every app you generate benefits from it automatically.
OWASP Top 10 Vulnerabilities It Detects
The Security Scanner covers the vulnerability categories that matter most for web applications built on GenMB's frontend-centric stack. Here is what it looks for and why each one matters.
Cross-Site Scripting (XSS)
XSS occurs when untrusted data is rendered as HTML or executed as JavaScript without proper sanitization. The scanner detects patterns like raw innerHTML assignments, unescaped template interpolation, and missing output encoding. When found, it rewrites the code to use safe alternatives such as textContent or framework-level escaping.
SQL Injection Detection
Even though GenMB apps typically interact with databases through client libraries like Supabase, the scanner looks for string-concatenated queries that could allow injection attacks. If you provide a prompt that results in raw query construction, the scanner flags it and converts the code to use parameterized queries instead.
Exposed Secrets and API Keys
Hardcoding API keys, tokens, or passwords directly in frontend code is one of the most common mistakes. The scanner identifies patterns that look like secrets — long alphanumeric strings assigned to variables named key, secret, token, or password — and replaces them with placeholder references or environment variable patterns.
Misconfigured Permissions
The scanner checks for overly permissive configurations such as wildcard CORS headers (Access-Control-Allow-Origin: *), unrestricted file upload types, and missing authentication guards on sensitive operations. It tightens these configurations to follow the principle of least privilege.
Insecure Authentication Patterns
Storing passwords in plain text, using weak hashing algorithms, or implementing custom authentication without proper session management all get flagged. The scanner recommends and generates code that follows established patterns like bcrypt hashing and secure cookie flags.
Insecure Communications
Any hardcoded http:// URLs for API calls or resource loading are flagged and upgraded to https://. The scanner also checks for mixed content issues where a secure page loads insecure resources.
How It Works in the Pipeline
The Security Scanner runs during the VALIDATE_AND_HEAL stage of GenMB's 8-stage code generation pipeline. Here is where it fits in context:
- VALIDATE — Input validation and prompt sanitization
- ANALYZE — AI analyzes the request scope
- PREPARE — Gathers context, plugins, and capabilities
- GENERATE — AI produces the code
- PARSE — Extracts files from the AI response
- VALIDATE_AND_HEAL — Security Scanner runs here, followed by Code Healer
- ENHANCE — Plugin injection, SDK injection, PWA support
- FINALIZE — Code storage and version creation
During the VALIDATE_AND_HEAL stage, the scanner performs a static analysis pass over every generated file. It builds a list of findings, each categorized by severity (critical, high, medium, low) and OWASP category. These findings are then fed directly into the Code Healer for automatic remediation.
Code Healer Auto-Remediation
The Code Healer receives the scanner's findings and fixes them iteratively. It uses a tool-based approach first, calling read_file and edit_file operations to surgically patch vulnerable code. If the tool-based pass cannot resolve an issue, it falls back to a full JSON-based regeneration of the affected file.
Here is a simplified example of what happens behind the scenes:
```text
Scanner Finding:
File: app.js (line 42)
Severity: HIGH
Category: XSS
Issue: innerHTML used with unsanitized user input

Code Healer Fix:
- Replaced: element.innerHTML = userInput
- With: element.textContent = userInput
```
The remediation loop runs up to three iterations. If an issue persists after three attempts, it is logged and surfaced in the generation results so you can address it manually.
Example Scan Results
After generation, you can see what the scanner found and fixed. A typical scan summary looks like this:
```text
Security Scan Complete
Files scanned: 8
Vulnerabilities found: 3
Auto-fixed: 3

[FIXED] XSS - innerHTML with user input (app.js:42)
[FIXED] Exposed Secret - API key in source (config.js:7)
[FIXED] Insecure URL - http:// reference (utils.js:15)
```
All three issues were detected and resolved without any manual intervention. The final code delivered to your preview is already patched.
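To make the detection categories above (XSS, exposed secrets, insecure URLs) and the scan-then-heal loop concrete, here is an added toy example in JavaScript. It is not GenMB's own scanner or Code Healer code; the rules, the `process.env.PLACEHOLDER_SECRET` substitution and the three sample "generated files" are constructed for this illustration.

```javascript
// Added example, not GenMB's code: a toy scan-and-heal loop in the shape the
// VALIDATE_AND_HEAL stage is described as having. Rules are constructed.
const RULES = [
  { category: "XSS", severity: "HIGH", issue: "innerHTML with user input",
    pattern: /(\w+)\.innerHTML\s*=\s*([^;\n]+)/g,
    fix: (_m, el, val) => `${el}.textContent = ${val}` },
  { category: "Exposed Secret", severity: "CRITICAL", issue: "API key in source",
    // a long alphanumeric literal assigned to a key/secret/token/password name
    pattern: /(\b\w*(?:key|secret|token|password)\w*\s*=\s*)["'][A-Za-z0-9_-]{20,}["']/gi,
    fix: (_m, lhs) => `${lhs}process.env.PLACEHOLDER_SECRET` },  // placeholder env ref
  { category: "Insecure URL", severity: "MEDIUM", issue: "http:// reference",
    pattern: /http:\/\//g, fix: () => "https://" },
];

// Constructed sample "generated files" mirroring the scan summary above.
const SAMPLE_FILES = {
  "app.js": 'const el = document.getElementById("out");\nel.innerHTML = userInput;',
  "config.js": 'export const apiKey = "sk_live_EXAMPLE_0123456789abcdefXYZ";',
  "utils.js": 'export const API = "http://api.example.com/v1";',
};

const lineOf = (src, idx) => src.slice(0, idx).split("\n").length;

// Static pass: one finding per rule match, tagged with severity and category.
function scan(files) {
  const findings = [];
  for (const [file, src] of Object.entries(files)) {
    for (const rule of RULES) {
      for (const m of src.matchAll(rule.pattern)) {
        findings.push({ file, line: lineOf(src, m.index), ...rule });
      }
    }
  }
  return findings;
}

// Healer: rewrite every match, rescan, and stop after three iterations;
// whatever is still left is surfaced for manual review instead of looping forever.
function scanAndHeal(files, maxIterations = 3) {
  const healed = { ...files };
  const initial = scan(healed);
  let remaining = initial;
  for (let i = 0; i < maxIterations && remaining.length > 0; i++) {
    for (const f of remaining) healed[f.file] = healed[f.file].replace(f.pattern, f.fix);
    remaining = scan(healed);
  }
  return { filesScanned: Object.keys(files).length, found: initial.length,
           fixed: initial.length - remaining.length, remaining, files: healed };
}
```

Running `scanAndHeal(SAMPLE_FILES)` reports three findings and three fixes; anything left in `remaining` after the third pass is what a real pipeline would log for manual attention.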
Best Practices for Secure Apps
While the scanner handles common issues automatically, following these practices helps you build more secure applications from the start:
Write Security-Aware Prompts
Include security requirements in your prompts. For example:
"Create a login form with proper input validation, rate limiting, and secure password handling"
The more explicit you are, the less the scanner needs to fix after the fact.
Use Integrations for Auth
Rather than generating custom authentication, use the Clerk integration. It handles session management, token refresh, and secure storage correctly out of the box.
Keep Secrets Out of Prompts
Never include real API keys or passwords in your generation prompts. Use placeholder values and replace them after generation. The scanner will catch hardcoded secrets, but it is better to avoid them entirely.
Review Scanner Output
After generation, check the scan summary. Understanding what was fixed helps you learn secure coding patterns and write better prompts in future sessions.
Test with Real Data Carefully
When testing your deployed app with real user data, ensure your Supabase Row Level Security policies are configured correctly. The scanner covers frontend code but cannot audit your database permissions.
Summary
GenMB's Security Scanner provides automatic, zero-configuration security analysis for every app you generate. It detects OWASP Top 10 vulnerabilities including XSS, SQL injection, exposed secrets, misconfigured permissions, insecure auth, and insecure communications. Running during the VALIDATE_AND_HEAL pipeline stage, it works hand-in-hand with the Code Healer to fix issues before your code reaches the preview. Combined with security-aware prompting and proper use of integrations, the scanner helps ensure your generated applications meet modern security standards from the very first build.