How GreenLit works

GreenLit is a security scanner for AI-generated apps. Paste a public GitHub repo and get an instant report — the mistakes that Lovable, Bolt, v0, Replit and friends quietly ship: exposed keys, open databases, missing auth, and logic holes.

1 · The scan

  1. You paste a public github.com/owner/repo.
  2. We do a shallow, read-only clone into a temp dir — the code is never executed and is deleted right after the scan.
  3. The engine walks the files, applies the rule set, and redacts any secrets it finds before anything is stored.
  4. An AI layer double-checks the findings (dropping false positives) and reads high-risk files for logic bugs.
  5. You get a 0–100 score, a tier, and a list of findings.

2 · The GreenLit Score

Every project starts at 100. Each finding subtracts points by severity, so one critical issue outweighs a pile of minor ones:

  Severity   Points off
  critical   −40
  high       −15
  medium     −5
  low        −1

The score maps to a tier — and any critical finding caps you at Failed:

  Tier       Score
  Verified   90–100
  Passing    75–89
  At Risk    50–74
  Failed     < 50, or any critical
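The scoring rules above, worked through as an added example (this is not GreenLit's own code): deductions per severity, a floor at zero, the tier bands, and the rule that any critical finding forces Failed regardless of score. The finding shape (a dict with a `severity` and a `rule` key) and the sample findings are assumptions for illustration.

```python
"""Reproduce the GreenLit scoring rules (added example, not GreenLit's code)."""
from collections import Counter

# Points subtracted per finding, by severity (from the table above).
POINTS_OFF = {"critical": 40, "high": 15, "medium": 5, "low": 1}


def compute_score(findings):
    """Return the 0-100 score for a list of findings.

    Each finding is a dict with at least a 'severity' key (assumed shape).
    Unknown severities are rejected rather than ignored, so a typo in a
    rule definition cannot make a finding cost nothing.
    """
    score = 100
    for finding in findings:
        severity = finding["severity"]
        if severity not in POINTS_OFF:
            raise ValueError(f"unknown severity: {severity!r}")
        score -= POINTS_OFF[severity]
    return max(score, 0)  # never below zero, however many findings


def assign_tier(score, findings):
    """Map a score to a tier; any critical finding caps the tier at Failed."""
    if any(f["severity"] == "critical" for f in findings):
        return "Failed"
    if score >= 90:
        return "Verified"
    if score >= 75:
        return "Passing"
    if score >= 50:
        return "At Risk"
    return "Failed"


def grade(findings):
    """Produce the score, tier and per-severity counts for a report."""
    score = compute_score(findings)
    return {
        "score": score,
        "tier": assign_tier(score, findings),
        "counts": dict(Counter(f["severity"] for f in findings)),
    }


# Constructed sample findings (not from a real scan).
SAMPLE = [
    {"rule": "permissive-cors", "severity": "medium"},
    {"rule": "jwt-alg-none", "severity": "high"},
    {"rule": "missing-rate-limit", "severity": "low"},
    {"rule": "missing-rate-limit", "severity": "low"},
]
```

Running `grade(SAMPLE)` gives a score of 78 and the Passing tier; swap in a single critical finding and the tier drops to Failed even though the score is 60.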

3 · What we check

The rule set targets the mistakes AI coding tools emit most often:

  • Exposed secrets & API keys
  • SQL / NoSQL / command injection
  • Cross-site scripting (XSS)
  • SSRF & path traversal
  • Open redirects
  • Broken / missing authentication
  • Client-side-only access control
  • Public Supabase / Firebase rules
  • Service-role keys in the browser
  • Insecure cookies & JWT alg:none
  • Permissive CORS
  • Weak crypto (MD5/SHA1, Math.random)
  • Prototype pollution
  • Debug endpoints & error disclosure
  • Missing rate limits / timeouts
  • Unvalidated file uploads
  • GraphQL introspection
  • AI cost risks (calls in loops, no max_tokens)
  • Known CVEs in dependencies (via OSV)
  • Typosquatted packages

Rules ship for JavaScript/TypeScript plus Python, Ruby, and Go.

4 · The badge

Every scan gets a shareable report at /r/<id> and an embeddable SVG badge at /badge/<id>.svg that reflects the live tier. Drop it in your README or site:

[![GreenLit score](https://greenlit.cc/badge/<id>.svg)](https://greenlit.cc/r/<id>)

To stop badge theft, once you claim a report you can register the domain it's allowed to appear on. Embedded anywhere else, the badge turns amber and links to a verification page proving it's genuine.

5 · Safety

  • Only public github.com/owner/repo URLs are accepted.
  • Clones are shallow, single-branch and time-limited, with git hooks disabled.
  • Cloned code is read-only, never executed, and deleted after the scan.
  • Reports redact secrets; we never store your source.