
feat: add Lovable AI app builder provider#11092

Open
toniblyx wants to merge 1 commit into master from feat/lovable-provider

Conversation

@toniblyx
Member

@toniblyx toniblyx commented May 8, 2026

Context

Lovable apps (AI-generated web apps) ship with a well-known set of security pitfalls — missing Supabase RLS, secrets bundled into the frontend, missing auth on Edge Functions, missing security headers — most of which are documented in the official Lovable security best practices and reinforced by independent reviews like meetcyber.net's 2026 Lovable best practices.

This PR adds first-class support for Lovable across the SDK, API, and UI so Prowler users can assess their published Lovable workspaces with the same tooling they already use for AWS, Azure, and the rest. CIS does not publish a Lovable benchmark, so the PR includes a Prowler ThreatScore for Lovable framework instead.

Description

SDK / CLI (prowler lovable …)

  • New lovable provider modelled on the Vercel pattern: API-token auth, optional Supabase Management token for deeper RLS / Edge-Function checks, optional --project and --published-app-url scope filters
  • Two services:
    • apps — Lovable Cloud project metadata (visibility, auth posture, Supabase backing)
    • published — live HTTP fetch of the published app for security-header and frontend-secret-scan checks
  • 12 checks mapped 1-to-1 to the Lovable security best practices: workspace visibility, pre-publication review, CAPTCHA, password policy, auth rate limit, Supabase RLS, Edge-Function auth, storage privacy, HTTPS, security headers, strict CSP, no secrets in frontend bundle
  • New CheckReportLovable, factory dispatch, parser banner, and outputs wiring
  • Sensitive flags (--lovable-api-token, --supabase-access-token) registered in SENSITIVE_ARGUMENTS for redaction; environment variables (LOVABLE_API_TOKEN, LOVABLE_WORKSPACE_ID, SUPABASE_ACCESS_TOKEN) are the recommended path

Compliance

  • Prowler ThreatScore for Lovable framework (prowler/compliance/lovable/prowler_threatscore_lovable.json) with 12 requirements across Identity & Access Management, Attack Surface, and Secrets Management pillars

API

  • Provider.ProviderChoices.LOVABLE, validate_lovable_uid validator, LovableProviderSecret (required api_token plus optional supabase_access_token), connection-test wiring, migration 0091_lovable_provider, and a Lovable API Token entry in the provider-secret OpenAPI schema

UI

  • Provider radio choice + brand badge, dedicated LovableCredentialsForm, workspace UID input, credential field constants, secret builder, default-values hook, findings/overview integration, Lovable docs link in the provider help panel

Steps to review

# 1. List the new provider's checks, services, and compliance
poetry run python -m prowler lovable --list-checks       # → 12 checks
poetry run python -m prowler lovable --list-services     # → apps, published
poetry run python -m prowler lovable --list-compliance   # → prowler_threatscore_lovable

# 2. Run the new SDK tests
poetry run pytest tests/providers/lovable/ -q            # → 14 passed

# 3. UI typecheck (clean for Lovable code)
cd ui && pnpm install --frozen-lockfile && pnpm run typecheck

The provider registers under existing factories without touching unrelated providers; reviewers can scan the per-component changelog entries (prowler/CHANGELOG.md, api/CHANGELOG.md, ui/CHANGELOG.md) for a quick summary.

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack
  • Are there new checks included in this PR? Yes — 12 new checks under the new lovable provider.
    • Provider permissions: the Lovable Cloud API token only requires read access to the workspace and projects; the optional Supabase Management token requires read access to organizations, projects, RLS metadata, Edge Functions, and storage buckets. No write permissions are needed.
  • Review if the code is being covered by tests.
  • Review if code is being documented following https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
  • Review if backport is needed.
  • Review if it is needed to change the Readme.md
  • Ensure new entries are added to CHANGELOG.md, if applicable.

SDK/CLI

  • Are there new checks included in this PR? Yes — 12 checks
    • Provider permissions: documented above.

UI (if applicable)

  • All issue/task requirements work as expected on the UI
  • Screenshots/Video - Mobile (X < 640px)
  • Screenshots/Video - Tablet (640px > X < 1024px)
  • Screenshots/Video - Desktop (X > 1024px)
  • Ensure new entries are added to ui/CHANGELOG.md

API (if applicable)

  • All issue/task requirements work as expected on the API
  • Endpoint response output (if applicable)
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable) — N/A, no new queries
  • Performance test results (if applicable) — N/A
  • Verify if API specs need to be regenerated. — Yes; api/src/backend/api/specs/v1.yaml should be regenerated to include lovable in the provider enum (left to the maintainer's spec-regeneration step).
  • Check if version updates are required.
  • Ensure new entries are added to api/CHANGELOG.md

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

- Add lovable SDK provider with apps and published services
- Add 12 security checks mapped to Lovable security best practices
- Add Prowler ThreatScore for Lovable compliance framework
- Add API support: provider type, secret schema, UID validator, migration
- Add UI support: provider choice, credentials form, badges, wiring
- Add SDK tests for provider, services, and critical checks
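As an added example (not Prowler's code and not the PR's own checks), the block below sketches the kind of security-header and strict-CSP evaluation that the `published` service's checks run against a fetched app. The required-header list, the strictness rules and the sample header sets are assumptions constructed here.

```python
# Added example, not Prowler's code: a minimal version of the header and
# strict-CSP evaluation the PR's `published` service runs on a fetched app.
# Required-header list and strictness rules are assumptions made here.
REQUIRED_HEADERS = {"strict-transport-security", "x-content-type-options",
                    "content-security-policy"}
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def missing_security_headers(headers: dict) -> list:
    """Return required headers absent from a case-insensitive header map."""
    return sorted(REQUIRED_HEADERS - {k.lower() for k in headers})


def parse_csp(value: str) -> dict:
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def csp_is_strict(value: str) -> tuple:
    """Return (is_strict, problems): no weak script source (browsers ignore
    'unsafe-inline' once a nonce/hash is present), object-src 'none', and
    frame-ancestors set."""
    policy = parse_csp(value)
    problems = []
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        problems.append("no script-src or default-src")
    else:
        nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in scripts)
        for src in scripts:
            if src == "'unsafe-inline'" and nonce_or_hash:
                continue  # ignored by CSP Level 2+ browsers in this case
            if src in WEAK_SOURCES:
                problems.append(f"weak script source {src}")
    if policy.get("object-src") != ["'none'"]:
        problems.append("object-src is not 'none'")
    if "frame-ancestors" not in policy:
        problems.append("frame-ancestors not set")
    return (not problems, problems)


# Constructed sample headers: a permissive default and a hardened deployment.
WEAK = {"Content-Type": "text/html", "Content-Security-Policy": "default-src * 'unsafe-inline'"}
HARDENED = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "default-src 'self'; script-src 'self' "
            "'nonce-r4nd0m'; object-src 'none'; frame-ancestors 'none'"}
```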
@toniblyx toniblyx requested review from a team as code owners May 8, 2026 16:17
@github-actions github-actions Bot added compliance Issues/PRs related with the Compliance Frameworks component/ui component/api review-django-migrations This PR contains changes in Django migrations metadata-review labels May 8, 2026
@github-actions
Contributor

github-actions Bot commented May 8, 2026

Compliance Mapping Review

This PR adds new checks. Please verify that they have been mapped to the relevant compliance framework requirements.

New checks already mapped in this PR

  • apps_authentication_captcha_enabled (lovable): prowler_threatscore_lovable
  • apps_authentication_rate_limit_enabled (lovable): prowler_threatscore_lovable
  • apps_authentication_strong_password_policy (lovable): prowler_threatscore_lovable
  • apps_pre_publication_security_review_completed (lovable): prowler_threatscore_lovable
  • apps_supabase_edge_functions_authenticated (lovable): prowler_threatscore_lovable
  • apps_supabase_rls_enabled_on_all_tables (lovable): prowler_threatscore_lovable
  • apps_supabase_storage_buckets_not_public (lovable): prowler_threatscore_lovable
  • apps_workspace_visibility_for_internal_apps (lovable): prowler_threatscore_lovable
  • published_app_no_secrets_in_frontend_bundle (lovable): prowler_threatscore_lovable
  • published_app_security_headers_configured (lovable): prowler_threatscore_lovable
  • published_app_strict_csp_configured (lovable): prowler_threatscore_lovable
  • published_app_uses_https (lovable): prowler_threatscore_lovable

Use the no-compliance-check label to skip this check.

@github-actions
Contributor

github-actions Bot commented May 8, 2026

✅ All necessary CHANGELOG.md files have been updated.

@github-actions
Contributor

github-actions Bot commented May 8, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

Comment on lines +9 to +13
def is_finding_muted(
    self,
    finding: CheckReportLovable,
    workspace_id: str,
) -> bool:
@github-actions
Contributor

github-actions Bot commented May 8, 2026

🔒 Container Security Scan

Image: prowler-ui:d6fa577
Last scan: 2026-05-08 16:20:28 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 2
Total 2

2 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable

@github-actions
Contributor

github-actions Bot commented May 8, 2026

🔒 Container Security Scan

Image: prowler:d6fa577
Last scan: 2026-05-08 16:27:13 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 4
Total 4

4 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable

@github-actions
Contributor

github-actions Bot commented May 8, 2026

🔒 Container Security Scan

Image: prowler-api:d6fa577
Last scan: 2026-05-08 16:27:21 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 9
Total 9

8 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable

@codecov

codecov Bot commented May 8, 2026

Codecov Report

❌ Patch coverage is 61.53846% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.63%. Comparing base (962ebac) to head (077a4e7).
⚠️ Report is 5 commits behind head on master.

@@            Coverage Diff             @@
##           master   #11092      +/-   ##
==========================================
- Coverage   94.52%   93.63%   -0.90%     
==========================================
  Files          47      231     +184     
  Lines        1315    33964   +32649     
==========================================
+ Hits         1243    31801   +30558     
- Misses         72     2163    +2091     
Flag Coverage Δ
api 93.63% <61.53%> (?)
prowler-py3.10-googleworkspace ?
prowler-py3.11-googleworkspace ?
prowler-py3.12-googleworkspace ?

Flags with carried forward coverage won't be shown.

Components Coverage Δ
prowler ∅ <ø> (∅)
api 93.63% <61.53%> (∅)