Static security audit · built for vibe-coded apps

Ship fast. Ship safe.
Prove it.

Drop a GitHub repo or PR URL. We scan for the 30 vulnerabilities that vibe-coding tools leak most — exposed keys, missing RLS, open CORS, dangerous innerHTML — and translate them into plain English with copy-paste fixes.

No install · Under 60 seconds · Trust badge on pass

Sample report card:

scan://acme/todo-app · 3 blocking

critical  exposed-api-key
          src/pages/api/chat.ts:12
          const key = "sk-proj-abc123…"

critical  supabase-service-role-client
          lib/supabase.ts:4
          createClient(url, ADMIN_KEY)

high      permissive-cors
          next.config.ts:18
          Access-Control-Allow-Origin → wildcard

medium    default-credentials
          seed.ts:8
          password: "admin"

analysis: Anthropic Claude
/ workflow

Three steps to a trust badge.

01
Paste your repo

Drop a GitHub URL. We pull files through the GitHub API — nothing to install.

02
We find what's broken

Static analysis + Anthropic Claude catch the classics vibe-coding tools leave behind.

03
Earn your badge

Zero critical/high findings? Get a public badge URL and embed it on your launch page.

/ rule set

15 rules. Tuned for the way AI tools actually write code.

These are the issues we see over and over in Lovable, Bolt, v0, and Cursor output. If you can paste a repo, you can find them before your users do.

  • 01 Hardcoded API keys (OpenAI, Anthropic, Stripe, AWS)
  • 02 Secrets exposed via NEXT_PUBLIC_ env vars
  • 03 .env files committed to the repo
  • 04 Supabase service role in client code
  • 05 Firebase Admin SDK in client code
  • 06 MongoDB connection strings with credentials
  • 07 OAuth client secrets committed
  • 08 AWS secret access keys in source
  • 09 JWT signing secrets hardcoded
  • 10 Permissive CORS (allow-origin wildcard)
  • 11 CORS credentials with wildcard origin
  • 12 dangerouslySetInnerHTML without sanitization
  • 13 eval / new Function — dynamic code execution
  • 14 SQL built by string concatenation
  • 15 Debug / verbose mode left on
  • 16 Cookies missing HttpOnly / Secure flags
  • 17 Auth tokens stored in browser storage
  • 18 API routes without an auth check
  • 19 File uploads without size or type limits
  • 20 Unvalidated redirect targets
  • 21 Localhost URLs baked into source
  • 22 Python yaml.load without SafeLoader
  • 23 Python pickle deserialization of untrusted input
  • 24 Python shell injection (os.system, shell=True)
  • 25 Flask debug mode left enabled
  • 26 Django DEBUG = True in settings
  • 27 Django SECRET_KEY hardcoded
  • 28 Missing Content-Security-Policy
  • 29 Default / placeholder credentials
  • 30 Sensitive endpoints fetched over HTTP
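To make concrete what a rule in this list looks like as a static check, here is an added, self-contained illustration (not the product's own rule engine): a small line-based scanner implementing six of the categories above (01, 02, 10, 12, 22 and 26) over a constructed mini-repo. The rule ids, severities and regexes are assumptions chosen for the example, and the sample files are made up; a real scanner would parse the AST rather than match lines, but the shape of each rule, and the two false-positive guards (sanitized innerHTML, yaml.load with SafeLoader), carry over.

```python
"""Line-based static checks for a few of the rule categories listed above.

Added illustration; not the scanner's own rules. Rule ids, severities and
patterns are assumptions for the example, and SAMPLE_REPO is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    path: str
    line: int
    snippet: str


# (rule id, severity, compiled pattern) -- simplified, assumed patterns
RULES = [
    # 01: provider-style key literals (OpenAI/Anthropic "sk-", Stripe "sk_live_", AWS "AKIA")
    ("hardcoded-api-key", "critical",
     re.compile(r"""["'](?:sk-[A-Za-z0-9_-]{8,}|sk_live_[A-Za-z0-9]{8,}|AKIA[A-Z0-9]{16})["']""")),
    # 02: NEXT_PUBLIC_ vars are inlined into the browser bundle; a secret-looking name there is a leak
    ("next-public-secret", "high",
     re.compile(r"NEXT_PUBLIC_\w*(?:SECRET|PRIVATE|SERVICE_ROLE|TOKEN)\w*")),
    # 10: wildcard Access-Control-Allow-Origin, in header tables or setHeader calls
    ("permissive-cors", "high",
     re.compile(r"""Access-Control-Allow-Origin.*["']\*["']""")),
    # 12: dangerouslySetInnerHTML; lines that pass through a sanitizer are exempted below
    ("dangerous-inner-html", "medium", re.compile(r"dangerouslySetInnerHTML")),
    # 22: yaml.load without an explicit SafeLoader (exempted below when SafeLoader is present)
    ("yaml-unsafe-load", "high", re.compile(r"\byaml\.load\(")),
    # 26: Django DEBUG = True
    ("django-debug", "medium", re.compile(r"^\s*DEBUG\s*=\s*True\b")),
]

# Names that indicate the HTML was sanitized before insertion (assumed list)
SANITIZERS = re.compile(r"DOMPurify|sanitize")


def scan_file(path: str, text: str) -> list[Finding]:
    """Run every rule over every non-comment line of one file."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("#", "//")):
            continue  # skip comment lines to reduce noise
        for rule, severity, pattern in RULES:
            if not pattern.search(line):
                continue
            # False-positive guards for the two rules that have a safe variant
            if rule == "yaml-unsafe-load" and "SafeLoader" in line:
                continue
            if rule == "dangerous-inner-html" and SANITIZERS.search(line):
                continue
            findings.append(Finding(rule, severity, path, lineno, stripped))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """files maps repo-relative path -> file contents."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_file(path, text))
    return out


def blocking(findings: list[Finding]) -> list[Finding]:
    """Critical/high findings: the ones that would withhold a badge."""
    return [f for f in findings if f.severity in ("critical", "high")]


# Constructed sample repo; the key value is fake and the files are made up
SAMPLE_REPO = {
    "src/pages/api/chat.ts": 'const key = "sk-proj-abc123def456ghi789";\n',
    ".env.local": "NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY=eyJ...\n",
    "next.config.ts": 'headers: [{ key: "Access-Control-Allow-Origin", value: "*" }],\n',
    "components/Post.tsx": '<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(body) }} />\n',
    "loader.py": "cfg = yaml.load(f)\nsafe = yaml.load(f, Loader=yaml.SafeLoader)\n",
    "settings.py": "DEBUG = True\n",
}

if __name__ == "__main__":
    results = scan_repo(SAMPLE_REPO)
    for f in results:
        print(f"{f.severity:<8} {f.rule:<22} {f.path}:{f.line}  {f.snippet}")
    print(f"{len(blocking(results))} blocking of {len(results)} findings")
```

On the constructed repo this yields five findings, four of them blocking; the sanitized `dangerouslySetInnerHTML` line and the `SafeLoader` call are correctly skipped. The guards matter in practice: a rule that flags every `yaml.load(` or every `dangerouslySetInnerHTML` trains developers to ignore the report.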

Your next launch deserves a vibe check.

Free while in beta. Sign up, paste a repo, and ship with confidence.

Get started →