I built VibeSafe — a 24-check security scanner for apps made with AI coding tools (Cursor, Lovable, Bolt, v0, Replit).
The idea came from a pattern I kept seeing: AI tools produce code that works, but rarely code that's secure. Hardcoded API keys, disabled Row Level Security, missing CSP headers, exposed .env files. Same issues, different apps.
Before writing a line of scanner code, I manually audited 5 real vibe-coded apps:
- 5/5 had at least one critical vulnerability
- 3/5 had exposed API keys in frontend JavaScript
- 4/5 had Row Level Security completely disabled
- 1/5 had their entire database publicly readable
Every founder was shocked. None of them knew.
## The Dogfood Test
So I built the scanner — 24 checks across pre-launch source code and post-launch live URLs.
Then I ran it on my own site. The worst possible outcome:
Zero issues. Clean scan. Trust badge earned.
Not because I'm a security expert. Because I built the scanner to catch exactly what I knew AI tools get wrong — and I fixed each issue before shipping.
## What the Scanner Checks (24 total)
Pre-launch (10 checks — source code):
- Exposed secrets, SQL injection, Supabase RLS, Firebase rules
- Hardcoded credentials, unprotected API routes, Stripe webhook verification
- Dependency CVE audit, DB config exposure
Post-launch (14 checks — live URL):
- SSL/TLS, security headers, exposed files, JS bundle secrets
- CORS, rate limiting, data breach check, source map exposure
- Cookie security, robots.txt analysis, subdomain discovery
- Supply chain / SBOM check, trust badge
## Why I'm Posting This
I'm running a launch week. Everything is 40% off with code LAUNCH40:
| Product | Regular | Launch Price |
|---|---|---|
| Post-Launch Scan (14 URL checks) | $19 | $11 |
| Pre-Launch Audit (10 repo checks) | $39 | $23 |
| Full Bundle (all 24 checks) | $49 | $29 |
| Continuous Protection (weekly) | $39/mo | $23/mo |
One-time pricing, plain-English reports with exact fixes.
Quick check for your own codebase:

```shell
# finds JWT tokens (base64url-encoded JSON headers start with "eyJ")
grep -r "eyJ" --include="*.js" --include="*.ts" .

# finds hardcoded creds
grep -r "api_key\|password\|secret" --include="*.js" .
```
You might be surprised what you find.
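The two greps above are a good first pass but they also flag every `process.env.SECRET` read and every harmless string containing "eyJ". The script below is an added example, not VibeSafe's code: it scans a directory tree (or an in-memory sample) for JWT-shaped literals and for credential-looking names assigned a quoted string, skips environment-variable reads, and decodes the JWT payload to rate a key with a `service_role` claim higher, since that key bypasses Supabase RLS when it lands in client code. The regexes, the severity ratings and the sample files are assumptions made for the example.

```python
"""Heuristic secret scanner: JWT literals and hardcoded credential assignments.
Added example, not VibeSafe's implementation."""
import base64
import json
import re
from pathlib import Path

# A JWT is three base64url segments; any JSON header encodes to "eyJ...".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]*")
# A credential-like name assigned a quoted literal. Reads such as
# process.env.DB_PASSWORD are not quoted, so they do not match.
CRED_RE = re.compile(
    r"(?i)\b(api[_-]?key|password|passwd|secret|token)\b\s*[:=]\s*['\"]([^'\"]{4,})['\"]"
)
SCAN_SUFFIXES = {".js", ".ts", ".jsx", ".tsx"}


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_role(token):
    """Return the 'role' claim of an unverified JWT payload, or None."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)
        return json.loads(base64.urlsafe_b64decode(payload)).get("role")
    except (ValueError, IndexError, AttributeError):
        return None


def scan_text(path, text):
    """Return a list of findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in JWT_RE.finditer(line):
            # Assumption: Supabase-style keys carry a 'role' claim; a
            # service_role key shipped to the browser bypasses RLS entirely.
            role = jwt_role(m.group(0))
            findings.append({
                "path": path, "line": lineno, "check": "jwt_literal",
                "severity": "critical" if role == "service_role" else "high",
                "name": role or "unknown",
                "evidence": m.group(0)[:12] + "...",  # never echo the full secret
                "fix": "Use the anon key client-side; keep privileged keys on the server.",
            })
        for m in CRED_RE.finditer(line):
            findings.append({
                "path": path, "line": lineno, "check": "hardcoded_credential",
                "severity": "high",
                "name": m.group(1).lower(),
                "evidence": m.group(2)[:6] + "...",
                "fix": "Move the value to an environment variable and rotate it.",
            })
    return findings


def scan_tree(root):
    """Scan every source file under root (the equivalent of grep -r)."""
    root = Path(root)
    out = []
    for p in root.rglob("*"):
        if p.is_file() and (p.suffix in SCAN_SUFFIXES or p.name == ".env"):
            out.extend(scan_text(str(p.relative_to(root)), p.read_text(errors="replace")))
    return out


# Constructed sample "repo" standing in for a scanned project (not real keys).
SAMPLE_SERVICE_KEY = (
    _b64url({"alg": "HS256", "typ": "JWT"}) + "." + _b64url({"role": "service_role"}) + ".sig"
)
SAMPLE_FILES = {
    "src/api.js": f'const supabase = createClient(SUPABASE_URL, "{SAMPLE_SERVICE_KEY}");\n',
    "src/config.ts": 'const api_key = "sk_live_EXAMPLE_PLACEHOLDER";\n'
                     'const password = process.env.DB_PASSWORD;\n',
    "src/clean.js": 'export const secret = process.env.SECRET;\n',
}


def scan_sample():
    """Run the scanner over the constructed sample files."""
    out = []
    for path, text in SAMPLE_FILES.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['severity'].upper():8} {f['path']}:{f['line']} {f['check']} ({f['name']}) -> {f['fix']}")
```

Running it on the sample reports the service-role JWT in `src/api.js` as critical and the literal `api_key` in `src/config.ts` as high, while both `process.env` reads pass; point `scan_tree(".")` at a real checkout to get the same output for your own code.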
Top comments (1)
Running the scanner on your own site is the right credibility move. AI app security tools get much more useful when they show the exact finding, why it matters, and what changed after the fix.