kg8888

I Built a Security Scanner for AI Apps — Then I Ran It on My Own Site

I built VibeSafe — a 24-check security scanner for apps made with AI coding tools (Cursor, Lovable, Bolt, v0, Replit).

The idea came from a pattern I kept seeing: AI tools produce code that works, but rarely code that's secure. Hardcoded API keys, disabled Row Level Security, missing CSP headers, exposed .env files. Same issues, different apps.

Before writing a line of scanner code, I manually audited 5 real vibe-coded apps:

  • 5/5 had at least one critical vulnerability
  • 3/5 had exposed API keys in frontend JavaScript
  • 4/5 had Row Level Security completely disabled
  • 1/5 had their entire database publicly readable

Every founder was shocked. None of them knew.

The Dogfood Test

So I built the scanner — 24 checks across pre-launch source code and post-launch live URLs.

Then I ran it on my own site. The worst possible outcome:

Zero issues. Clean scan. Trust badge earned.

Not because I'm a security expert. Because I built the scanner to catch exactly what I knew AI tools get wrong — and I fixed each issue before shipping.

What the Scanner Checks (24 total)

Pre-launch (10 checks — source code):

  • Exposed secrets, SQL injection, Supabase RLS, Firebase rules
  • Hardcoded credentials, unprotected API routes, Stripe webhook verification
  • Dependency CVE audit, DB config exposure

Post-launch (14 checks — live URL):

  • SSL/TLS, security headers, exposed files, JS bundle secrets
  • CORS, rate limiting, data breach check, source map exposure
  • Cookie security, robots.txt analysis, subdomain discovery
  • Supply chain / SBOM check, trust badge

Why I'm Posting This

I'm running a launch week. Everything is 40% off with code LAUNCH40:

Product                             Regular   Launch Price
Post-Launch Scan (14 URL checks)    $19       $11
Pre-Launch Audit (10 repo checks)   $39       $23
Full Bundle (all 24 checks)         $49       $29
Continuous Protection (weekly)      $39/mo    $23/mo

One-time pricing, plain-English reports with exact fixes.

vibesafe.store


Quick check for your own codebase:

```sh
# finds JWT tokens ("eyJ" is the base64 encoding of '{"', the start of every JWT header)
grep -rn "eyJ" --include="*.js" --include="*.ts" .
# finds hardcoded creds
grep -rn "api_key\|password\|secret" --include="*.js" .
```

You might be surprised what you find.
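A slightly stricter version of the quick check above, added here as an example and not VibeSafe's own code: it keeps the same "eyJ" and credential-name heuristics as the two greps, but decodes each candidate's header to confirm it really is a JWT, skips env lookups, and reports line numbers with truncated values so the report does not reproduce the secret. `SAMPLE_JS` is a constructed snippet, not taken from any real app.

```python
import base64
import json
import re

# Candidate JWT: three base64url segments. Every JWT starts with "eyJ" because that is
# the base64 encoding of '{"', which is all the grep above keys on.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")
# Hardcoded credential: a key-ish identifier assigned a quoted literal. An env lookup
# such as process.env.X has no quoted literal on the right-hand side and is not flagged.
CRED_RE = re.compile(
    r"""(?i)\b(\w*?(?:api[_-]?key|secret|password|token)\w*)\s*[:=]\s*["']([^"']{8,})["']"""
)

def is_real_jwt(candidate: str) -> bool:
    """Cut grep's "eyJ" false positives: decode the header and require a JSON object with 'alg'."""
    header = candidate.split(".")[0]
    try:
        raw = base64.urlsafe_b64decode(header + "=" * (-len(header) % 4))
        parsed = json.loads(raw)
    except ValueError:  # bad base64 (binascii.Error is a ValueError) or not JSON
        return False
    return isinstance(parsed, dict) and "alg" in parsed

def scan_text(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, finding_type, identifier or redacted token) per hit.
    Tokens are truncated so the report itself does not reproduce the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in JWT_RE.finditer(line):
            if is_real_jwt(m.group(0)):
                findings.append((lineno, "jwt", m.group(0)[:12] + "..."))
        for m in CRED_RE.finditer(line):
            findings.append((lineno, "hardcoded_credential", m.group(1)))
    return findings

# Constructed sample bundle excerpt (not taken from any real app) for the demo run.
SAMPLE_JS = """// constructed sample bundle excerpt
const apiKey = "sk_live_0123456789abcdef";
const dbPassword = process.env.DB_PASSWORD;
const authHeader = "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.c2lnbmF0dXJlX3BsYWNlaG9sZGVy";
const cacheKey = "eyJub3RfYV9qd3Q.xxxxxxxxxxxx.yyyyyyyyyyyy";
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_JS):  # reports the apiKey line and the real JWT only
        print(hit)
```

The `cacheKey` line is caught by the raw grep but dropped here because its header does not decode to a JSON object, while the `process.env` lookup is never flagged.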

Top comments (1)

Alex Shev

Running the scanner on your own site is the right credibility move. AI app security tools get much more useful when they show the exact finding, why it matters, and what changed after the fix.