<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Check My Vibe</title>
    <description>The latest articles on DEV Community by Check My Vibe (@checkmyvibe).</description>
    <link>https://dev.to/checkmyvibe</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4026553%2Fee0acf6b-b2a8-427b-bc49-6bb8937d7bac.png</url>
      <title>DEV Community: Check My Vibe</title>
      <link>https://dev.to/checkmyvibe</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/checkmyvibe"/>
    <language>en</language>
    <item>
      <title>A Practical Vibe Coding Security Checklist: What Passive Scanners Can and Cannot Prove</title>
      <dc:creator>Check My Vibe</dc:creator>
      <pubDate>Mon, 13 Jul 2026 02:24:00 +0000</pubDate>
      <link>https://dev.to/checkmyvibe/a-practical-vibe-coding-security-checklist-what-passive-scanners-can-and-cannot-prove-3hgi</link>
      <guid>https://dev.to/checkmyvibe/a-practical-vibe-coding-security-checklist-what-passive-scanners-can-and-cannot-prove-3hgi</guid>
      <description>&lt;p&gt;Vibe coding makes it possible to ship a useful web app in a weekend. It does not make the security model disappear.&lt;/p&gt;

&lt;p&gt;A generated app can compile, deploy, and look polished while still exposing a source map, shipping a credential-shaped string in a JavaScript bundle, missing basic browser security headers, or relying on authorization rules nobody has tested.&lt;/p&gt;

&lt;p&gt;The practical response is not to trust one score. It is to use the right scanner for each layer.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Disclosure:&lt;/strong&gt; I am building &lt;a href="https://checkmyvibeapp.com/" rel="noopener noreferrer"&gt;Check My Vibe&lt;/a&gt;. I include it below alongside competing tools because the useful question is not which product has the loudest claim; it is which part of the system each one can actually inspect.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  What a passive URL scan can actually prove
&lt;/h2&gt;

&lt;p&gt;A passive scanner starts with the same public surface a normal visitor can reach. Without credentials or exploit attempts, it can provide useful evidence about:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;HTTPS behavior, redirects, and certificate delivery&lt;/li&gt;
&lt;li&gt;response headers such as Content-Security-Policy, HSTS, X-Content-Type-Options, and framing controls&lt;/li&gt;
&lt;li&gt;cookies visible in public responses&lt;/li&gt;
&lt;li&gt;public HTML and selected same-origin JavaScript assets&lt;/li&gt;
&lt;li&gt;publicly reachable source maps or sensitive-looking files&lt;/li&gt;
&lt;li&gt;credential-shaped strings that were shipped to the browser&lt;/li&gt;
&lt;li&gt;CORS behavior that can be observed safely&lt;/li&gt;
&lt;li&gt;technology and deployment clues exposed in responses&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;That evidence is valuable because these are real deployment mistakes. If a production bundle contains a private key, or a source map is publicly available, the problem is already observable from outside.&lt;/p&gt;

&lt;p&gt;But wording matters. A passive scan reports what it observed at a particular URL and time. It does not prove the entire application is secure.&lt;/p&gt;

&lt;h2&gt;
  
  
  What it cannot prove
&lt;/h2&gt;

&lt;p&gt;A public, unauthenticated scan normally cannot verify:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;tenant isolation after login&lt;/li&gt;
&lt;li&gt;whether user A can read or modify user B's records&lt;/li&gt;
&lt;li&gt;the correctness of Supabase RLS policies that are not exposed through public behavior&lt;/li&gt;
&lt;li&gt;server-side authorization on every API route&lt;/li&gt;
&lt;li&gt;secret handling inside a private repository or CI system&lt;/li&gt;
&lt;li&gt;vulnerable dependencies that never reveal their versions publicly&lt;/li&gt;
&lt;li&gt;payment, webhook, password-reset, and invitation business logic&lt;/li&gt;
&lt;li&gt;administrative paths that require legitimate test accounts&lt;/li&gt;
&lt;li&gt;the absence of every vulnerability&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A green public-surface result should therefore mean &lt;strong&gt;no issue was observed in the tested surface&lt;/strong&gt;, not &lt;strong&gt;the app is safe in every respect&lt;/strong&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Four tools, four different scopes
&lt;/h2&gt;

&lt;p&gt;The feature descriptions below reflect the products' public sites in July 2026. They are not a benchmark result, and the tools can change.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Tool&lt;/th&gt;
&lt;th&gt;Primary surface&lt;/th&gt;
&lt;th&gt;Useful when&lt;/th&gt;
&lt;th&gt;Important boundary&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="https://scanvibe.dev/" rel="noopener noreferrer"&gt;ScanVibe&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;Public URL&lt;/td&gt;
&lt;td&gt;You want a fast outside-in scan, a grade, and fix prompts. Its site lists 18 analyzers covering SSL, headers, exposed secrets, libraries, files, cookies, and CORS.&lt;/td&gt;
&lt;td&gt;Outside-in evidence cannot by itself prove private authorization, database isolation, or every server-side condition.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="https://ship-safe.co/" rel="noopener noreferrer"&gt;ShipSafe&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;GitHub repository and live URL&lt;/td&gt;
&lt;td&gt;You want source-aware checks plus plain-English findings. Its site currently advertises 60+ checks and says uploaded code is deleted after scanning.&lt;/td&gt;
&lt;td&gt;Repository access gives deeper visibility, but the result still depends on rule coverage, repository completeness, and runtime configuration.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="https://securevibe.org/" rel="noopener noreferrer"&gt;SecureVibe&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;Cursor and VS Code&lt;/td&gt;
&lt;td&gt;You want file-level feedback inside the IDE before deployment, with reports and remediation prompts. Its site says it does not collect or store code.&lt;/td&gt;
&lt;td&gt;IDE analysis is strongest on code it can see; it may not observe the final CDN, proxy, DNS, header, or production configuration.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="https://checkmyvibeapp.com/" rel="noopener noreferrer"&gt;Check My Vibe&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;Passive public web surface plus a manual checklist&lt;/td&gt;
&lt;td&gt;You want a free, no-account first pass over public deployment mistakes, followed by a separate 36-point review checklist.&lt;/td&gt;
&lt;td&gt;It does not log in, exploit the target, recursively crawl the whole site, inspect a private repo, or certify backend policy correctness.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;This is not a winner-takes-all category. The products above overlap, but they sit at different points in the delivery loop: editor, repository, deployed application, and manual review.&lt;/p&gt;

&lt;h2&gt;
  
  
  A practical layered workflow
&lt;/h2&gt;

&lt;p&gt;For an AI-built app, I would use the following order.&lt;/p&gt;

&lt;h3&gt;
  
  
  1. Run a passive scan on the deployed URL
&lt;/h3&gt;

&lt;p&gt;Do this before sharing the launch publicly. Fix obvious header gaps, exposed source maps, accidentally public files, browser-shipped secrets, and unsafe redirects. Re-run after the fix.&lt;/p&gt;

&lt;p&gt;Only scan sites you own or are authorized to assess. Passive does not mean permissionless.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. Scan the repository and dependency graph
&lt;/h3&gt;

&lt;p&gt;A URL scanner cannot see most server code. Use repository-aware secret scanning, dependency analysis, and static analysis. Review findings rather than pasting every generated fix blindly; automated remediation can change behavior or introduce new bugs.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Add feedback inside the editor or CI pipeline
&lt;/h3&gt;

&lt;p&gt;The cheapest issue is the one that never reaches production. IDE and CI checks can flag new secrets, unsafe patterns, and dependency changes close to the commit that introduced them.&lt;/p&gt;

&lt;h3&gt;
  
  
  4. Test authorization with real roles
&lt;/h3&gt;

&lt;p&gt;Create a small role matrix: anonymous user, normal user, second tenant, support user, and administrator. For every sensitive action, record who should be able to read, create, update, and delete.&lt;/p&gt;

&lt;p&gt;Then test the negative cases. Can user A request user B's object ID? Can a normal user call an admin API directly? Does hiding a button merely hide the action, or does the server enforce the rule?&lt;/p&gt;

&lt;h3&gt;
  
  
  5. Review the data layer separately
&lt;/h3&gt;

&lt;p&gt;For Supabase, Firebase, or another backend-as-a-service, inspect policies in the provider console. Verify row-level rules, storage permissions, service-role key handling, backups, and logs. A public scanner should not claim to have proven private policy state it cannot access.&lt;/p&gt;

&lt;h3&gt;
  
  
  6. Exercise business logic
&lt;/h3&gt;

&lt;p&gt;Password resets, email changes, invitations, checkout sessions, refunds, webhooks, and file uploads deserve explicit abuse cases. These failures are often specific to the product and are difficult for a generic scanner to infer.&lt;/p&gt;

&lt;h3&gt;
  
  
  7. Escalate when the risk justifies it
&lt;/h3&gt;

&lt;p&gt;If the app handles money, health data, identity documents, regulated information, or meaningful volumes of personal data, automated checks are only preparation. A scoped professional review or penetration test is the appropriate deeper layer.&lt;/p&gt;

&lt;h2&gt;
  
  
  A compact pre-launch checklist
&lt;/h2&gt;

&lt;p&gt;Before launch, I want clear answers to these questions:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Did any secret reach client-side code or version history?&lt;/li&gt;
&lt;li&gt;Are production source maps intentionally public?&lt;/li&gt;
&lt;li&gt;Are security headers configured at the final edge, not only in local code?&lt;/li&gt;
&lt;li&gt;Does the server enforce authorization for every sensitive operation?&lt;/li&gt;
&lt;li&gt;Have cross-tenant negative tests been run?&lt;/li&gt;
&lt;li&gt;Are database and storage policies reviewed in the provider console?&lt;/li&gt;
&lt;li&gt;Are dependencies and lockfiles scanned?&lt;/li&gt;
&lt;li&gt;Are admin functions protected server-side?&lt;/li&gt;
&lt;li&gt;Are rate limits and abuse controls present on expensive or sensitive endpoints?&lt;/li&gt;
&lt;li&gt;Are logs, backups, incident contacts, and key-rotation steps documented?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You can use the free &lt;a href="https://checkmyvibeapp.com/" rel="noopener noreferrer"&gt;Check My Vibe passive scanner and 36-point checklist&lt;/a&gt; as the first step. Treat the automated score and the manual checklist as separate evidence, then add repository, IDE, authorization, and business-logic testing according to the risk of the application.&lt;/p&gt;

&lt;p&gt;The responsible promise is not that a two-minute scan makes an app secure. It is that a well-scoped scan can reveal specific, fixable evidence — and tell you honestly what still has not been tested.&lt;/p&gt;

</description>
      <category>security</category>
      <category>webdev</category>
      <category>showdev</category>
      <category>ai</category>
    </item>
  </channel>
</rss>
