I Scanned 9 Popular AI Coding Tools for Security Issues. Here's What Every Developer Should Know.

John Ferguson — Mon, 13 Oct 2025 11:36:34 +0000

I Scanned 9 Popular AI Coding Tools for Security Issues. Here's What Every Developer Should Know.

TL;DR: I built a security scanner and scanned 9 popular AI tools (including Google's Gemini CLI) - found 435 security issues. 89% had critical vulnerabilities. Average score: 16/100 (F). But here's the thing - most of these take like 30 seconds to fix once you know they're there.

The Problem We All Face

Look, I love AI coding tools. ChatGPT writes my boilerplate. Claude refactors my mess. Copilot autocompletes before I finish thinking.

I ship features faster than ever.

But I had this nagging question nobody wants to ask:

How many security vulnerabilities am I shipping?

Traditional security tools? They interrupt your flow:

❌ Run them in CI/CD only (by the time you see issues, you've moved on)
❌ Require a security PhD to understand
❌ Generate massive reports you'll never read
❌ Break your momentum

I wanted something different. Security scanning that's as fast as linting.

What I Built

So I built VibeSec - a security scanner that actually fits into how I code. Terminal-based, explains things in normal English, gives you copy-paste fixes.

Think of it as ESLint, but for security.

# As simple as this
vibesec scan .

# Get your security score in seconds
📊 Security Score: 48/100 (D-)
🔴 1 critical issue found
🟡 2 high severity issues

Then I thought - let me actually test this on real projects. Not toy examples. Real tools people use.

How the Scoring Works

Quick note on scoring before we get into results - it's intentionally simple:

Security Score (0-100)

Every project starts at 100 points (perfect security). Issues deduct points based on severity:

Severity	Point Deduction	What It Means
CRITICAL	-25 points	Immediate exploitation risk (RCE, data breach)
HIGH	-10 points	Serious vulnerability (authentication bypass, XSS)
MEDIUM	-5 points	Should be fixed soon (missing headers, weak config)
LOW	-2 points	Best practice violation (information disclosure)

Example Calculation:

Project with:
- 2 critical issues (2 × -25 = -50 points)
- 3 high issues (3 × -10 = -30 points)
- 1 medium issue (1 × -5 = -5 points)

Score: 100 - 50 - 30 - 5 = 15/100 (F)

Grade Scale

90-100 (A+): Production-ready, excellent security
80-89  (B+): Good, minor improvements needed
70-79  (C+): Acceptable, some gaps to address
60-69  (D):  Concerning, needs security review
0-59   (F):  Critical issues, do not deploy

Important: Scores can go negative, but we floor them at 0/100. If you see 0/100, there are serious issues that need fixing.

Why This Matters

Focus on critical stuff first
Track progress as you fix things
Set standards (like "nothing below 80 gets merged")
See improvements over time

Okay, now the interesting part - what did I actually find?

The Projects I Scanned

Major AI Coding Tools

Google Gemini CLI (78K stars) - TypeScript
OpenCode (26K stars) - TypeScript
Claude-code (37K stars) - TypeScript

AI-Generated/Assisted Projects

Plandex AI - Go/TypeScript AI assistant
Chatbot UI - Next.js AI chat interface
Elia - Python ChatGPT terminal client
BuilderBot - JavaScript WhatsApp bot framework
CodePrism - JavaScript code visualization
Autodoc - TypeScript documentation generator

All real, actively-maintained projects with thousands of stars and actual users.

The Results (Yikes)

Overall Stats

Metric	Result
Average Security Score	16/100 (F)
Projects with Critical Issues	89% (8/9)
Perfect Scores	11% (1/9)
Total Issues Found	435
Most Common Issue	Missing Security Headers (29%)

Score Distribution

100/100 (A+): ███ 11% (1 project)
 48/100 (D-): ███ 11% (1 project)
  0/100 (F) : ███████████████████████ 78% (7 projects)

Complete Project Scores

Project	Score	Grade	Critical	High	Medium	Low	Total	Files Scanned
Autodoc	100/100	A+ ✨	0	0	0	0	0	20
Plandex AI	48/100	D-	1	2	1	1	5	353
Gemini CLI	0/100	F 🚨	8	33	60	36	137	894
OpenCode	0/100	F	2	2	37	7	48	322
Chatbot UI	0/100	F	5	3	10	0	18	261
Elia	0/100	F	2	11	0	0	13	12
BuilderBot	0/100	F	20	14	22	21	77	192
CodePrism	0/100	F	7	39	39	49	134	58
Claude-code	0/100	F	3	0	0	0	3	2
AVERAGE	16/100	F	5.3	11.6	18.8	12.7	48.3	235

What this means:

Only 1 project out of 9 passed (that's 11%)
8 out of 9 had critical vulnerabilities
Google's Gemini CLI? 137 issues across 894 files
Even tiny projects (2 files) had 3 critical issues
Average project: 48 exploitable security issues

Real talk: If you're using these tools or building with AI assistance, you're probably shipping vulnerabilities. I know because I was.

Real Issues Found in Real Tools

🚨 Google Gemini CLI - 137 Issues

Score: 0/100 (F)

8 Critical Issues Found, including:

Command Injection in Sandbox:

// packages/cli/src/utils/sandbox.ts
exec(`some-command ${userInput}`); // ❌ CRITICAL

Why This Matters: This is Google's official tool with 78K stars. If Google ships command injection, what's hiding in your codebase? (Spoiler: probably the same stuff)

🔴 OpenCode - 48 Issues

Score: 0/100 (F)

2 Critical Issues:

// github/index.ts - Command Injection
exec(`git ${userCommand}`); // ❌ User input in shell

// agent/agent.ts - Commented Security Check
// if (isValidInput(data)) { return data; } // ❌ Security disabled
return data; // No validation!

The Real Problem: Someone commented out the security check to "move faster." We've all done it. This is what happens when security tools slow you down - you just... disable them.

✅ Plandex AI - 5 Issues

Score: 48/100 (D-)

1 Critical Issue:

// docs/docusaurus.config.ts
apiKey: 'a811f8bcdd87a8b3fe7f22a353b968ef', // ❌ Hardcoded

Plus missing CSP headers and security hardening.

Why This Scored Better: Mostly Go with strong typing. Turns out language choice matters. (Still had issues though)

💀 BuilderBot - 77 Issues

Score: 0/100 (F)

20 Critical Issues across all OWASP Top 10 categories:

// Command Injection (5 instances)
exec(`git clone ${req.body.repo}`);

// SQL Injection (3 instances)
db.query(`SELECT * FROM users WHERE id = ${userId}`);

// Path Traversal (4 instances)
fs.readFile(`./data/${req.params.file}`);

// Hardcoded Secrets (8 instances)
const apiKey = "sk_live_1234567890";

This is the danger zone. When you prioritize "just make it work" over "make it secure."

The Same Mistakes, Over and Over

1. Command Injection (Still!)

Found in 14 different files across projects:

// ❌ The Pattern
exec(`command ${userInput}`)
spawn(`git ${repo}`)
system(f"rm {filename}")

// ✅ The Fix (30 seconds)
const { execFile } = require('child_process');
execFile('git', ['clone', userRepo]);

2. Hardcoded Secrets (Everywhere)

Found 45 instances of hardcoded API keys:

// ❌ The Pattern
const apiKey = "sk_live_xxx";
const password = "admin123";

// ✅ The Fix (10 seconds)
const apiKey = process.env.OPENAI_API_KEY;

3. Missing Security Headers (29% of Issues)

Found in every single web application:

// ❌ The Pattern
const app = express();
app.use(cors());

// ✅ The Fix (5 seconds)
const helmet = require('helmet');
app.use(helmet()); // Adds CSP, HSTS, X-Frame-Options, etc.

How to Actually Fix This

Here's what I learned: Security checks should feel like linting, not like homework.

The Better Workflow

1. Write Code (with AI assistance)

# You're in your flow, shipping features
git add .

2. Quick Security Check (2 seconds)

vibesec scan .

3. Get Instant, Actionable Feedback

🔴 CRITICAL: Command Injection in src/api/index.js:42

📍 Location:
   40 | app.post('/clone', (req, res) => {
   41 |   const repo = req.body.repo;
→  42 |   exec(`git clone ${repo}`);
   43 | });

⚠️  Risk: User can execute arbitrary commands

✅ Fix:
const { execFile } = require('child_process');
execFile('git', ['clone', repo]);

📚 Learn more: https://owasp.org/command-injection

4. Apply the Fix (30 seconds)

// Copy-paste the working code
const { execFile } = require('child_process');
execFile('git', ['clone', repo]);

5. Re-scan & Commit

vibesec scan .

# Before fix:
📊 Security Score: 75/100 (C+)
🔴 1 critical issue (-25 points)
🟡 0 high issues

# After fix:
📊 Security Score: 100/100 (A+) ✨
✅ All critical issues resolved!
🎉 Production-ready

git commit -m "Add clone endpoint (security verified)"

Score improvement: 75 → 100 (+25 points)
Time invested: ~1 minute
Security issues prevented: Could save your company millions

Why This Approach Works

✅ Fast Feedback Loop

Scan completes in seconds
Issues shown immediately
Fix while context is fresh

✅ Plain Language

No security PhD required
Explains the actual risk
Shows working code fixes

✅ Stays Local

Runs in your terminal
No code leaves your machine
Works offline

✅ Integrates Everywhere

# Pre-commit hook
vibesec scan --staged

# CI/CD
vibesec scan . --fail-on critical

# IDE
vibesec watch .

# Pre-push
vibesec scan --diff main

The Security Debt Crisis

What We Found Across All 9 Projects

Severity	Count	% of Total	Impact
Critical	52	12%	Immediate exploitation risk
High	73	17%	Serious security concerns
Medium	165	38%	Should be fixed soon
Low	145	33%	Best practice violations
TOTAL	435	100%	—

Top 5 Issue Categories

Category	Count	Quick Fix?
1. Missing Security Headers	126	✅ Yes (5 sec)
2. Injection Vulnerabilities	84	✅ Yes (30 sec)
3. Hardcoded Secrets	45	✅ Yes (10 sec)
4. CSRF/CORS Issues	38	✅ Yes (1 min)
5. Weak Cryptography	27	⚠️ Moderate (5 min)

The good news? Most issues have 10-30 second fixes. You don't need a security team - you just need to know they're there.

Real Developer Workflows

Workflow 1: Pre-Commit Check

# .git/hooks/pre-commit
#!/bin/sh
vibesec scan --staged --fail-on critical

# Prevents commits with critical issues
# Takes 2-3 seconds
# Catches issues before they reach main

Workflow 2: PR Review

# In your CI/CD
- name: Security Scan
  run: |
    vibesec scan . --output json > report.json
    vibesec scan . --diff ${{ github.base_ref }}

# Shows exactly what new issues were introduced
# Comments on PR automatically

Workflow 3: Development Watch Mode

# While you code
vibesec watch .

# Auto-scans on file save
# Shows issues in real-time
# Like nodemon, but for security

Workflow 4: Quick Spot Check

# Before pushing
vibesec scan src/

# 2-second sanity check
# Catches obvious issues
# Prevents embarrassment

Why AI Code Needs This More

The AI Code Security Problem

AI assistants are amazing at functionality, but they:

❌ Don't prioritize security by default
❌ Use patterns from Stack Overflow (circa 2015)
❌ Copy code without understanding context
❌ Ship what works, not what's secure

The Data Proves It

From our scans:

89% of AI-assisted projects had critical vulnerabilities
Average score: 16/100 (would fail any security audit)
Most common issue: Patterns that "work" but aren't secure

But Here's the Thing...

AI code isn't inherently less secure. It's just faster to write, which means:

More code shipped = more potential issues
Less time for security review
Security becomes an afterthought

Solution: Make security checks as fast as the code generation.

How VibeSec is Different

You might be thinking: "We already have SonarQube/Snyk/GitHub Security. Why do we need another security tool?"

Fair question. Here's the honest answer:

The Problem with Traditional Security Tools

Look, SonarQube and Snyk are excellent at what they do. Enterprise-grade, comprehensive analysis. But they weren't built for how we actually code with AI:

❌ They're too slow

SonarQube: 5-15 minute scans (plus you need to set up a server)
Snyk: 3-10 minutes (uploads your code to the cloud)
GitHub Security: CI/CD only (so you find out after you've already moved on)
VibeSec: 2 seconds, runs locally

❌ They break your flow

Write code → commit → push → wait 10 minutes → check dashboard in browser → try to remember what you were doing → fix → repeat
VibeSec: Scan right there in your terminal while you still remember what you wrote

❌ They speak security-ese

"CWE-78: Improper Neutralization of Special Elements used in an OS Command"
Me: googles what that means
VibeSec: "Attackers can run any command. Here's the fix: [3 lines of code]"

❌ They're not built for AI code

Generic rules that miss AI-specific patterns
Don't catch the copy-paste mistakes AI tools make
VibeSec: Built specifically for catching AI-generated vulnerabilities

The Shift-Left Approach

Think of security tools as layers of defense:

VibeSec (Dev)     →  SonarQube (CI/CD)  →  Snyk (Production)
    ↓                       ↓                      ↓
2 seconds            5-15 minutes           Continuous
While coding         After commit           After deploy
Catch 80%           Catch remaining 15%     Monitor 5%

VibeSec isn't a replacement - it's a complement.

Real Workflow Comparison

Let's say Copilot just helped you write a file upload endpoint:

Traditional Workflow (SonarQube/Snyk)

# 1. Write code with AI
[GitHub Copilot suggests upload code]

# 2. Commit and push
git add . && git commit -m "Add upload" && git push

# 3. Wait for CI/CD (5-15 minutes)
[Go get coffee ☕]

# 4. Check dashboard
[Login to SonarQube dashboard]
[Where's my project again?]
[Click through 3 pages to find the report]

# 5. Read finding
"CWE-22: Improper Limitation of Pathname"
[Wait, what does that mean?]
[Google CWE-22]
[Read OWASP docs]
[Try to understand the fix]

# 6. Go back to code (what was I doing?)
[Open the file again]
[Re-read the code I wrote 20 minutes ago]
[Try to remember the context]
[Apply fix]

# 7. Repeat cycle
git add . && git commit -m "Fix security issue" && git push
[Wait another 5-15 minutes]

Total time: 20-40 minutes + you've completely lost your flow

VibeSec Workflow

# 1. Write code with AI
[Copilot suggests upload code]

# 2. Quick scan (literally 2 seconds)
vibesec scan .

# 3. Instant feedback
🔴 CRITICAL: Path Traversal in src/upload.js:12

📍 Location:
   10 | app.post('/upload', (req, res) => {
   11 |   const filename = req.body.name;
→  12 |   fs.writeFile(`./uploads/${filename}`, data);
   13 | });

⚠️  Risk: Attackers can write to any directory
    Example: filename="../../../etc/passwd"

✅ Fix:
const path = require('path');
const safeName = path.basename(filename);
fs.writeFile(`./uploads/${safeName}`, data);

# 4. Copy-paste fix (10 seconds)
[Apply the fix]

# 5. Re-scan (2 seconds)
vibesec scan .
✅ All issues resolved! Score: 100/100

# 6. Commit secure code
git add . && git commit -m "Add secure upload"

Total time: 30 seconds + you're still in the zone

Feature Comparison

Feature	VibeSec	SonarQube	Snyk	GitHub Security
Scan Speed	2 seconds	5-15 minutes	3-10 minutes	CI/CD only
Where it runs	Local terminal	Server/Cloud	Cloud	GitHub Cloud
Setup required	`npm install -g`	Docker + config	Account + integration	Enable in repo settings
Privacy	Code never leaves machine	Uploaded to server	Uploaded to cloud	Uploaded to GitHub
Output format	Plain English + fixes	Technical (CWE/CVE)	Technical + guidance	Technical
Fix suggestions	Copy-paste ready code	Links to docs	General guidance	Links to docs
Workflow integration	Pre-commit, watch mode	CI/CD only	CI/CD + IDE plugin	CI/CD only
AI code patterns	✅ Specialized	❌ Generic	❌ Generic	❌ Generic
Dependency scanning	❌ (code only)	✅	✅✅ (best)	✅
License compliance	❌	✅	✅	✅
Custom rules	✅ YAML-based	✅ Complex	⚠️ Limited	❌
Team management	❌ (local tool)	✅✅ Enterprise	✅	✅
Historical tracking	❌ (per-scan)	✅✅	✅	✅
Price	Free (open source)	$$$$ (enterprise)	$$ (per developer)	$$$ (per seat)

When to Use What

Use VibeSec when:

✅ Coding with AI assistance (Copilot, Claude, ChatGPT)
✅ You want instant feedback (during development)
✅ You need plain language explanations
✅ You're working on a personal/startup project
✅ Privacy matters (code must stay local)
✅ You want to catch issues before committing

Use SonarQube when:

✅ You need enterprise-grade reporting
✅ You want team dashboards and metrics
✅ You need historical trend analysis
✅ Compliance requires audit trails
✅ You have a large monorepo (1M+ lines)

Use Snyk when:

✅ Dependency vulnerabilities are your main concern
✅ You need container/IaC scanning
✅ You want automated dependency PRs
✅ License compliance is critical

Use GitHub Advanced Security when:

✅ You're all-in on GitHub
✅ You want CodeQL for deep analysis
✅ Secret scanning is priority
✅ You need compliance reports

The Ideal Stack

Best practice: Use VibeSec + one other tool

┌─────────────────────────────────────┐
│   Development (You write code)      │
│   → VibeSec (2 seconds)             │  ← Shift left!
│   → Fix issues before commit        │
└─────────────────────────────────────┘
              ↓
┌─────────────────────────────────────┐
│   CI/CD (After commit)              │
│   → SonarQube/Snyk/GitHub Security  │  ← Catch what's left
│   → Block merge if critical         │
└─────────────────────────────────────┘
              ↓
┌─────────────────────────────────────┐
│   Production (Deployed)             │
│   → Snyk/GitHub (monitoring)        │  ← Runtime protection
│   → Alert on new CVEs               │
└─────────────────────────────────────┘

Result:

80% of issues caught in development (VibeSec - 2 seconds)
15% caught in CI/CD (SonarQube - 5 minutes)
5% caught in production (Snyk - monitoring)

Catch issues earlier = cheaper to fix + faster development

Why Speed Actually Matters

Security tools only work if you actually use them.

Real developer behavior (be honest):

✅ Will run: 2-second tool every commit
⚠️ Might run: 5-minute tool before pushing
❌ Won't run: 15-minute tool manually
❌ Will ignore: Findings that show up 30 minutes later

Real talk: If the feedback loop is too slow, you skip it. Or you ignore it when the results finally show up (and you're already working on something else).

VibeSec is designed to be faster than running your tests - so fast you don't even think about it.

Real User Quote

"SonarQube is for code review. Snyk is for dependencies. VibeSec is for right now while I'm coding. Completely different use cases."

— Developer who uses all three

The One Project That Actually Passed

Autodoc - TypeScript documentation generator

Why it scored 100/100:

No hardcoded secrets
Proper input validation
Safe file operations
Environment variables used correctly
No dangerous patterns (eval, exec, etc.)

What I learned from this:

Security isn't rocket science
It's just consistent habits
Automated checks catch what you miss at 2am

How to Get Started

Step 1: Install VibeSec

npm install -g vibesec
# or
bun install -g vibesec

Step 2: Scan Your Project

cd your-project
vibesec scan .

Step 3: Fix Critical Issues First

# Focus on what matters
vibesec scan . --severity critical

# Get detailed fixes
vibesec scan . --explain

Step 4: Add to Your Workflow

# Pre-commit hook
vibesec install-hooks

# Watch mode while developing
vibesec watch .

# CI/CD integration
vibesec scan . --fail-on high --output json

What VibeSec Checks For

93 Security Rules across 16 categories:

Critical Issues

✅ Command Injection (exec, spawn, system)
✅ SQL Injection (string concatenation)
✅ Path Traversal (user input in file paths)
✅ Hardcoded Secrets (API keys, passwords)
✅ Insecure Deserialization (pickle, unserialize)

High Severity

✅ XSS Vulnerabilities (innerHTML, eval)
✅ CSRF Protection (missing tokens)
✅ SSRF (server-side requests)
✅ Weak Cryptography (MD5, SHA1, weak keys)
✅ Authentication Issues (weak passwords, no rate limiting)

Best Practices

✅ Security Headers (CSP, HSTS, X-Frame-Options)
✅ CORS Configuration
✅ Prototype Pollution (JavaScript)
✅ Input Validation
✅ Error Handling

Languages Supported: JavaScript, TypeScript, Python, PHP, Java, Go

The Bigger Picture

Security Should Feel Like Linting

Remember when we didn't have ESLint? Code quality was subjective. Style was inconsistent. Bugs slipped through.

Then ESLint made quality automatic and fast:

⚡ Instant feedback
🎯 Clear rules
🔧 Auto-fix suggestions
📈 Measurable improvement

That's what security scanning should be.

The Cost of Waiting

According to IBM Security, the average cost of a data breach in 2024:

$4.45 million per breach
$165 per compromised record
277 days average time to identify and contain

Compare that to:

2 seconds to run a security scan
30 seconds to fix a command injection
$0 cost to prevent the breach

The Reality

Every project we scanned was:

✅ Functional and working
✅ Passing all tests
✅ Used by thousands of users
❌ Shipping security vulnerabilities

Functionality isn't enough.

Key Takeaways for Developers

1. Fast Tools Win

Security that interrupts flow doesn't get used. Make it faster than your test suite.

2. Plain Language Wins

"CWE-78" means nothing. "Attackers can execute any command" is clear. Explain like I'm coding at 2am.

3. Fixes Win Over Findings

Don't just point out issues. Show the working code fix. Copy-paste ready.

4. Local First Wins

Code never leaves your machine. No security review needed to use the tool. Privacy matters.

5. AI Code Needs More Scrutiny

It's not that AI code is less secure - it's that we generate it faster. More code = more surface area. Scan accordingly.

The Challenge

Okay, here's my challenge:

Scan your current project. Right now. I'll wait.

Not "I'll do it tomorrow." Not "next sprint." Now.

I bet you'll find:

At least one hardcoded API key you forgot about
Missing security headers
A SQL injection vulnerability somewhere
Command injection you copy-pasted from Stack Overflow

And I bet you can fix them all in under 10 minutes.

Try me.

Try It Yourself

# Install
npm install -g vibesec

# Scan
cd your-project
vibesec scan .

# Get your score
# Fix the issues
# Scan again
# Ship secure code

GitHub: github.com/ferg-cod3s/vibesec

What's Next

I'm working on:

IDE plugins (VSCode, Cursor, Neovim)
Real-time scanning (as you type)
AI-powered fix suggestions (not just templates)
Custom rule creation (for your team's patterns)
Compliance reports (SOC2, HIPAA, etc.)

Want early access? Drop a comment or star the repo.

Frequently Asked Questions

"Why do some projects score 0/100 instead of negative?"

Scores are floored at 0/100 to keep the scale simple. When you see 0/100, it means the project has accumulated so many issues that it's effectively "maxed out" the deduction scale. Focus on fixing critical issues first.

"Are these false positives?"

Some might be context-dependent (e.g., CSP headers on CLI tools), but the critical issues (command injection, hardcoded secrets, SQL injection) are real vulnerabilities. The tool flags patterns that could be exploited - manual review is recommended for your specific context.

"Can I customize the scoring?"

Yes! You can:

Adjust severity weights in config
Disable rules that don't apply to your project type
Create custom rules for your team's standards
Set different thresholds for different environments

"How does this compare to other tools?"

Short answer: VibeSec is designed for development workflow, not CI/CD or production monitoring.

Use Case	Best Tool
While coding (instant feedback)	VibeSec ⚡
CI/CD (comprehensive analysis)	SonarQube, Snyk
Dependencies (CVE monitoring)	Snyk, GitHub Security
Production (runtime monitoring)	Snyk, AppSec tools

Detailed comparison: See the How VibeSec is Different section above for workflow examples, feature matrices, and when to use each tool.

TL;DR: VibeSec complements enterprise tools by catching issues during development (shift-left security). Use VibeSec for fast feedback, then use SonarQube/Snyk/GitHub Security for comprehensive CI/CD analysis.

"What about Go/Rust/other languages?"

Currently supports: JavaScript, TypeScript, Python, PHP, Java, Go

Coming soon: Rust, Ruby, C#, Swift

Language support is actively expanding based on community feedback.

Final Thoughts

Security doesn't have to kill your productivity. Finding issues before production is way faster than dealing with breaches after.

I scanned 9 popular projects. Found 435 security issues. Most took 10-30 seconds to fix. None required a PhD.

The real question isn't "Can we afford to add security to our workflow?"

It's "Can we afford to keep shipping vulnerabilities?"

Because eventually, one of them is gonna bite you.

Discussion

What's your workflow for catching security issues? Scan before commits? Rely on CI/CD? Just ship it and hope?

Let me know in the comments. I'm genuinely curious.

And if this was useful:

⭐ Star VibeSec on GitHub
🔗 Share with your team
💬 Follow for more posts about security + AI code

About VibeSec

VibeSec is an open-source security scanner designed for developers who code with AI assistance. It runs in your terminal, speaks plain language, and fits your workflow.

Features:

93 security rules (OWASP Top 10 coverage)
JavaScript, TypeScript, Python, PHP, Java, Go support
Plain language explanations
Working code fixes
Fast (scans 1000+ files in seconds)
Local-first (your code never leaves your machine)

Connect:

GitHub: @ferg-cod3s
Twitter: @f3rg_codes
Website: vibesec.dev (coming soon)

All projects scanned are open-source and publicly available. Issues have been responsibly disclosed to project maintainers.

security #ai #javascript #typescript #devtools #opensource #workflow #devsecops

DEV Community: John Ferguson

I Scanned 9 Popular AI Coding Tools for Security Issues. Here's What Every Developer Should Know.

I Scanned 9 Popular AI Coding Tools for Security Issues. Here's What Every Developer Should Know.

The Problem We All Face

What I Built

How the Scoring Works

Security Score (0-100)

Grade Scale

Why This Matters

The Projects I Scanned

Major AI Coding Tools

AI-Generated/Assisted Projects

The Results (Yikes)

Overall Stats

Score Distribution

Complete Project Scores

Real Issues Found in Real Tools

🚨 Google Gemini CLI - 137 Issues

🔴 OpenCode - 48 Issues

✅ Plandex AI - 5 Issues

💀 BuilderBot - 77 Issues

The Same Mistakes, Over and Over

1. Command Injection (Still!)

2. Hardcoded Secrets (Everywhere)

3. Missing Security Headers (29% of Issues)

How to Actually Fix This

The Better Workflow

Why This Approach Works

✅ Fast Feedback Loop

✅ Plain Language

✅ Stays Local

✅ Integrates Everywhere

The Security Debt Crisis

What We Found Across All 9 Projects

Top 5 Issue Categories

Real Developer Workflows

Workflow 1: Pre-Commit Check

Workflow 2: PR Review

Workflow 3: Development Watch Mode

Workflow 4: Quick Spot Check

Why AI Code Needs This More

The AI Code Security Problem

The Data Proves It

But Here's the Thing...

How VibeSec is Different

The Problem with Traditional Security Tools

The Shift-Left Approach

Real Workflow Comparison

Traditional Workflow (SonarQube/Snyk)

VibeSec Workflow

Feature Comparison

When to Use What

The Ideal Stack

Why Speed Actually Matters

Real User Quote

The One Project That Actually Passed

How to Get Started

Step 1: Install VibeSec

Step 2: Scan Your Project

Step 3: Fix Critical Issues First

Step 4: Add to Your Workflow

What VibeSec Checks For

Critical Issues

High Severity

Best Practices

The Bigger Picture

Security Should Feel Like Linting

The Cost of Waiting

The Reality

Key Takeaways for Developers

1. Fast Tools Win

2. Plain Language Wins

3. Fixes Win Over Findings

4. Local First Wins

5. AI Code Needs More Scrutiny

The Challenge

Try It Yourself

What's Next

Frequently Asked Questions

"Why do some projects score 0/100 instead of negative?"