Built a Flask app with Cursor last week. Login, dashboard, API — took about 20 minutes. Everything worked great. Then I got curious and ran a security scanner on it. 0 out of 100. Grade F. lol
The app runs perfectly fine. It just happens to be completely exploitable if anyone bothers to look. So I scanned about 10 more open source vibe-coded projects on GitHub. 8 out of 10 had similar issues. AI picks the shortest path to "it works" and that path is almost always the least secure one.
This bugged me enough that I built a GitHub Action that scans every PR automatically. One YAML file, posts findings as PR comments with the exact line and how to fix it.
To be clear about what it can't do:
No business logic bugs — if your auth flow is broken by design, pattern matching won't catch it
Static analysis only — reads code, doesn't run your app
Doesn't catch everything — focuses on patterns AI commonly gets wrong
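To make the "static analysis, pattern matching only" point concrete, here is an added example of the kind of line-based scanner such an Action runs over a PR, with the output shaped like a PR comment. It is not the vibesafe-action's code; the three rules, the remediation text and both Flask samples are constructed for this illustration. The second sample shows the stated limit: an auth flow that is broken by design (the password is read but never checked) produces no findings, because nothing on the line looks wrong to a regex.

```python
import re
from dataclasses import dataclass

# Constructed sample: a small Flask file in the style a code assistant might emit.
SAMPLE_APP = '''\
from flask import Flask, request
import sqlite3

app = Flask(__name__)
app.config["SECRET_KEY"] = "dev-secret-123"

@app.route("/user")
def user():
    name = request.args.get("name")
    conn = sqlite3.connect("app.db")
    rows = conn.execute("SELECT * FROM users WHERE name = '%s'" % name)
    return str(list(rows))

if __name__ == "__main__":
    app.run(debug=True)
'''

# Constructed sample: a business-logic flaw that no line-level pattern can see.
SAMPLE_AUTH = '''\
from flask import Flask, request, session

app = Flask(__name__)

@app.route("/login", methods=["POST"])
def login():
    username = request.form.get("username")
    password = request.form.get("password")  # read, never verified
    session["user"] = username
    return "ok"
'''


@dataclass
class Finding:
    rule: str
    line: int
    snippet: str
    fix: str


# Hypothetical rule set: (id, regex, one-line remediation). The regexes are
# deliberately simple; a scanner of this style is a per-line matcher, nothing more.
RULES = [
    ("hardcoded-secret-key",
     re.compile(r'SECRET_KEY["\']?\]?\s*=\s*["\'][^"\']+["\']'),
     "Load the secret from the environment, e.g. os.environ['SECRET_KEY']."),
    ("flask-debug-enabled",
     re.compile(r'\.run\([^)]*debug\s*=\s*True'),
     "Do not run with debug=True outside local development; the Werkzeug debugger exposes a console."),
    ("sql-string-formatting",
     re.compile(r'execute\(\s*(f["\']|["\'][^"\']*["\']\s*%|["\'][^"\']*["\']\s*\+)'),
     "Use parameterised queries: conn.execute('... WHERE name = ?', (name,))."),
]


def scan_source(source: str) -> list[Finding]:
    """Run every rule over every line; report the line number and the matching text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern, fix in RULES:
            if pattern.search(line):
                findings.append(Finding(rule_id, lineno, line.strip(), fix))
    return findings


def format_pr_comment(path: str, findings: list[Finding]) -> str:
    """Render findings as a PR-comment bot would: file:line, rule, snippet, fix."""
    if not findings:
        return f"{path}: no findings"
    return "\n".join(
        f"{path}:{f.line} [{f.rule}] `{f.snippet}`\n  fix: {f.fix}" for f in findings
    )


if __name__ == "__main__":
    print(format_pr_comment("app.py", scan_source(SAMPLE_APP)))
    print(format_pr_comment("auth.py", scan_source(SAMPLE_AUTH)))
```

Running it flags three lines in the first sample (the hard-coded secret, the string-formatted SQL, and `debug=True`) and nothing in the second, which is exactly the gap the list above describes: the scanner reports what a line looks like, not what the application does.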
I'm not a security expert, which is exactly why I needed something like this. If you're vibe coding and shipping without reviewing what AI wrote, might be worth a quick scan. Results can be... humbling.
Repo: https://github.com/vibesafeio/vibesafe-action
Free, open source, no account needed.