Eight security scanners now exist for vibe-coded apps. A week ago there were three.
Lovable hit $400M ARR with 200,000 new projects daily. Google AI Studio added full-stack vibe coding with Firebase. Kaspersky says 45% of AI-generated code has vulnerabilities. Bloomberg Law just reported vibe coding is teaching law students "as much about AI limits as AI potential."
The security tooling ecosystem is responding fast. Even Lovable added built-in security scanning to version 2.0.
I tested every scanner I could find. Here's what each does, what it misses, and what actually matters.
The Contenders
| Scanner | Type | Price | Signup Required | Source Code | Live Site |
|---|---|---|---|---|---|
| VibeCheck (notelon.ai) | Web | Free | No | Yes | Yes |
| Vibe App Scanner | Web | $5-$29/mo | Yes | Yes | Yes |
| Aikido Security | Platform | Free tier + paid | Yes | Yes | No |
| VibeChecker | Chrome Ext | Free tier + paid | Install | Yes | No |
| amihackable.dev | Web | Free | No | No | Yes |
| ChakraView | CLI | Free/OSS | CLI install | Yes | No |
| vibecodesecure.com | Web | Unknown | No | No | Yes |
| Lovable 2.0 Built-in | Built-in | Included | No | Yes | No |
What Each Scanner Actually Does
Vibe App Scanner ($5-$29/mo)
The paid option. Built by security engineers with 15+ years' experience; claims 150+ secret patterns. Tiered pricing: Starter ($5) for quick scans, Launch ($14) for deep analysis, Pro ($29/mo) for ongoing monitoring. Has user testimonials and cites published security research (SusVibes, Tenzai, Escape.tech).
Strengths: Deep analysis, professional-grade, ongoing monitoring at pro tier, AI-ready fix instructions.
Weaknesses: Costs money. Requires signup. Not ideal for a quick "am I obviously broken?" check.
Best for: Teams with real users who need thorough, professional scanning.
VibeCheck (notelon.ai) — Free
Full disclosure: I built this one. Two-in-one scanner: GitHub repos (public + private via OAuth) AND deployed URLs from a single web interface. No signup, no CLI, no credit card. Each finding includes a copy-paste prompt for your AI coding tool.
Strengths: Both source + live site in one tool. Firebase and Supabase-specific checks. Shareable badges for READMEs. Zero friction.
Weaknesses: Static analysis only (doesn't execute code). Newer tool. Fewer secret patterns than Vibe App Scanner.
Best for: Solo founders who want a complete picture without friction or cost.
Aikido Security
Full application security platform. SAST, DAST, SCA, and secrets scanning. Published a solid vibe coder security checklist. More enterprise-oriented but has a free tier.
Strengths: Most comprehensive scanning. Covers code, dependencies, containers, and cloud. Free tier available.
Weaknesses: Overkill for most vibe coders. Setup complexity. No live site URL scanning.
Best for: Developers who want a full AppSec platform, not just vibe coding checks.
Lovable 2.0 Built-in Scanner
The platform play. Lovable now runs 4 automated security scanners before publish: RLS analysis, database schema checks, code vulnerability review, dependency audits. Triggered only when relevant changes occur.
Strengths: Zero friction for Lovable users. Catches RLS issues (the #1 Lovable vulnerability). Automated on every deploy.
Weaknesses: Only works for Lovable apps. Limited to what Lovable considers important. Independent researchers noted it "only checked for existence" of security features, not proper implementation.
Best for: Lovable users who want basic checks without leaving the platform. Use an external tool as a second opinion.
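What "checked for existence, not proper implementation" means in practice for RLS, as an added example (my own illustration, not Lovable's scanner or any other tool's code): the migration below is constructed in the style an AI tool emits, and `audit_rls` is a small text-level checker that distinguishes "RLS is switched on" from "the policies actually restrict rows". A `USING (true)` policy granted to `anon` passes an existence check and still exposes every row; a table with RLS enabled but no policies is default-deny, so the app simply stops reading it.

```python
import re

# Constructed sample migration (Supabase/Postgres style); not from any real project.
SAMPLE_MIGRATION = """
create table public.profiles (id uuid primary key, user_id uuid, email text);
create table public.orders (id uuid primary key, user_id uuid, total numeric);
create table public.notes (id uuid primary key, user_id uuid, body text);
create table public.audit_log (id bigserial primary key, event text);

alter table public.profiles enable row level security;
alter table public.orders enable row level security;
alter table public.notes enable row level security;

-- RLS is "on", which is all an existence check sees, but this policy hands
-- every row to the anon role for reads and writes.
create policy "profiles are open" on public.profiles
  for all to anon, authenticated using (true) with check (true);

-- Correct: a row is visible and writable only by its owner.
create policy "own orders" on public.orders
  for select to authenticated using (auth.uid() = user_id);
create policy "insert own orders" on public.orders
  for insert to authenticated with check (auth.uid() = user_id);
"""

NAME = r'(?:public\.)?"?(\w+)"?'
CREATE_TABLE = re.compile(r'^create\s+table\s+(?:if\s+not\s+exists\s+)?' + NAME, re.I)
ENABLE_RLS = re.compile(r'^alter\s+table\s+(?:only\s+)?' + NAME + r'\s+enable\s+row\s+level\s+security', re.I)
CREATE_POLICY = re.compile(r'^create\s+policy\s+(?:"([^"]+)"|(\w+))\s+on\s+' + NAME, re.I)
TRUE_CLAUSE = re.compile(r'\b(using|with\s+check)\s*\(\s*true\s*\)', re.I)
ROLES = re.compile(r'\bto\s+([\w,\s]+?)\s+(?:using|with\s+check)', re.I)


def audit_rls(sql):
    """Return (severity, table, message) findings for a migration script."""
    tables = {}
    findings = []
    # Strip '--' comments, then look at one statement at a time.
    for stmt in re.sub(r'--[^\n]*', '', sql).split(';'):
        stmt = stmt.strip()
        if m := CREATE_TABLE.match(stmt):
            tables.setdefault(m.group(1).lower(), {"rls": False, "policies": []})
        elif m := ENABLE_RLS.match(stmt):
            tables.setdefault(m.group(1).lower(), {"rls": False, "policies": []})["rls"] = True
        elif m := CREATE_POLICY.match(stmt):
            name, table = m.group(1) or m.group(2), m.group(3).lower()
            tables.setdefault(table, {"rls": False, "policies": []})["policies"].append(name)
            # Existence vs implementation: a policy exists, but USING (true) /
            # WITH CHECK (true) restricts nothing for the roles it names.
            clauses = [c.lower() for c in TRUE_CLAUSE.findall(stmt)]
            if clauses:
                roles = ROLES.search(stmt)
                who = roles.group(1).strip() if roles else "public"
                findings.append(("high", table,
                                 f'policy "{name}" uses {" / ".join(clauses)} (true) for {who}'))
    for table, info in sorted(tables.items()):
        if not info["rls"]:
            findings.append(("high", table, "RLS not enabled; fully reachable through the API with the anon key"))
        elif not info["policies"]:
            findings.append(("info", table, "RLS enabled but no policies: default-deny, the app cannot read it"))
    return findings


if __name__ == "__main__":
    for severity, table, message in audit_rls(SAMPLE_MIGRATION):
        print(f"[{severity}] {table}: {message}")
```

Run it and `orders` produces no finding, `audit_log` is flagged for missing RLS, `notes` for default-deny, and `profiles` for the open policy, which is the one an existence-only check waves through. Note that this is a regex pass over migration text, not a Postgres parser; policies created through the dashboard rather than migrations will not be in the file, so pair it with a query of `pg_policies` on the live database.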
VibeChecker (Chrome Extension)
Inline security checks inside your browser while you code. Watches what your AI generates and flags issues in real-time. Local-only, code never leaves your laptop.
Strengths: Catches issues during generation, not after. Chrome extension, familiar UX.
Weaknesses: Chrome-only. Doesn't scan deployed sites. Requires extension installation.
Best for: Developers using web-based AI editors (Lovable, Bolt, Replit).
amihackable.dev
URL-only scanner. Paste your deployed URL, get security header and configuration checks.
Strengths: Simple. No signup. Checks production environment.
Weaknesses: No source code analysis. Misses hardcoded secrets, SQL injection, missing auth logic.
Best for: Quick sanity check on deployed sites.
ChakraView (CLI)
Open-source command-line tool. Deep code analysis for developers comfortable with the terminal.
Strengths: Deep analysis. Open source. Runs locally.
Weaknesses: Requires CLI installation. Non-technical vibe coders won't touch a terminal.
Best for: Developers who live in the terminal.
vibecodesecure.com
Early stage. Basic website security scanning. Appears to have just launched, with minimal features.
Best for: Basic checks. Watch this space.
The Real Takeaway
No single scanner catches everything. The vibe coding security problem has three layers:
- Code-level: hardcoded secrets, missing auth checks, SQL injection, RLS misconfiguration
- Config-level: missing security headers, exposed .env files, open CORS
- Runtime: actual exploitability against the deployed app, such as session handling and auth bypass
Most scanners cover one or two layers. The best approach: run a source code scanner AND a live site scanner. They find different things.
If you're building with Cursor, Lovable, Bolt, or Google AI Studio and shipping to real users: scan before you ship. The 5 minutes it takes could save you from being the next "AI-built app leaks user data" headline.
For a full feature-by-feature comparison table, see notelon.ai/tools/vibecheck/compare.
Disclosure: I built VibeCheck (notelon.ai). I included it because leaving it out would be dishonest. I also gave honest credit to competitors where they're stronger. Try multiple tools and decide for yourself.