Free security scanner for apps built with Lovable, Bolt, Cursor, and AI coding tools
We scanned 7 random Lovable-built projects from GitHub. 60% failed.
Source: 7 randomly selected public Lovable repos on GitHub, scanned March 2026
LiteLLM v1.82.8 on PyPI was backdoored via a compromised Trivy CI/CD pipeline. The malware harvested SSH keys, cloud credentials, and crypto wallets from 97M+ monthly downloads. Vibe-coded apps using MCP plugins pulled it as a transitive dependency.
VibeCheck scans for the patterns that made this attack possible: exposed credentials, missing security reviews, and unvetted dependencies.
VibeCheck is a free security scanner built for vibe-coded apps. If you built your app with Lovable, Bolt, Cursor, Replit, or Google AI Studio, VibeCheck scans your GitHub repo for the security vulnerabilities that AI code generators commonly introduce.
The data is alarming. Escape.tech scanned 5,600 vibe-coded apps and found over 2,000 vulnerabilities and 400 exposed secrets. Tenzai tested 15 apps built with 5 AI coding tools and found 69 vulnerabilities including critical SSRF and injection flaws. CodeRabbit found AI co-written code introduces 2.74x more XSS vulnerabilities than human-only code. Kaspersky says 45% of AI-generated code contains vulnerabilities. 10.3% of Lovable apps had critical Row Level Security flaws. VibeCheck catches these issues before your users do.
VibeCheck offers both source code scanning and live site scanning in one tool. Most security scanners only do one or the other. We do both.
Source Code Scanner analyzes your GitHub repository for hardcoded secrets, exposed credentials, misconfigurations, and vulnerable patterns in your code. It catches issues before they reach production.
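To make the source-code side concrete, here is a small secret-detection pass of the kind described above. It is an added example and not VibeCheck's own code; the rules (a secret-looking variable name assigned a quoted literal, two well-known credential formats, a placeholder list, and a Shannon-entropy check to separate random keys from dummy values) are assumed for illustration, and the source snippet it scans is constructed, including a fake service-role JWT and the AWS documentation example key.

```python
import math
import re
from collections import Counter

# Illustrative rules only; assumed for this example, not VibeCheck's rule set.
# 1. A variable whose name suggests a secret, assigned a quoted literal value.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:secret|token|password|api_?key|service_?role)\w*)"
    r"\s*[:=]\s*['\"]([A-Za-z0-9_\-./+=]{8,})['\"]"
)
# 2. Known credential formats: AWS access key IDs (AKIA + 16 chars) and
#    JWTs (three base64url segments; Supabase keys are JWTs).
KNOWN_FORMATS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
}
# Values that are placeholders rather than live secrets (reported as info only).
PLACEHOLDER_MARKERS = ("changeme", "your-", "your_", "placeholder", "xxx", "todo")
# Lines that read the secret from the environment are the pattern we want to see.
ENV_READ_MARKERS = ("process.env.", "import.meta.env.", "os.environ", "os.getenv(")


def shannon_entropy(s):
    """Bits per character. Random keys score high; words like 'changeme' score low."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value):
    """Never echo a full secret back in a report: keep a 4-char prefix and the length."""
    return value[:4] + "…" + f"({len(value)} chars)"


def scan_source(text, path="<constructed>"):
    """Return one finding dict per suspicious line of `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if any(marker in line for marker in ENV_READ_MARKERS):
            continue  # reading from the environment is the safe pattern
        matched_format = False
        for kind, pattern in KNOWN_FORMATS.items():
            for m in pattern.finditer(line):
                findings.append({"path": path, "line": lineno, "kind": kind,
                                 "severity": "high", "value": redact(m.group(0))})
                matched_format = True
        if matched_format:
            continue  # don't double-report the same literal under the generic rule
        m = SECRET_ASSIGNMENT.search(line)
        if m:
            name, value = m.group(1), m.group(2)
            if any(p in value.lower() for p in PLACEHOLDER_MARKERS):
                severity = "info"
            elif shannon_entropy(value) >= 3.5:
                severity = "high"
            else:
                severity = "medium"
            findings.append({"path": path, "line": lineno, "kind": f"hardcoded {name}",
                             "severity": severity,
                             "entropy": round(shannon_entropy(value), 2),
                             "value": redact(value)})
    return findings


# Constructed sample: the JWT decodes to {"role":"service_role"} with a fake signature,
# and the AKIA value is the AWS documentation example key, not a real credential.
SAMPLE_SOURCE = """\
import { createClient } from "@supabase/supabase-js";
const supabase = createClient(process.env.SUPABASE_URL, process.env.SUPABASE_ANON_KEY);
const SUPABASE_SERVICE_ROLE_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIn0.c29tZS1jb25zdHJ1Y3RlZC1zaWduYXR1cmU";
const aws_access_key_id = "AKIAIOSFODNN7EXAMPLE";
const DB_PASSWORD = "changeme";
const PAYMENTS_API_KEY = "q8Zr2xLm9vKp4tWn7cBh3yFd";
// TODO: rotate credentials before launch
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE, "src/lib/supabase.ts"):
        print(f"{f['path']}:{f['line']} [{f['severity']}] {f['kind']} -> {f['value']}")
```

Running it reports the service-role JWT and the AKIA key as high, the `changeme` password as info (a placeholder), and the 24-character API key as high on entropy alone; the line that reads keys from `process.env` is skipped because that is the pattern the fix recommends.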
Live Site Scanner checks your deployed application for security headers, exposed sensitive files, CORS misconfigurations, cookie security, and technology fingerprints. It finds issues in your production environment that source code analysis might miss.
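The live-site checks listed above can be demonstrated on a captured HTTP response without touching any server. The following is an added example, not VibeCheck's scanner: it parses a constructed raw response, flags missing security headers, cookies without `Secure`/`HttpOnly`/`SameSite`, a CORS wildcard combined with credentials, and technology-disclosing headers, then turns the findings into a letter grade. The header set, severities and scoring thresholds are assumptions chosen for the example; a hardened response is included alongside the weak one so the two can be compared.

```python
from dataclasses import dataclass

# Assumed scoring: penalty per finding, and letter grade from the remaining score.
SEVERITY_PENALTY = {"high": 25, "medium": 10, "low": 5, "info": 0}


@dataclass
class Finding:
    id: str
    severity: str
    detail: str


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, [(name, value), ...]).
    Names are lower-cased; repeated headers such as Set-Cookie keep their order."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def header(headers, name):
    return next((v for n, v in headers if n == name), None)


def check_response(raw):
    """Return the list of findings for one response."""
    _status, headers = parse_response(raw)
    findings = []

    if header(headers, "strict-transport-security") is None:
        findings.append(Finding("hsts-missing", "medium",
                                "no Strict-Transport-Security; browsers may still use plain HTTP"))
    csp = header(headers, "content-security-policy")
    if csp is None:
        findings.append(Finding("csp-missing", "medium",
                                "no Content-Security-Policy; injected script runs unrestricted"))
    if header(headers, "x-frame-options") is None and not (csp and "frame-ancestors" in csp):
        findings.append(Finding("framing-unprotected", "medium",
                                "no X-Frame-Options or CSP frame-ancestors; page can be framed"))
    if (header(headers, "x-content-type-options") or "").lower() != "nosniff":
        findings.append(Finding("nosniff-missing", "low", "X-Content-Type-Options: nosniff not set"))
    if header(headers, "referrer-policy") is None:
        findings.append(Finding("referrer-policy-missing", "low", "full URLs may leak to third parties"))

    # Cookie attributes: one finding per cookie that lacks any of the three flags.
    for n, v in headers:
        if n != "set-cookie":
            continue
        cookie_name = v.split("=", 1)[0]
        attrs = {a.strip().split("=")[0].lower() for a in v.split(";")[1:]}
        lacking = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if lacking:
            sev = "high" if ("secure" in lacking or "httponly" in lacking) else "medium"
            findings.append(Finding("cookie-insecure", sev,
                                    f"cookie {cookie_name!r} lacks {', '.join(lacking)}"))

    # CORS: a wildcard origin is bad on its own and worse with credentials allowed.
    acao = header(headers, "access-control-allow-origin")
    acac = (header(headers, "access-control-allow-credentials") or "").lower()
    if acao == "*" and acac == "true":
        findings.append(Finding("cors-wildcard-with-credentials", "high",
                                "Access-Control-Allow-Origin: * together with credentials"))
    elif acao == "*":
        findings.append(Finding("cors-wildcard", "low", "Access-Control-Allow-Origin: * on a response"))

    # Technology fingerprints: not a vulnerability, but worth knowing what you disclose.
    for n in ("server", "x-powered-by"):
        v = header(headers, n)
        if v:
            findings.append(Finding("tech-disclosure", "info", f"{n} header reveals {v!r}"))
    return findings


def grade(findings):
    """Return (score, letter) from the findings; thresholds are an assumption."""
    score = max(0, 100 - sum(SEVERITY_PENALTY[f.severity] for f in findings))
    letter = "A" if score >= 90 else "B" if score >= 80 else "C" if score >= 70 else "D" if score >= 60 else "F"
    return score, letter


# Constructed responses: a typical freshly deployed app and a hardened one.
WEAK_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=utf-8",
    "Server: nginx/1.25.3",
    "X-Powered-By: Express",
    "Set-Cookie: session=abc123; Path=/",
    "Set-Cookie: csrf=xyz789; Path=/; Secure; HttpOnly; SameSite=Strict",
    "Access-Control-Allow-Origin: *",
    "Access-Control-Allow-Credentials: true",
    "X-Content-Type-Options: nosniff",
]) + "\r\n\r\n<html><body>hi</body></html>"

HARDENED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=utf-8",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options: DENY",
    "X-Content-Type-Options: nosniff",
    "Referrer-Policy: strict-origin-when-cross-origin",
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Access-Control-Allow-Origin: https://app.example",
]) + "\r\n\r\n<html><body>hi</body></html>"

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        found = check_response(raw)
        print(label, grade(found))
        for f in found:
            print(f"  [{f.severity}] {f.id}: {f.detail}")
```

The weak response collects eight findings and fails; the hardened one produces none. Note that the `csrf` cookie is not reported because it already carries all three attributes, and `nosniff` is not reported on either response because both set it correctly.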
Vibe coding tools like Lovable, Bolt, Cursor, and Google AI Studio make it possible to build full-stack apps in minutes. But speed creates blind spots. AI models optimize for working code, not secure code. They skip authentication checks, expose database credentials, misconfigure Supabase RLS policies, and leave API routes wide open.
With Google AI Studio now offering full-stack vibe coding with Firebase integration, and Lovable creating 200,000 new projects daily, the attack surface is growing fast. VibeCheck is free, requires no signup, and gives you a security grade in seconds.
Read our complete vibe coding security guide for a step-by-step walkthrough of how to secure your app. It includes a printable checklist, platform-specific tips for Lovable, Bolt, Cursor, Firebase, and Supabase, and answers to common questions. You can also compare all vibe coding security scanners to find the right tool for your needs.
If your scan found vulnerabilities, The Vibe Coding Security Playbook ($19) gives you copy-paste fixes for every common vulnerability. It includes 25+ AI fix prompts for Cursor, Lovable, and Claude, platform-specific hardening guides for Supabase, Firebase, Vercel, and Netlify, a 50-item security checklist, and an incident response template. Built specifically for solo founders who vibe-coded their app and want to ship securely.
Yes. For source code scanning, VibeCheck only reads your repository data using the GitHub API. For live site scanning, we only make standard HTTP requests that any browser would make. We do not store your code, URLs, or scan results. Results are returned directly to your browser.
Most security scanners are built for enterprise teams: expensive, complex, and requiring installation. VibeCheck is built for solo founders and indie hackers who vibe-coded their app and want a quick security sanity check. Paste your GitHub URL or live site URL and get a grade. No CLI, no signup, no credit card. Each finding includes a plain-English explanation and a copy-paste prompt you can give to your AI coding tool to fix the issue.