Security scanner for AI-built apps

Did you
vibe check it?

Vibe coding gets your product to launch fast. Vibe Check makes sure you launch safe. Three model layers review every line. Two of three must agree before a finding ships. Plain English findings mapped to OWASP and CWE. First scan free.

Public repos only  ·  Create a free account to run your first scan  ·  No retained code copy
Public repo scan  ·  No setup  ·  GitHub URL
Plain-English findings  ·  Actionable  ·  Fix next
OWASP mapping  ·  Security  ·  CWE refs
Re-scan after fixes  ·  Verify  ·  Track change
Badge-ready reports  ·  Shareable  ·  Score 90+
01
30 sec

Paste your repo URL

Drop any public GitHub URL. We pull the code and queue the analysis instantly. No account needed to try.

02
~60 sec

Multiple review layers analyze your code

Five layers look for different risk classes: secrets, authentication, injection, async timing, dependency chains, and more. Mapped to OWASP Top 10.

03
Instant

Plain-English findings with next steps

Every finding is written for founders, not security professionals. What it is, why it matters, what to fix. No jargon.

Security Scanner

Scan a
public repo.

Paste any public GitHub repository URL below. Results are ready in about 60 seconds.

Public repos only  ·  Results emailed if you're signed in

Private repo?

Vibe Check scans public GitHub repos only. See options for private repos or learn how to export to a public repo for scanning.

What gets checked

Hardcoded secrets and API keys
Authentication and session vulnerabilities
SQL and command injection risks
Insecure dependencies
Configuration and environment exposure
AI-generated code patterns
OWASP Top 10 (2021) mapping

Solo customers scan unlimited repos with priority queue and auto-updating badges. See pricing

Scan report

github.com/acme/launch-app

Scanned May 13, 2026 at 11:42 AM  ·  247 files analyzed  ·  Commit a8f3c92

Critical  ·  VC-0042

SQL Injection via Unsanitized Input

Your search route builds a database query by pasting user input directly into the SQL string. Anyone who knows this can extract your entire user table in seconds, including passwords and payment data.

OWASP A03:2021  ·  CWE-89  ·  routes/search.py:84

How to fix this

Replace string concatenation with parameterized queries or ORM bound params.
Add input validation to reject SQL metacharacters before they reach the database layer.
Ask your AI coding tool: "rewrite the search query using parameterized statements" then re-scan.
High  ·  VC-0043

Hardcoded API Key in Source

A live API key was found committed to your repository. Anyone with access to this repo can use it. If the repo ever becomes public this key is immediately exposed.

OWASP A02:2021  ·  CWE-798  ·  config/settings.py:12

How to fix this

Rotate the key immediately in your provider dashboard.
Move secrets to environment variables and add the key name to .gitignore.
Vibe Score: 34

Needs significant work before this is safe to ship

Critical: 2  ·  High: 4  ·  Medium: 6  ·  Low: 3

Badge status: vibe-checked 34

Score 90+ to earn a passing badge. Fix critical issues and re-scan.

Get unlimited scans
Track your progress with every fix. Re-scan as many times as you need.
Upgrade to Solo

Simple pricing.
Pay for what you use.

Free
$0
No account required
One complete public repo scan
Plain-English findings report
Shareable report link
OWASP Top 10 mapping
Scan a repo
Single Scan
$5
One-time, no subscription
One full scan of any public repo
Full findings report
Export as .txt
No subscription required
Buy one scan
Team
$99
per month
Everything in Solo
Multiple users
Team scan dashboard
Shared report library
Join waitlist

Multi-user features in development

Badge threshold

Score 90 or above earns a live Vibe Check badge for your README. Badges update automatically with each scan.

vibe-checked 94

Everything in Solo.
What each feature does.

Unlimited scans

Re-scan any repo as many times as you need. Fix something, re-scan, track your score improving. No per-scan limits.

Auto-updating badge

Your README badge reflects your current score. Every time you re-scan, the badge updates. Score 90+ earns the passing badge.

Code quality review

Beyond security, get a quality review of structure, readability, and maintainability of your AI-generated code.

AI Advisor

After your scan, discuss the findings with an AI advisor that understands your specific codebase and can walk through fixes with you.

Executive PDF export

Export a clean, formatted PDF of your security report to share with investors, clients, or your attorney.

Priority queue

Your scans jump the queue. No waiting behind free-tier requests. Results arrive faster during peak usage.

Upgrade to Solo, $49/month

Cancel any time. No contracts.

From URL to findings
in about 60 seconds.

01
You

Paste your repo URL

Any public GitHub repo URL works. You do not need to install anything, configure anything, or give us repository access.

02
~60 sec

Five layers analyze your code

Your code moves through five distinct review layers. Each layer is designed to catch different types of risk that other layers might miss.

03
You

Read findings, fix, repeat

Get plain-English findings with exact file locations and fix instructions. Fix, re-scan, watch your score climb.

Deterministic scoring

The same commit SHA always produces the same score. Vibe Check uses SHA-pinned caching so your score is stable and reproducible. If you make no code changes, your score does not change.

Try it on your repo

Five layers.
Each catches what others miss.

1

Deterministic Prescan

Pattern-based analysis that runs before any AI layer. Checks 13 secret regex patterns for cloud, payment, repository, and AI compute keys, .env file exposure, .gitignore audit, Dockerfile and GitHub Actions config analysis. Mathematically proven to produce the same output for the same input.

Zero API cost
2

AI Semantic Analysis

AI reads your code as a senior security engineer would, understanding intent, context, and data flow rather than just matching patterns. Catches authentication flaws, authorization gaps, business logic vulnerabilities that regex cannot detect.

AI layer
3

Taint Analysis

Tracks untrusted data (user input, external API responses, file reads) as it flows through your codebase. Flags anywhere untrusted data reaches a sensitive sink without proper sanitization. Catches injection vulnerabilities that layer 2 might miss in complex flows.

AI layer
4

Dependency Audit

Reviews your package dependencies for known vulnerabilities, outdated versions, and supply chain risk. Checks against public vulnerability databases and flags high-risk packages.

AI layer
5

Verification and Consensus

Findings from earlier layers are reviewed before they are surfaced to you: each one is checked for evidence, severity, and usefulness before it reaches the report. This reduces false positives, so every finding you see has been confirmed.

Verification layer

OWASP coverage

Findings are mapped to the OWASP Top 10 (2021) where applicable. Every finding includes a CWE reference and a plain-English explanation of why it matters.

Security basics for
vibe-coded apps.

Before you ship

Never commit secrets: Use environment variables for API keys, database URLs, and tokens. Add .env to .gitignore.
Validate all input: Treat everything from users, external APIs, and file reads as untrusted until explicitly validated.
Use parameterized queries: Never build SQL or other queries by concatenating user input strings.
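The pattern behind finding VC-0042 in the sample report and the "Use parameterized queries" rule above, as an added example that is not Vibe Check's own code. It runs against an in-memory SQLite table with constructed rows and shows the same crafted input against the concatenated query and the parameterized one.

```python
import sqlite3


def make_db():
    """In-memory SQLite table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.com"),
        (2, "bob", "bob@example.com"),
        (3, "carol", "carol@example.com"),
    ])
    return db


def search_vulnerable(db, term):
    # The anti-pattern from VC-0042: user input is pasted into the SQL text,
    # so quote characters in `term` change the structure of the query.
    sql = "SELECT name FROM users WHERE name = '" + term + "'"
    return sorted(row[0] for row in db.execute(sql))


def search_safe(db, term):
    # The fix: a bound parameter. The value travels separately from the SQL,
    # so whatever the user typed is compared as data and never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in db.execute(sql, (term,)))


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input; turns the WHERE clause into a tautology
    print(search_vulnerable(db, crafted))  # ['alice', 'bob', 'carol']: every row comes back
    print(search_safe(db, crafted))        # []: nobody is literally named x' OR '1'='1
```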

After you scan

Fix critical first: Critical findings are the issues most likely to cause real harm. Fix them before anything else.
Re-scan after fixing: Use your re-scan to verify the fix worked. Some fixes introduce new patterns.
Scan before major releases: Build scanning into your pre-launch checklist alongside testing.
Scan your repo

Built on
transparency.

Methodology

We publish how it works

Our full scanning methodology, five-layer architecture, risk families, and evidence requirements are documented publicly at /methodology. No black boxes.

Limitations

Not a replacement for auditors

Vibe Check helps founders find security issues before launch. The hard problems that require human judgment still belong with human security professionals. We say this clearly and mean it.

Data

We do not store your code

We scan your public repository and return findings. We do not retain a full source copy after scanning. Account history stores scan results and structured findings.

Build

Built by a solo founder with AI

Former fitness industry operator. I directed the build of Vibe Check through an AI-agent workflow and approved the product decisions. We scanned ourselves with Vibe Check before shipping.

Scoring

Deterministic and reproducible

The same commit SHA always returns the same score. Your score cannot drift without a code change. See methodology for the SHA-pinned caching details.

Feedback

We want to hear from you

Found a false positive? Disagree with a finding? Use the feedback link on any report. We review all feedback and it improves the scanner.

Why we built
Vibe Check.

I am a non-technical founder. I built Vibe Check using AI agents and governed every decision myself. That means I know exactly what vibe coding feels like from the inside: fast, useful, and easy to misunderstand if no one checks the work.

I built the scanner I needed. The one that talks to founders the way I wanted to be talked to. No jargon. No vague alarm. No report that hides the fix. Plain English. What is wrong. Why it matters. What to do about it.

Before Vibe Check, I spent thirteen years operating businesses outside software. I did not learn to code. I learned to direct the work, set the standard, and build a system that checks what the agents ship.

"I do not want this generation of builders to be the one that broke the coding profession. We should leave this industry better than we found it. Vibe Check is my answer to that. Check it before you ship it."

Elise Vance, Founder

Built for founders,
not enterprise.

Vibe Check

Plain-English findings for non-technical founders
Scans in ~60 seconds, results instantly readable
No installation, no CI/CD integration required
Free to try, $49/month for unlimited
AI-generated pattern detection
Specific to vibe-coded / AI-generated apps

Enterprise security tools / traditional scanners

Written for security engineers, not founders
Complex setup, CI/CD integration required
Enterprise pricing, often $500-5000+/month
Not optimized for AI-generated code patterns
Reports require security expertise to interpret

Vibe Check is not a replacement for professional security audits on production systems handling sensitive data. If you need compliance certification or a penetration test, hire a security firm. We help you get to a safe starting point before that conversation.

152 repos scanned.
Here's what we found.

152
Repos scanned

Public GitHub repos, all languages

71
Average score

Out of 100. Most repos need work.

2,184
Findings surfaced

Across all scanned repos, cross-validated

3
Perfect scores

Repos that scored 100 out of 100

Score distribution across all 152 repos

At risk (score under 70): 26 repos, 17%
Needs work (score 70 to 89): 79 repos, 52%
Clean (score 90 or above): 47 repos, 31%

69% of scanned repos had at least one finding that should be fixed before users depend on the code.

AI-generated code patterns detected
89%
of scanned repos contained code patterns consistent with AI generation. Vibe Check was built specifically to catch what AI code gets wrong.
Most common critical severity
Auth fails open
Found in 41% of at-risk repos. Authentication middleware that allows requests through on any error. The most dangerous single pattern in AI-built code.
Top vulnerability categories found across all scanned repos
Auth and session handling
68%
Input validation / injection
54%
Data exposure
41%
Async race conditions
33%
Dependency vulnerabilities
28%
SSRF and request forgery
19%

Percentages show how many scanned repos had at least one finding in that category. Auth issues top the list because AI agents consistently produce auth middleware that fails open on exceptions rather than failing closed.
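The "auth fails open" pattern described above, beside a fail-closed version, as an added example that is not Vibe Check's code. The token store, the `lookup_user` verification stub and the dict-shaped request are constructed for illustration.

```python
import logging

# Constructed token store; a real app would verify a signed session or JWT.
VALID_TOKENS = {"tok-alice": "alice"}


def lookup_user(token):
    # Stand-in for a verification step that can raise (bad encoding, database
    # timeout, rotated signing key, ...). Here any non-string token raises.
    if not isinstance(token, str):
        raise TypeError("token must be a string")
    return VALID_TOKENS.get(token)


def auth_fails_open(request):
    # The anti-pattern: the except branch lets the request through, so any
    # error inside verification becomes an authentication bypass.
    try:
        user = lookup_user(request.get("token"))
        if user is None:
            return 401, None
        return 200, user
    except Exception as exc:
        logging.warning("auth error, continuing anyway: %s", exc)
        return 200, "anonymous"


def auth_fails_closed(request):
    # The fix: any failure to verify means "not authenticated". The error is
    # logged for the operator but never converted into access.
    try:
        user = lookup_user(request.get("token"))
    except Exception as exc:
        logging.error("auth verification failed: %s", exc)
        return 401, None
    if user is None:
        return 401, None
    return 200, user


if __name__ == "__main__":
    good = {"token": "tok-alice"}
    broken = {}  # missing token header: lookup_user raises on None
    print(auth_fails_open(good), auth_fails_open(broken))      # (200, 'alice') (200, 'anonymous')
    print(auth_fails_closed(good), auth_fails_closed(broken))  # (200, 'alice') (401, None)
```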

Does yours have these?

Stats update with every completed scan. See the full trophy wall for individual repo scores.

Last updated: May 13, 2026

Who passed
the vibe check.

159
Repos scanned
35
Badge qualified repos
71
Average score
2,184
Findings surfaced
See all scores
Perfect score
100
securefoundry/auth-kit
0 findings  ·  May 10, 2026
94
buildwithme/saas-starter
2 medium  ·  May 11, 2026

Score 90 or above earns a Vibe Check badge. We only publish repos that have passed. Out of respect for repo owners, we never name repos with open findings on public surfaces.

This repo is
Vibe Checked.

The Vibe Check badge shows visitors that this repository met the current Vibe Check badge threshold on its latest completed scan. This is an automated scan result, not a professional security certification or audit. The score updates every time the repo is re-scanned by a verified Solo customer.

Add to your README

[![Vibe Check](https://didyouvibecheck.com/badge/username/repo.svg)](https://didyouvibecheck.com/repo/username/repo)
Scan your repo and earn a badge

Badge states

vibe-checked 94
Score 90+: passing
vibe-checked 72
Score 70-89: needs work
vibe-checked 34
Score below 70: critical issues

Badges require a Solo subscription and at least one completed scan.

Sign in

Continue with GitHub to access your scans, history, and badge.

Continue with GitHub

or

No account yet? Create one free

With your account

Scan history: All your scans in one place, with score history over time
Re-scan tracking: Track your score improving with every fix you make
Badge management: Manage and embed your Vibe Check badges (Solo plan)

Create your account

Free account. No credit card required to get started.

Sign up with GitHub
What you get for free
One complete repo scan
Full findings report with OWASP mapping
Shareable report link
Export as .txt

Upgrade to Solo at any time for unlimited scans, badges, and the AI Advisor. $49/month.

Need help
getting started?

Export to GitHub

If you built your app with Lovable, Bolt, Cursor, or another AI coding tool and want to scan it with Vibe Check, you first need to get your code into a public GitHub repository. Here is how.

1
Export your project from your AI coding tool: In Lovable, click the GitHub icon and connect your GitHub account. In Bolt, use the "Export" button in the top toolbar. In Cursor, your project is already local on your machine. Create a GitHub repository, then push the project to it.
2
Push to a new GitHub repository: Create a new repository on github.com. If you are using Lovable or Bolt, follow their export flow. If you are using a local project, initialize git and push.
3
Make the repository public: In your GitHub repo settings, scroll to the Danger Zone section and click "Change visibility." Select "Public." Vibe Check can only scan public repositories.
4
Copy the repository URL and scan: The URL format is: github.com/yourusername/your-repo-name. Paste it into the Vibe Check scanner.

Sensitive data warning: Before making a repo public, ensure there are no hardcoded secrets, API keys, or sensitive credentials in the code. Vibe Check will flag these but they will already be visible to anyone who sees the repo.

Make a repo public

Vibe Check scans public GitHub repositories. Before changing visibility, remove secrets, API keys, tokens, private customer data, and anything you would not want visible on the internet.

1
Open repository settings: Go to your GitHub repository, then choose Settings.
2
Find Danger Zone: Scroll to the visibility controls near the bottom of the settings page.
3
Change visibility: Choose Public, confirm the repository name, then copy the repository URL back into Vibe Check.

Private repos

Private repository scanning requires authenticated access. Until that flow is available, use a temporary public test repository with sensitive data removed, or export a clean copy made only for scanning.

Best practice: never make your main private repository public just to scan it. Create a separate clean copy, confirm secrets are removed, then scan that copy.
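A small pre-publish check of the kind the Export and Private repos sections ask for, and of the regex-plus-.gitignore style the Deterministic Prescan layer describes, as an added example that is not Vibe Check's code. The three patterns are illustrative assumptions, not the scanner's own 13, and the repo contents are constructed.

```python
import re

# Assumed patterns for illustration only; the product's own 13 are not shown on this page.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "github_token": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"][^'\"]{12,}['\"]"),
}


def find_secrets(files):
    """files: {path: text}. Returns (path, line_no, pattern_name) for each hit."""
    hits = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            for name, pat in SECRET_PATTERNS.items():
                if pat.search(line):
                    hits.append((path, no, name))
    return hits


def env_files_unignored(files):
    """Paths ending in .env that exist in the tree but are not listed in .gitignore."""
    ignore = set(files.get(".gitignore", "").split())
    env_ignored = ".env" in ignore or "*.env" in ignore
    return [p for p in files if p.endswith(".env") and not env_ignored]


def ready_to_publish(files):
    return not find_secrets(files) and not env_files_unignored(files)


SAMPLE_REPO = {  # constructed; AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key
    ".gitignore": "node_modules/\n__pycache__/\n",
    ".env": ("DATABASE_URL=postgres://app:pw@localhost/app\n"
             "GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"),
    "config/settings.py": ('API_KEY = "sk-constructed-sample-value-123456"\n'
                           "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n"),
    "routes/search.py": "def search(q):\n    return q\n",
}

if __name__ == "__main__":
    for hit in find_secrets(SAMPLE_REPO):
        print("secret-like value:", hit)
    print("unignored env files:", env_files_unignored(SAMPLE_REPO))
    print("ready to publish:", ready_to_publish(SAMPLE_REPO))  # False
```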

Feedback

Report a false positive, request a feature, or tell us where a finding needs clearer language.

Email feedback

Terms

The production site should link to final legal terms. This single-file version keeps the quick access point in the page.

Privacy

Vibe Check scans public repositories, returns findings, and does not retain a copy of your codebase.