Why speed creates a predictable set of issues
When you build fast, you optimise for the app running. A hardcoded API key runs fine. SQL built with an f-string runs fine. Debug mode, wildcard CORS, a committed .env file — all of it runs fine, which is exactly why none of it gets caught. The feedback loop that drives vibe coding (does it work?) is blind to security, because insecure code usually works perfectly.
AI tools amplify this. They generate the most direct version of what you asked for, and the most direct version of "connect to the database" is a connection string with credentials in it. Unless you explicitly ask for the secure version, you often don't get it — and if you're not a security engineer, you don't know to ask.
The six places vibe-coded apps go wrong
Secrets and credentials is the biggest one: AWS, Anthropic, OpenAI, Stripe, and GitHub keys committed straight into the repo, plus hardcoded passwords, private key blocks, and database connection strings with credentials baked in. Once a key is in git history, deleting the file doesn't remove it. Injection and unsafe code is next: SQL assembled with string formatting, eval and exec, shell commands built from variables, pickle, and yaml.load without a safe loader.
Then come the quieter four: auth and access control (JWT 'none' algorithm, default signing secrets like "changeme", debug mode left on, wildcard CORS), data exposure (committed .env files, cloud service-account JSON, database dumps, missing .gitignore coverage), dependencies and supply chain (no lockfile, "latest" versions, curl-pipe-sh installs), and transport (TLS verification disabled, plain-http API calls). Individually each looks small; together they're the standard profile of an app built at speed.
What to actually do about it
You don't need to become a security engineer — you need a pass that checks the six categories before launch. securevibes does this in one step: paste your public GitHub repo link and it scans the codebase against all six, returning a 0–100 score, a per-category breakdown, and a ranked list of findings with file, line, redacted evidence, why it matters, and how to fix it.
Because the fixes are written as ready-to-paste prompts for Claude Code or any coding agent, the same workflow that created the issues can close them. To be clear about limits: securevibes runs pattern-based static checks — it doesn't execute your code, doesn't use a vulnerability database, and isn't a penetration test. It's the fast first pass that catches the predictable mistakes, which for a vibe-coded app is most of them.
The six categories securevibes checks, and what speed leaves behind in each
| Category | Weight | What vibe coding typically ships |
|---|---|---|
| Secrets & credentials | 30 | Committed API keys, hardcoded passwords, connection strings with credentials |
| Injection & unsafe code | 20 | String-built SQL, eval/exec, shell commands from variables, unsafe yaml.load |
| Auth & access control | 15 | Debug mode on, wildcard CORS, default JWT secrets, insecure cookie flags |
| Data exposure | 15 | Committed .env files, service-account JSON, database dumps, thin .gitignore |
| Dependencies & supply chain | 10 | Missing lockfiles, "latest" versions, curl\|sh installs |
| Transport & TLS | 10 | TLS verification disabled, plain-http API calls |
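The kind of pattern-based pass described above, as an added example rather than securevibes's own code or rules: a small line-by-line scanner run over a constructed sample file, with evidence redacted for secrets and findings ranked by the weights in the table. The regexes, the sample source and the scoring model are assumptions made for illustration.

```python
import re
from collections import namedtuple
# Constructed sample source (not from any real project). Each line plants one
# pattern the post lists; the AKIA value is the placeholder key from AWS's docs.
SAMPLE = """\
import yaml, requests
AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
def get_user(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'")
cfg = yaml.load(open("config.yml"))
resp = requests.get("http://api.example.com/v1", verify=False)
DEBUG = True
CORS_ALLOW_ORIGINS = "*"
"""
# (category, weight from the table above, description, regex). Only categories
# visible inside one source file are modelled; .env and lockfile checks would inspect the repo tree.
RULES = [
    ("Secrets & credentials", 30, "AWS-style access key ID", r"\bAKIA[0-9A-Z]{16}\b"),
    ("Injection & unsafe code", 20, "SQL built with an f-string", r'\bf"\s*(?i:select|insert|update|delete)\b'),
    ("Injection & unsafe code", 20, "yaml.load without a Loader", r"\byaml\.load\((?![^)]*Loader\s*=)"),
    ("Auth & access control", 15, "debug mode switched on", r"^\s*DEBUG\s*=\s*True\b"),
    ("Auth & access control", 15, "wildcard CORS origin", r"\bCORS\w*\s*=\s*[\"']\*[\"']"),
    ("Transport & TLS", 10, "TLS verification disabled", r"\bverify\s*=\s*False\b"),
    ("Transport & TLS", 10, "plain-http API call", r"[\"']http://"),
]

# evidence is redacted for secrets so the report itself never re-leaks the key
Finding = namedtuple("Finding", "category weight line description evidence")

def redact(text: str) -> str:
    return text[:4] + "*" * (len(text) - 4)

def scan(source: str) -> list:
    """Line-by-line pattern scan, returning findings ranked by category weight."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for category, weight, desc, pattern in RULES:
            m = re.search(pattern, line)
            if m:
                ev = m.group(0)
                if category.startswith("Secrets"):
                    ev = redact(ev)
                findings.append(Finding(category, weight, lineno, desc, ev))
    return sorted(findings, key=lambda f: -f.weight)  # stable sort keeps line order

def score(findings) -> int:
    """Assumed scoring model (not securevibes's own): 100 minus the weight of
    every category with at least one finding, so a clean file scores 100."""
    return 100 - sum({f.category: f.weight for f in findings}.values())
```

On the sample, every planted line is reported and the file scores 25; passing `Loader=` to `yaml.load` clears that finding, which is the shape of fix a prompt-based remediation would apply.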
Frequently asked
- Is AI-generated code less secure than human-written code?
- It fails differently. AI tools generate the most direct working version of what you ask for, which often skips the secure variant — and the person prompting usually isn't checking for security. The result is a predictable set of issues rather than a uniquely bad codebase.
- My app works fine — do I really have a problem?
- Possibly. Almost every issue in the six categories is invisible in normal use: a committed key, string-built SQL, or debug mode doesn't break anything until someone exploits it. Working is not the same test as safe.
- Does securevibes find every vulnerability?
- No, and it doesn't claim to. It runs pattern-based static checks against the six categories — it doesn't execute code, doesn't use a vulnerability database, and isn't a pentest. It catches the predictable mistakes, which is most of what vibe-coded apps ship.
- What does it cost to check my repo?
- Every scan costs credits and includes a Claude AI review on top of the rules engine. Free gets 10 credits a month — about 5 scans on Claude Haiku — with the full score, every finding, and every fix and prompt included. Pro is $29/mo (or $9/wk, $228/yr) for 300 credits a month, with scans running on Claude Opus for a deeper read of your code — or fable deep audits on Claude's top model tier, the most comprehensive pass, at 25 credits a scan.
Published June 10, 2026 · Last updated June 11, 2026