I built VibeSafe — a 24-check security scanner for apps made with AI coding tools (Cursor, Lovable, Bolt, v0, Replit).
The idea came from a pattern I kept seeing: AI tools produce code that works, but rarely code that's secure. Hardcoded API keys, disabled Row Level Security, missing CSP headers, exposed .env files. Same issues, different apps.
Before writing a line of scanner code, I manually audited 5 real vibe-coded apps:
- 5/5 had at least one critical vulnerability
- 3/5 had exposed API keys in frontend JavaScript
- 4/5 had Row Level Security completely disabled
- 1/5 had their entire database publicly readable
Every founder was shocked. None of them knew.
The Dogfood Test
So I built the scanner — 24 checks across pre-launch source code and post-launch live URLs.
Then I ran it on my own site. The worst possible outcome:
Zero issues. Clean scan. Trust badge earned.
Not because I'm a security expert. Because I built the scanner to catch exactly what I knew AI tools get wrong — and I fixed each issue before shipping.
What the Scanner Checks (24 total)
Pre-launch (10 checks — source code):
- Exposed secrets, SQL injection, Supabase RLS, Firebase rules
- Hardcoded credentials, unprotected API routes, Stripe webhook verification
- Dependency CVE audit, DB config exposure
Post-launch (14 checks — live URL):
- SSL/TLS, security headers, exposed files, JS bundle secrets
- CORS, rate limiting, data breach check, source map exposure
- Cookie security, robots.txt analysis, subdomain discovery
- Supply chain / SBOM check, trust badge
Why I'm Posting This
I'm running a launch week. Everything is 40% off with code LAUNCH40:
| Product | Regular | Launch Price |
|---|---|---|
| Post-Launch Scan (14 URL checks) | $19 | $11 |
| Pre-Launch Audit (10 repo checks) | $39 | $23 |
| Full Bundle (all 24 checks) | $49 | $29 |
| Continuous Protection (weekly) | $39/mo | $23/mo |
One-time pricing, plain-English reports with exact fixes.
Quick check for your own codebase:
grep -r "eyJ" --include="*.js" --include="*.ts" . finds JWT tokens
grep -r "api_key\|password\|secret" --include="*.js" .finds hardcoded creds
You might be surprised what you find.
United States
NORTH AMERICA
Related News
🚀 I Built a Dropshipping Automation Pipeline — Here's What I Learned (and What I'd Do Differently)
10h ago
How I Cut My LLM API Bill by 40x: A Freelancer's Migration Story
10h ago

Mattress Firm Coupons: Save up to $600
3h ago
Google Ordered to Pay $2 Billion For Anti-Competitive Practices By Swedish Court
20h ago
The Censorship Wall: Why Every AI Companion App Ends Up Filtering You
20h ago