“Vibe coding” — describing what you want and letting an AI tool like Cursor, Replit, or Claude Code write most of the implementation — is genuinely good at producing working software fast. It is not good at producing secure software, because security usually isn’t what you asked for, and the model won’t volunteer it unless prompted.
1. Find the AI-written files first
Not all of your code carries equal risk. The 10–60% of a typical vibe coded app that came from an AI tool is where systematic issues concentrate — the rest of the codebase, if you wrote it or reviewed it carefully, is usually fine. Start by identifying which files were AI-generated or AI-modified and treat those as your audit priority.
Wondering if your code has any of this? Scan a public repo free, no account needed.
Scan a repo →2. Scan for the patterns AI tools repeat
These aren’t one-off bugs — they’re patterns that show up across unrelated codebases because the models that generate them make the same tradeoffs every time:
- Hardcoded credentials and API keys left in source
- SQL/NoSQL injection from string-concatenated queries
- Missing authentication checks on generated CRUD routes
- Fallback secrets in environment variable lookups (
SECRET || 'default') - Broken Object Level Authorization (BOLA) — auth checks that don’t check ownership
- Timing-unsafe string comparisons in webhook signature checks
3. Fix in order of blast radius
A hardcoded production credential or a public JWT fallback secret can compromise every user account. A missing auth check on a low-traffic internal route is real but lower priority. Triage by what an attacker could actually reach and what they could do once they got there.
4. Make it part of every push, not a one-time pass
A single audit gets stale the moment you ship the next AI-generated feature. Wire a scanner into your CI pipeline so every pull request gets checked automatically — catching the next hardcoded secret before it merges is far cheaper than finding it after it’s in production.
See Prbl for vibe coders and solo founders for a workflow that fits without a security team.