Inspiration
The rapid ascent of AI-assisted development tools like Lovable, Bolt, and Cursor has lowered the barrier to entry for building software to near zero. However, this "vibe-coding" revolution has introduced a critical oversight: security defaults. We observed a growing trend where developers, moving at unprecedented speeds, inadvertently ship applications with wide-open Supabase instances, hardcoded API keys, and insecure browser headers. We built VibeCheck because we believe speed should not come at the cost of safety. Our goal is to provide a "safety net" that acts as a technical co-founder, catching these dangerous defaults before they become liabilities.
What it does
VibeCheck is a passive, read-only security scanner tailored specifically for the modern AI-coded web. Unlike intrusive security audits that require deep system access, VibeCheck performs a non-destructive analysis of a deployed application’s public-facing surface. It:
- Identifies exposed secrets and sensitive credentials within client-side bundles.
- Maps security posture by analyzing browser headers, CORS policies, and potential infrastructure misconfigurations.
- Provides actionable remediation through a "burn-down list" interface, offering copy-paste fixes that allow developers to resolve issues in seconds.
- Escalates critical risks into an Incident Runbook, guiding users through triage steps, such as assessing blast radius and rotating keys, without causing accidental service outages.
How we built it
VibeCheck is built on a modular, passive-reconnaissance engine. We focused on a strict "read-only" boundary:
- Detection Engine: We implemented a classification layer that routes findings based on the type of vulnerability and the reachability of the surface. We used a routing matrix:
$$\text{State} = f(\text{SecretType}, \text{Location}, \text{RLS_Inference})$$
- UI/UX Layer: We utilized a "Confident Doctor" design philosophy. The UI is split into four distinct states: Clean, Fixable (Amber), Incident (Red), and Incomplete (Gray), ensuring the user always knows the severity without being subjected to alarmist, "horror-trailer" style alerts.
- Remediation Engine: We moved beyond generic advice, injecting specific code snippets for
next.config.js,vercel.json, and CLI commands directly into the output.
Challenges we ran into
The most significant hurdle was maintaining our "passive-recon" boundary while ensuring the tool remained high-signal.
- Avoiding False Positives: We struggled initially with classifying
anonkeys. A senior engineer knows that these are expected to be public, while aservice_rolekey is an emergency. We solved this by implementing a classification precedence logic that requires a deeper self-check for public keys rather than triggering a false "Incident" alert. - The "Outage" Risk: We realized that blindly providing a "rotate key" command could accidentally take down a user's production environment if that key was being used by edge functions. We solved this by forcing the user to run a
grepcheck on their codebase to locate dependencies before the remediation steps.
Accomplishments that we're proud of
- The "Confident Doctor" UX: We successfully moved away from the standard "antivirus scanner" trope. By framing findings as a burn-down checklist rather than a "failed security audit," we've created a tool that engineers actually enjoy using.
- Strict Adherence to Ethics: We proved that we can provide high-value security insights without ever sending a single unauthorized request or exploiting a target, proving that passive analysis is sufficient for 90% of the common "vibe-coding" security gaps.
- Technical Precision: Our routing matrix correctly distinguishes between infrastructure misconfigurations and genuine credential leaks, providing the right level of urgency for every finding.
What we learned
We learned that the biggest threat to AI-generated code isn't a complex, nation-state-level exploit; it is the "dangerous default." We also confirmed that the developer's trust is the most fragile asset. By being honest about what we cannot scan (e.g., private server logs or internal infrastructure), we built far more credibility than a scanner that makes overreaching claims.
What's next for VibeCheck
We are moving toward deep integration with the deployment lifecycle. Our goal is to move VibeCheck from a "check-after-deploy" tool to a "check-during-deploy" safety net.
- CI/CD Integration: Automatically running scans on every push to a Vercel/Netlify environment.
- Expanded Backend Coverage: Adding detectors for Firebase Security Rules, more advanced OpenAPI schema mapping, and deeper analysis of React Server Component (RSC) payloads.
- Collaborative Security: Enabling teams to share "Security Hygiene" reports that show their burn-down progress to stakeholders.
Built With
- github
- html/css
- next.js
- node.js
- novus.ai
- pendo
- react
- supabase
- typescript
- vercel
Log in or sign up for Devpost to join the conversation.