I Built a Free Security Scanner for Vibe-Coded Apps. Here's What It Catches.

via Dev.to Webdev, by Keuntae Park

You've probably seen the posts: "I scanned 100 vibe-coded apps and found 318 vulnerabilities," Lovable exposing 18,000 users' data, Supabase keys sitting in frontend bundles. AI writes code that works. It doesn't write code that's safe.

I was building apps with Cursor and Claude, and I kept wondering: am I shipping SQL injection without knowing it? So I built a scanner. Then I open-sourced it as a GitHub Action.

What is VibeSafe?

A free, open-source GitHub Action that scans every PR for:

- SAST: SQL injection, XSS, command injection, path traversal (OWASP Top 10)
- Hardcoded secrets: API keys, tokens, passwords, JWT secrets
- Dependency vulnerabilities: known CVEs in pip/npm packages
- Vibe-coding-specific patterns: CORS wildcards, Flask debug mode, JWT without expiry, Express without Helmet

It posts a PR comment with the exact file, line number, code snippet, and how to fix it.

30-Second Setup

One YAML file in your repo:

    name: VibeSafe Security Scan
    on:
      pull_request:
        types: [opened
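To make the "vibe-coding-specific patterns" concrete, here is an added example of how a line-oriented scanner can flag four of them (CORS wildcard, Flask debug mode, JWT without expiry, Express without Helmet) plus a hardcoded secret, and render the result the way a PR comment would (file, line, snippet, fix). This is not VibeSafe's code: its rule set and output format are not shown on this page, so the rule ids, regexes, fix text and the vulnerable/hardened snippets below are my own constructed assumptions.

```python
import re
from dataclasses import dataclass

# Added example, not VibeSafe's code. Rule ids, patterns and fix text are
# hypothetical; the constructed snippets at the bottom stand in for PR files.


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    snippet: str
    fix: str


# Single-line rules: (rule id, pattern, suggested fix).
LINE_RULES = [
    ("flask-debug",
     re.compile(r"\.run\([^)]*\bdebug\s*=\s*True"),
     "Never ship debug=True: the Werkzeug debugger allows remote code execution."),
    ("cors-wildcard",
     re.compile(r"""(origins?\s*[=:]|Access-Control-Allow-Origin['"]?\s*[,:])\s*['"]\*['"]"""),
     "Allow-list the exact origins instead of '*'."),
    ("hardcoded-secret",
     re.compile(r"""(?i)(api[_-]?key|secret|passw(or)?d|token)\s*[:=]\s*['"][^'"]{8,}['"]"""),
     "Move the value to an environment variable or a secrets manager, then rotate it."),
]

# jwt.encode(...) whose inline payload dict never sets an "exp" claim.
# Heuristic: only inline dict literals are inspected; a payload built
# elsewhere is not checked (a real scanner would walk the AST instead).
JWT_ENCODE = re.compile(r"jwt\.encode\(\s*(\{[^}]*\})")
EXP_CLAIM = re.compile(r"""['"]exp['"]\s*:""")

# File-level rule: an Express app that never mounts helmet().
EXPRESS_APP = re.compile(r"\bexpress\(\)")
HELMET_USE = re.compile(r"\bhelmet\(")


def scan(source: str) -> list[Finding]:
    """Return findings for one file's contents, ordered by line number."""
    findings: list[Finding] = []
    lines = source.splitlines()
    for lineno, line in enumerate(lines, start=1):
        for rule, pattern, fix in LINE_RULES:
            if pattern.search(line):
                findings.append(Finding(rule, lineno, line.strip(), fix))
        m = JWT_ENCODE.search(line)
        if m and not EXP_CLAIM.search(m.group(1)):
            findings.append(Finding("jwt-no-expiry", lineno, line.strip(),
                                    "Add an 'exp' claim so a stolen token stops working."))
    if EXPRESS_APP.search(source) and not HELMET_USE.search(source):
        lineno = next(i for i, text in enumerate(lines, start=1) if EXPRESS_APP.search(text))
        findings.append(Finding("express-no-helmet", lineno, lines[lineno - 1].strip(),
                                "app.use(helmet()) sets the baseline security headers."))
    return sorted(findings, key=lambda f: f.line)


def pr_comment(path: str, findings: list[Finding]) -> str:
    """Render findings as a PR comment would: file, line, snippet, fix."""
    return "\n".join(f"{path}:{f.line} [{f.rule}] `{f.snippet}` -> {f.fix}" for f in findings)


# Constructed sample inputs (not real project code).
VULNERABLE_FLASK = """\
from flask import Flask
from flask_cors import CORS
import jwt
app = Flask(__name__)
CORS(app, origins="*")
JWT_SECRET = "sk_live_0123456789abcdef"
def issue_token(user_id):
    return jwt.encode({"sub": user_id}, JWT_SECRET, algorithm="HS256")
app.run(debug=True)
"""

HARDENED_FLASK = """\
import os, time
from flask import Flask
from flask_cors import CORS
import jwt
app = Flask(__name__)
CORS(app, origins=["https://app.example.com"])
JWT_SECRET = os.environ["JWT_SECRET"]
def issue_token(user_id):
    return jwt.encode({"sub": user_id, "exp": int(time.time()) + 900}, JWT_SECRET, algorithm="HS256")
app.run(debug=False)
"""

VULNERABLE_EXPRESS = """\
const express = require("express");
const app = express();
app.use((req, res, next) => {
  res.setHeader("Access-Control-Allow-Origin", "*");
  next();
});
app.listen(3000);
"""

if __name__ == "__main__":
    for path, src in [("app.py", VULNERABLE_FLASK), ("app_fixed.py", HARDENED_FLASK),
                      ("server.js", VULNERABLE_EXPRESS)]:
        print(pr_comment(path, scan(src)) or f"{path}: no findings")
```

Running it reports four findings for the vulnerable Flask file, none for the hardened one, and two for the Express file. The point of the hardened snippet is what each fix actually looks like: an explicit origin list, the secret read from the environment, a short `exp` on the token, and `debug` off. Regex rules like these are cheap and fast on a PR, but they are heuristics; the JWT rule, for example, misses a payload dict assembled on another line, which is why production scanners parse the code rather than grep it.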

Continue reading on Dev.to Webdev