I Scanned 300 Vibe-Coded Repos. The #1 Finding Will Annoy You.

via Dev.to Webdev, by Chandan Karn

TL;DR
Hardcoded secrets (CWE-798) show up in roughly 2 out of 3 AI-generated repos.
It happens because AI models were trained on years of tutorial code, not production code.
A pre-commit hook with gitleaks catches this in under 5 seconds.

I've been scanning repos for a few months now. Mostly side projects, a handful of production apps that founders shared with me directly. The pattern I keep seeing is secrets hardcoded directly into source files. Not occasionally. Not in old projects. In code that was written last week, sometimes yesterday, by developers who absolutely know better. Here's the thing: they didn't write it. Their AI did.

The Vulnerable Pattern

This is the exact snippet I've found in some variation across maybe 200 of the ~300 repos I've scanned:

    // Generated by Cursor, March 2026
    const jwt = require('jsonwebtoken');
    const SECRET = 'my-super-secret-key-123';

    function generateToken(userId) {
      return jwt.sign({ id: userId }, SECRET, { expiresIn: '7d' });
    }

CWE
