Security scanner for AI-generated code

Secure AI code
before it ships

FAIL — Do not merge
Avg score of AI apps we scanned

36 rules detect prompt injection, hardcoded secrets, and unsafe LLM patterns. Auto-scans every push. Findings appear directly in your PRs.

Start scanning — free Dashboard
No code stored. Scan results only. Learn more
Repos Scanned
Failed Security Checks
Avg Score
Critical Vulnerabilities

The Vibe Coding Security Crisis

0–62%
of AI-generated code contains security vulnerabilities
Stanford HAI Study, 2025
0
new CVEs traced directly to AI-generated code in March 2026 alone
NVD Database, March 2026
0%
of all code on GitHub is now AI-generated — most unscanned
GitHub Octoverse Report, 2025

Two-Layer Defense

Everything you need to secure AI code

Static analysis catches what's in the code. Behavioral probing catches what the model does at runtime. Most tools only do one.

🔍

Layer 1 — Static Analysis

Catches AI-specific and traditional vulnerabilities: prompt injection, hardcoded secrets, SQL injection, command injection, XSS, prototype pollution, insecure JWT, CORS misconfig, and more — across Python and JavaScript.

Zero False Positives Python + JS/TS
🏆 OWASP LLM Top 10 Coverage
🤖

Layer 2 — Vibe Behavioral Engine

Tests your live LLM endpoints at runtime. Detects scope violations, prompt injection, data extraction attempts, and persona abandonment — the attack surface that static analysis can't reach.

Live Endpoint Runtime Testing
⚙️

GitHub App — Zero Config

Install in one click, pick your repos. Every push and PR is auto-scanned. Findings appear as Check Run annotations directly in your PRs — no CI setup, no config files, no pipeline changes.

One-Click Install Auto-Scan on Push PR Annotations
📊

Rich Reporting

Findings appear as Check Run annotations directly on your PRs — inline with your code. Track trends over time in the dashboard with severity breakdowns and remediation guidance.

PR Annotations Dashboard Severity Breakdown Fix Guidance
🎯

Vibe Risk Score

A single 0-100 number and letter grade that summarizes your code's security health. Score deductions are weighted by finding severity and confidence — so you always know where you stand at a glance.

0-100 Score Letter Grade CLI + Dashboard GitHub Check Runs
🚫

Merge Gating — On by Default

Enabled by default with a score threshold of 75. If a PR drops below the minimum score, the GitHub Check Run auto-fails — blocking the merge until issues are resolved. Fully configurable.

Min Score Gate Finding Limits Block Categories Configurable
🛠

Fix Vulnerabilities in One Click

Every finding comes with a concrete code fix suggestion. On PRs, fixes are posted as GitHub Suggestion comments — one click to apply. Also visible in terminal, HTML reports, and the dashboard.

GitHub Suggestions One-Click Apply 36+ Templates All Reporters
🚀 One-click GitHub App install
🔒 Never stores code or secrets
Scans in under 60 seconds
📊 Dashboard with scan history
🎯 Vibe Risk Score (0-100)
🚫 Policy-based merge gating

Why Code-Level Security Matters

Without Layer 1, Vulnerabilities Reach Production

Traditional tools scan your app after deployment. Vibe secures your code before it ships.

LAYER 1 — VIBE

Code Security Gate

  • Scans every PR before merge
  • Blocks insecure code from shipping
  • 36 rules for AI + traditional vulns
  • Catches issues at the source
Before deployment
LAYER 2 — RUNTIME

Runtime Testing

  • Scans deployed applications
  • Simulates attacker behavior
  • Tests live endpoints
  • Finds issues after they ship
After deployment

You need both layers — but without Layer 1, vulnerabilities reach production.

Get Running in Minutes

How it works

Three steps from install to your first security report.

1

Install

Click "Install GitHub App", pick the repos you want scanned. Takes 30 seconds — no config files, no CI changes.

2

Push Code

Every push and PR is automatically scanned with all 36 rules. Results appear as Check Run annotations directly on your commits.

3

Fix

Each finding shows the exact file, line, vulnerability type, and how to fix it. Track everything in your dashboard.

GitHub Check Run — vibeCodeScan
─── Vibe Risk Score ─────────────────────────────────
42/100 (F) FAIL — Do not merge
Avg Confidence: HIGH
5 findings in 4 files | 2 CRITICAL | 2 HIGH | 1 MEDIUM
─── Findings ─────────────────────────────────────
⚠ auth/client.py:12 — Hardcoded OpenAI API key in source code
Fix: Move to environment variable, use os.getenv("OPENAI_API_KEY")
Pattern: API key -> hardcoded in source -> version control -> credential leak
 
⚠ db/queries.py:47 — Unsanitized LLM output in SQL query
Fix: Use parameterized queries, never interpolate LLM output
Pattern: LLM output -> SQL query -> no parameterization -> SQL injection
 
⚠ api/chat.py:23 — User input concatenated into prompt
Fix: Use template with input validation and sanitization
Pattern: User input -> string concat -> LLM prompt -> prompt injection
 
──────────────────────────────────────────────────
🔎 View full results in the Dashboard →

Competitive Landscape

Why not just use Garak or Promptfoo?

Existing tools only solve half the problem. vibeCodeScan is the only tool that does both layers with zero config.

Tool Static Analysis Behavioral Probing OWASP LLM Coverage Auto-Scan Free Tier Risk ScoreMerge GatingAutofix Status
vibeCodeScan 36 rules 15 probes Full Every push Free 0-100 Default ON One-click Active
Garak Partial Active
Promptfoo Partial Freemium Acquired by OpenAI
Manual Review Slow Incomplete Human hours Unscalable
Generic SAST Tools Active

Privacy-First

Your Code Never Leaves GitHub

Zero code storage

Scans run through the GitHub API using the permissions you grant. We only store finding metadata — file name, line number, severity, and fix. Never your actual code, secrets, or PII.

🔒 Install GitHub App

Questions

Frequently Asked Questions

No. When you push code, GitHub sends us a webhook. We use the GitHub API (with the read-only permissions you granted) to scan the repo, then immediately discard it. We only store finding metadata: file name, line number, severity, vulnerability type, and a remediation suggestion. We never store your actual code, API keys, secrets, or any PII.
Three permissions, all minimal:

Contents: Read-only — to read your code for scanning. We never write to your repo.
Checks: Read & write — to post scan results as Check Run annotations on your commits and PRs.
Pull Requests: Read-only — to know which PR triggered the scan.

That's it. No write access to your code. No access to issues, wikis, settings, or anything else.
Two broad categories of vulnerabilities:

AI/LLM Security: Prompt injection, hardcoded API keys, unsafe use of LLM output, dangerous tool execution, overprivileged agent configurations, credential leaks into prompts, unsafe deserialization patterns, and LLM-driven SSRF / path traversal.

Traditional Security: SQL injection, command injection, XSS, insecure configurations, weak password hashing, open redirects, JWT without verification, NoSQL injection, prototype pollution, insecure cookies, and CORS misconfigurations.

Every finding includes a specific remediation — not just "fix this" but exactly what to change.
Snyk and Dependabot scan your dependencies for known CVEs. We scan your actual code for AI-specific vulnerability patterns — things like prompt injection, LLM output being used in SQL, or API keys that Copilot pasted into your source. These tools are complementary. Use Dependabot for supply chain, use us for the code AI wrote for you.
No. Scans run asynchronously — your push or PR goes through immediately. The Check Run result appears within 30–60 seconds. It never blocks your merge or deploy unless you configure branch protection rules to require it.
Yes. Accounts are limited to 5 scans per month on up to 5 public repos. When you hit the limit, the Check Run will show a neutral status and scanning pauses until the next month. Your code still pushes fine — scanning just resumes on the next cycle.
An on-premise CLI is coming soon. It will run entirely on your infrastructure — no data leaves your network. Contact us if you're interested in early access.
One click. Go to GitHub Settings → Applications → vibeCodeScan → Uninstall. All permissions are revoked instantly. We delete your installation record from our database. No lock-in, no cancellation flow.

Benchmark Data

How Secure Is AI-Generated Code?

Live data from scanning public AI-generated repositories.

Grade Distribution
AI-Specific Risks
Unique to AI-generated code
Traditional Risks
Common web vulnerabilities also present
AI apps combine new AI-specific risks with traditional vulnerabilities — creating a compound attack surface that standard tools miss.
Limitations Benchmark Report