securevibes
security scores for vibe-coded apps
securevibes is the security pass your vibe-coded app skipped. Paste a public GitHub link and it reads the repo the way an attacker would — hunting committed secrets, injection-prone code, broken auth, exposed data, and disabled TLS — then hands back a 0–100 score, a grade, and six weighted subscores so you know exactly where you stand.
Every finding comes with the file and line, why it matters, and a ready-to-paste Claude Code prompt — so the same kind of tool that wrote the bug can fix it.
how it works
- 01
paste your repo link
Drop in any public GitHub URL — no OAuth, no installs, nothing written to disk.
- 02
read your score
One number, six subscores, and every finding ranked by severity with file + line.
- 03
paste the fix
Each finding ships a Claude-ready prompt. Paste it, review the diff, re-scan.
a look inside
a few of the screens you'll actually use.
- 0–100 score + six subscores
- every finding, file + line
- ready-to-paste claude prompts
how secure is your vibe-coded app?
paste a public github repo — get a security score, ranked findings, and the claude prompts that fix them.
securevibes guides
Ways to use securevibes, and how it compares.
- use caseVibe coding security risks: why AI-built apps ship the same six problemsApps built fast with Claude Code, Cursor, or Copilot tend to ship a predictable set of security issues — committed secrets, string-built SQL, debug mode, missing .gitignore coverage. Here's the pattern and how securevibes catches it.
- how toThe pre-launch security checklist for vibe-coded appsBefore you ship an app built with Claude Code, Cursor, or Copilot, run this checklist: secrets out of the repo, SQL parameterised, debug mode off, .env ignored, lockfile committed, TLS verified. Or scan it all at once with securevibes.
- how toHow to check a GitHub repo for security issues (by hand, and in one paste)You can audit a GitHub repo manually — grep for keys, read the .gitignore, eyeball the SQL — or paste the link into securevibes and get a scored, ranked report in under a minute. Here's both routes, step by step.
- how toYou committed an API key to GitHub. Here's the order of operations.Deleting the file doesn't help — the key lives on in git history. The fix, in order: rotate the credential, purge history with git filter-repo, then prevent the next one. Step by step, with where securevibes fits.
- use caseAI-code security scanner: what the category is for, and what to expect from oneA security scanner for AI-generated code should check the mistakes AI tools actually make, point at exact lines, and hand fixes back in a form your coding agent can apply. Here's the category, and how securevibes approaches it.
- comparisonsecurevibes vs Snyk and enterprise SAST: different tools for different buildersSnyk and enterprise SAST/SCA do vulnerability-database dependency analysis and CI integration for security teams. securevibes does fast heuristic repo scans with paste-ready AI fix prompts for solo builders. Honest comparison, including when to choose the enterprise tools.