πŸ”₯ Pain score 92 on Reddit Β· r/SaaS Β· r/webdev Β· r/SideProject

Your AI wrote the code.
Who checked the auth?

Every "I built an app with Claude in 20 minutes" post is a future customer who shipped a gaping security hole. VibeCheck catches what LLMs leave behind.

Scan your app β€” free CLI on GitHub
88/100
Score for TalkBoard β€” a real vibecoded macOS app

What LLMs get wrong. Every time.

πŸ”‘
SECRET_KEY = "secret"
Session/JWT forgery
🎭
jwt.decode(..., verify=False)
Identity spoofing
πŸ”“
password == user.password
Plaintext credential dump
πŸ’‰
localStorage.setItem("token", …)
XSS β†’ full account takeover
🌐
Access-Control-Allow-Origin: *
Cross-site API abuse
πŸͺͺ
SKIP_2FA = True
MFA theater
"Because honestly, looking at that landing page, people on X and Reddit would go crazy for it right now." β€” Gemini 3 Pro, after reviewing VibeCheck

Scan your app. Get a score in seconds.

πŸ“ Scan a local path

Absolute or home-relative path on this machine.

πŸ“€ Upload project

Zip of your repo, or a single source file (max 50MB).

$9.99 per scan β€” hosted report, no CLI needed.

30+ heuristics. 7 rule packs.

πŸ” Secrets

API keys, AWS, Stripe, PEM keys, weak SECRET_KEY, hardcoded `sk_live_…`

πŸ”‘ Authentication

Plaintext passwords, MD5, auth bypass, SQLi in login, default admin

πŸͺ Session

Cookie flags, localStorage tokens, fixation hints, missing HttpOnly

🎫 Tokens

JWT verify off, alg none, predictable reset tokens, tokens in URLs

πŸ“± 2FA / MFA

Hardcoded TOTP, static OTP, bypass flags, missing rate limiting

🌍 CORS / CSRF

Wildcard origins, origin reflection, CSRF disabled, missing tokens

πŸ”’ Cryptography

TLS verify off, HTTP auth URLs, weak RNG, debug mode, MD5/SHA1

How scoring works

Starts at 100
Critical βˆ’25 Β· High βˆ’15 Β· Medium βˆ’8 Β· Low βˆ’3
A β‰₯ 90 Β· B β‰₯ 80 Β· C β‰₯ 70 Β· D β‰₯ 55 Β· F < 55

Pricing

πŸ†“ CLI

Free

Local static scan. Already on GitHub.

pip install now

πŸ“Š Pro

Coming soon

Monitoring, PR checks, history. Subscription.

Join waitlist
{% if session_id %} {% endif %}