Arthi Arumugam

Vibesafe - The condom for your vibe-coded apps.

Paste your URL. Get a security report in 60 seconds. 55+ checks tuned for the mistakes Cursor, Bolt, Lovable, and Claude Code make - exposed API keys, missing auth, open Supabase rules, leaked env vars. But we don't just find bugs - we fix them. Connect your GitHub repo and VibeSafe opens a pull request with AI-generated fixes for every vulnerability found. One click. Real code. Merged and shipped. Free scan. No signup. Don't ship naked. Practice safe shipping.

Arthi Arumugam

Hi Vibecoders, I have built something I have previously many times faced issues with. I published an app and made 9 bucks and was so happy until I got someone telling me the security is weak. I thought it was a dummy threat but I went in and there it was. Exposed keys. Open API routes. No security headers. The whole thing was naked.

That's why I built Vibesafe. Seriously. Vibe. Safe. People assume vibe-coding is just a click of a button and voila, you have a million-dollar machine. There is struggle, endurance and diligence behind every build and direction. So Vibesafe and feel free to ask any questions you have.

Thank you for the chance!

Nikhil Shahane

@arthi_arumugam This is a much needed service - most people don't bother adding prompts on how to secure their app. I recently had a friend expose visible admin endpoints from an app I was working on. Saved me some embarrassment. Will check this out.

Arthi Arumugam

@nikhilshahane Thank you Nikhil! It is a critical issue.

Łukasz Sągol

Hey @arthi_arumugam ! Love the idea behind it, seriously limiting the risks of vibecoded software.

Have you considered expanding it to other, more architectural misconfigurations (for example missing rate limiting in endpoints)?

Arthi Arumugam

@lukaszsagol Thanks Łukasz! Yes - rate limiting detection is on our roadmap. Right now we check surface-level patterns (headers, exposed secrets, CORS, auth gaps), but the next phase is deeper architectural checks like missing rate limiting, broken access control patterns, and insecure API design. The goal is to catch everything an AI tool gets wrong, not just the obvious stuff. Appreciate the feedback :) this tells me we're prioritizing the right things!

Amazing! Really love the idea, and especially the ability to paste a URL and get a report. The internal quality of vibe-coded apps is a real frustration of mine, and I hope making it easier for those devs to catch things like leaked credentials will save some people a lot of grief. I did get a lot of what I consider to be false positives (e.g. describing status 200 responses as a security issue for a Single Page Application), but for a zero-config tool it's very impressive.

Will Carter

Really nice that the fix step is baked in — scanning for issues is only half the battle if you still have to figure out what to do with the results.