We re launching Check My Vibe as a deliberately limited first-pass security tool for AI-built and vibe-coded websites.
The design constraint is simple: no login, no exploit attempts, no recursive crawling, and no stored scan history. The automated pass checks the public response, selected same-origin JavaScript, security headers, HTTPS behavior, source maps, credential-shaped strings, and a fixed set of sensitive public paths. It then hands off to a separate 36-point manual checklist for authorization, database access, dependencies, and deployment controls that a passive scanner cannot prove.
That separation matters because a clean automated result should never be presented as proof that an application is secure.
What would make this kind of first-pass report more useful without turning it into intrusive testing?
A nice touch would be letting users upload their codebase or share a repo link so the scanner can flag specific vulnerable lines or AI-generated snippets instead of just generic checklist items. Would make the findings actually actionable rather than abstract.
Ran the scan on a side project built with Cursor and it flagged a couple of exposed env vars I genuinely missed. The checklist part feels more useful than I expected since it ties each step to what actually broke.
Love how the checklist breaks things down into bite-sized steps instead of overwhelming you with jargon. The passive scan idea feels like the right move for anyone shipping fast with Lovable or Bolt.