Security scanning for AI-built apps
Finds exposed secrets, misconfigured RLS, and auth bugs in apps built with Lovable, Bolt, Cursor, or Claude. No GitHub access needed.
87% have critical vulns · 72% expose API keys · 65% misconfigured RLS (research →)
Example finding
Supabase RLS disabled on users
Anon key exposed in client bundle. Any visitor can read and write all rows without auth.
Fast first-pass review. Not a penetration test. Checks the public surface and artifacts you provide. Cannot prove your app is fully secure. See our research on AI-built app vulnerabilities →
Traditional scanners
- Require GitHub OAuth before scanning
- Miss AI-generated patterns like open RLS policies
- Return findings with no fix guidance
VibeScan URL Scan
- Checks live surface. No repo access needed
- Catches RLS gaps, inverted auth, exposed secrets
- Fix prompts you paste back into your builder
From the same maker
Two tools. One guarantee: no secrets leak.
VibeScan · Web
Scan your deployed app
Checks your live app's surface for exposed API keys, misconfigured Supabase RLS, missing security headers, and more. No code or repo access needed.
Sieve · iOS
Guard your local secrets
Before you push: scan local files, environment variables, and your clipboard for leaked API keys and credentials. Catches what code review misses.
Get Sieve on iOS
VibeScan catches what's already live. Sieve catches what's about to ship. Use both.
AI tools generate code fast. The security gaps they leave behind are systematic — the same patterns appear across Lovable, Bolt, Cursor, and Claude-built apps. VibeScan checks for the most common ones without requiring access to your source code.
72% of AI-built apps ship with secret keys visible in client-side JavaScript — Stripe secret keys, OpenAI keys, Supabase service role keys, database connection strings. VibeScan fetches your deployed JavaScript bundle and scans for credential patterns, then decodes JWTs to check whether they carry privileged roles.
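As an added example, not VibeScan's own code, the following Python script reproduces the two checks described above: regex matching for credential patterns in a fetched JavaScript bundle, and decoding the payload of every JWT it finds to see whether the `role` claim is the privileged Supabase `service_role`. The bundle excerpt, the tokens and the signing secret are all constructed for this example, and the pattern set is illustrative rather than complete.

```python
import base64
import hashlib
import hmac
import json
import re
from typing import Optional

# Illustrative patterns (assumption): a real scanner carries a much larger,
# vendor-specific set. These cover the credential families named on the page.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")
SECRET_PATTERNS = {
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{16,}"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}"),
    "database_url": re.compile(r"postgres(?:ql)?://[^\s'\"]+"),
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_jwt(claims: dict, secret: bytes = b"example-signing-secret") -> str:
    """Build an HS256 JWT so the sample bundle carries realistic-looking tokens.
    The secret is a constructed placeholder; the scanner never verifies signatures."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def decode_jwt_claims(token: str) -> Optional[dict]:
    """Decode the payload segment without verifying the signature: the question
    is which role the token carries, not whether the token is valid."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1]
    try:
        raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
        claims = json.loads(raw)
    except ValueError:  # binascii.Error, UnicodeDecodeError and JSONDecodeError are all ValueErrors
        return None
    return claims if isinstance(claims, dict) else None


def redact(secret: str) -> str:
    # Never echo a full credential back into a report.
    return f"{secret[:8]}...({len(secret)} chars)"


def scan_bundle(text: str) -> list:
    """Return findings for a bundle: JWT role checks first, then raw secret patterns."""
    findings = []
    for m in JWT_RE.finditer(text):
        claims = decode_jwt_claims(m.group(0))
        if claims is None:
            continue
        role = claims.get("role")
        if role == "service_role":
            # Bypasses RLS entirely; it must never be shipped to a browser.
            severity = "critical"
            fix = "Rotate the service_role key and move every call that uses it server-side."
        else:
            # The anon key is expected in the client; it is only safe when RLS is on.
            severity = "info"
            fix = "Confirm RLS is enabled with explicit policies on every table the anon role can reach."
        findings.append({"type": "jwt", "role": role, "severity": severity,
                         "match": redact(m.group(0)), "fix": fix})
    for name, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append({"type": name, "severity": "critical", "match": redact(m.group(0)),
                             "fix": "Rotate this credential and read it only from server-side environment variables."})
    return findings


# Constructed bundle excerpt; every credential in it is fabricated for this example.
ANON_JWT = make_jwt({"iss": "supabase", "ref": "example-project", "role": "anon"})
SERVICE_JWT = make_jwt({"iss": "supabase", "ref": "example-project", "role": "service_role"})
SAMPLE_BUNDLE = (
    'const supabase = createClient("https://example-project.supabase.co", "' + ANON_JWT + '");\n'
    'const admin = createClient("https://example-project.supabase.co", "' + SERVICE_JWT + '");\n'
    'const stripe = Stripe("pk_test_examplepublishablekey0000");\n'
    'const STRIPE_SECRET = "sk_test_examplesecretkey00000000";\n'
    'const DB_URL = "postgresql://app:example-password@db.example.internal:5432/app";\n'
)

if __name__ == "__main__":
    for finding in scan_bundle(SAMPLE_BUNDLE):
        print(json.dumps(finding))
```

Run it with `python scanner.py` and it emits one JSON line per finding. Note the asymmetry the example deliberately keeps: the anon key is reported at `info` severity with an RLS reminder, because it belongs in the client and only becomes the finding shown in the card above when RLS is off, while the `service_role` key and the Stripe secret are critical on sight. The publishable `pk_test_` key is correctly ignored.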