How to check if your vibe-coded app is secure

If you built an app with Cursor, Bolt, Lovable, or v0, here are the four checks that catch 80% of the security vulnerabilities AI introduces. No security background required.

Short answer: No, not by default. AI coding tools introduce real, exploitable security bugs in roughly 4 out of every 10 generated snippets (Stanford HAI study, 2023). The good news: 80% of those bugs cluster around four areas you can check in under an hour.

This guide is for vibe coders — people building apps with Cursor, Bolt, Lovable, v0, ChatGPT, or Claude — who don't have a security background but want to ship without getting hacked.

Why does AI write insecure code?

AI coding assistants are trained on public code from GitHub, Stack Overflow, and tutorials. A lot of that training data is example code, not production code — and example code skips security boilerplate for clarity. When an AI generates something that looks like working code, it's often missing the parameterized queries, the auth checks, the input validation, and the secret management that real production code needs.

The pattern is consistent: the code runs, the tests pass, the demo works. Then someone finds a way to break it.

What are the four checks that catch 80% of issues?

If you do nothing else, do these four. In order of impact:

1. Look for hardcoded secrets

Open every file your AI generated and search for the strings sk-, API_KEY, SECRET, password, and token. AI assistants frequently inline real-looking placeholder secrets that get committed and pushed.

What to look for: any string that looks like a credential sitting in a .ts, .js, or .py file. It belongs in an environment variable, not in code.

Quick fix: move every secret to a .env file. Add .env to your .gitignore. Rotate any secret that ever lived in a commit — even if you delete it later, it's in git history forever (GitGuardian, 2024 secrets report).

2. Check every database query for raw string interpolation

Search your code for the SQL keywords SELECT, INSERT, UPDATE, and DELETE. For each one, look at how the values come into the query.

Dangerous pattern:

const q = `SELECT * FROM users WHERE email='${email}'`;

Safe pattern:

const q = 'SELECT * FROM users WHERE email=$1';
db.query(q, [email]);

If you see the dangerous pattern anywhere, an attacker can take over the entire database by submitting ' OR 1=1 -- into that field. This is SQL injection — the #3 most common web vulnerability, and AI tools generate it constantly because the template-literal syntax is clean and reads naturally.

3. Confirm every protected route checks who's logged in

Find every route in your app that should require login (anything in /account, /dashboard, /api/admin, etc). For each one, find the first 5 lines of code that run. There should be an explicit check like if (!session) return unauthorized() or middleware that gates the route.

AI commonly generates routes that look right but skip the auth check entirely. The route works because you are logged in when you test. But a random visitor can hit the same URL and access everything.

4. Sanitize anything that touches a file path or a shell

If your app reads files based on a URL parameter — like /api/file?name=avatar.png — verify the filename doesn't contain .. or absolute paths. Otherwise an attacker can request ../../../etc/passwd and read your server's secrets.

If your app shells out to run commands, never interpolate user input into the command string. Use the array-arg version of exec, spawn, or execFile.

What's the fastest way to do all four checks?

Manually, it takes about an hour for a small app. Automated, it takes 30 seconds: connect your GitHub repo to Prev-ent and get a plain-English report showing every vulnerability, the exact attack scenario, and the fixed code you can paste back in.

Prev-ent is built specifically for AI-generated code — it knows the patterns Cursor, Copilot, and Claude tend to produce, and it explains every finding in language a non-security-engineer can act on.

What if I find vulnerabilities?

Don't panic. The fix is usually 1–3 lines of code per finding. Do these in order:

Rotate any exposed secrets first. Anything that was in a commit needs to be rotated, not just removed.
Fix SQL injection and auth bypass next. These are the most exploitable.
Then everything else.

If you're using Prev-ent, click Apply fix on each vulnerability — it opens a PR on your repo with the corrected code. Review the PR carefully, then merge.

FAQ

Is AI-generated code secure?

Not by default. Studies show AI coding assistants introduce security vulnerabilities in roughly 40% of generated code (Stanford, 2023; Snyk, 2024). The code typically works correctly but contains exploitable patterns like SQL injection, hardcoded secrets, and missing authorization checks.

How do I check if my AI-built app is secure?

Run an automated scanner like Prev-ent that's tuned for AI code patterns, then manually verify the four highest-risk areas: authentication flows, database queries, environment variables, and user input handling.

What are the biggest security risks in AI-generated code?

Hardcoded API keys and secrets, SQL injection via template literals, missing authorization checks on protected routes, and unsanitized user input flowing into shell or query strings.

Can I use Snyk or Semgrep instead?

Yes — they're solid tools, but they're built for traditional code review with deep configuration. Prev-ent is built specifically for AI-generated code patterns and explains vulnerabilities in plain English with concrete attack examples.

How often should I scan my app?

Every time you ship a meaningful feature, especially if you used AI to write any backend or auth code. For active projects: weekly minimum.

Will scanning my repo share my code with third parties?

Prev-ent reads your code through GitHub's API using your OAuth token. The code is sent to Claude (Anthropic) for analysis. Anthropic does not train on data submitted via the API. No code is stored beyond the active scan.