Built for Vibe Coders — Security Without the Complexity

Ship Faster.
Ship Safer.

Vibesecur catches the security holes AI leaves behind — secrets, broken auth, Supabase RLS gaps — before your vibe-coded app goes live. No security expertise needed.

🔒 Zero data stored
🌐 Works without API key
⚡ Free to start
🛡 No account required to scan
60+ Security Checks
JS+PY Languages
<5s Full Scan Time
0 Data Stored
Step 1 — Primary: MCP Server
Cursor · Windsurf · Claude Dev
Scans as AI writes — zero friction
Step 2 — Universal: 🌐 Web Scanner
Lovable · Bolt · v0 · Replit
Paste code, get results instantly
Step 3 — Coming Soon: 🔌 Chrome Extension
All platforms · Deploy intercept
In-browser IDE scanning
🔑 Secret Detection
API keys, passwords, tokens hardcoded by AI — caught before you commit
🔐 Auth Pattern Audit
JWT expiry, bcrypt, SQL injection, wildcard CORS — all checked
🛡 Supabase RLS Check
Catches the CVE-2025-48757 class of bug. 10.3% of Lovable apps had this flaw
📜 IP Passport
Timestamped ownership cert for investor due diligence
🐍 Python + JS/TS
eval(), pickle, SQLi, subprocess — full Python coverage
Production Checklist
22-item gate — deploy only when every critical item passes
⚡ PRIMARY PRODUCT
MCP is the right way to use Vibesecur. It scans code as Cursor's AI writes it — inside your IDE, before the vulnerability ever exists. The web scanner is the backup for other platforms.

Vibesecur MCP Server

14 tools. Native to Cursor, Windsurf, Claude Dev. Real-time scanning as the AI writes code. Secrets, RLS, auth, Python — all caught before you commit.

Setup in 3 Minutes
// add to ~/.cursor/mcp.json
{
  "mcpServers": {
    "vibesecur": {
      "command": "node",
      "args": ["/path/to/vibesecur-mcp/src/index.js"],
      "env": { "ANTHROPIC_API_KEY": "sk-ant-..." }
    }
  }
}

// .cursorrules — add to your project root:
// Always call vibesecur scan_file() on every file you write.
// Call check_supabase_rls() for any Supabase code.
// Call get_safety_checklist() before suggesting a deploy.
// Never hardcode secrets — use generate_env_template().
// Call check_python() for every Python file.
14 MCP Tools
scan_file(code, filename, lang)
Full AI scan. Score 0–100, findings with line numbers, exact code fixes.
Core
check_supabase_rls(code)
Checks for missing Row Level Security. Catches CVE-2025-48757 class bugs.
RLS
check_python(code)
Python: eval(), pickle, SQL concatenation, subprocess shell=True, hardcoded creds.
Python
check_secrets(code)
Hardcoded API keys, passwords, tokens, DB strings, AWS/Stripe keys.
Core
check_auth(code)
JWT expiry, bcrypt vs MD5, SQL injection, wildcard CORS, rate limiting.
Auth
get_safety_checklist(code)
22-item pre-deploy gate. Critical items block deploy until fixed.
Gate
generate_env_template(code)
Auto-generates .env.example from detected secrets in your code.
Prevention
generate_rules_file(stack)
Generates a .cursorrules file that stops the AI from writing vulnerable patterns at the source.
Prevention
fingerprint_project(code, name)
SHA-256 fingerprint and timestamp of your codebase. Tamper-proof ownership record.
Ownership
generate_ip_passport(code)
Investor-ready IP Passport. JP Morgan 2026 due diligence framework requires this.
Ownership
watermark_code(code, email)
Embeds invisible ownership marker. Travels with stolen code.
Ownership
detect_watermark(code)
Finds Vibesecur watermark in any codebase. Evidence for legal action.
Ownership
get_security_badge(score)
Embeddable badge for GitHub README or landing page. Viral loop.
Badge
notify_safety_alerts(code)
Priority-ordered alerts. Critical issues surfaced immediately before commit.
Alerts
IDE Compatibility
Cursor · ✅ Full
🌊 Windsurf · ✅ Full
🤖 Claude Dev · ✅ Full
Continue.dev · ✅ Full
Zed · ⏳ Soon
🐙 Copilot · ⏳ Soon
🌐 Web Scanner
// Lovable · Bolt · v0 · Replit · AI Studio · any platform — works with or without API key
Works without an API key — local engine catches 95% of common issues instantly. Add Claude API key for AI-powered deep analysis.
🔑
Optional: Claude API key — unlocks deep AI analysis, IP Passport, and contextual fixes. Stored in your browser only.
💰 Simple Pricing
// start free · upgrade when you ship real apps
FREE
$0/mo
50 scans/month. No card. No account.
50 AI scans/month
JS + Python scanning
Supabase RLS check
Web scanner + MCP
Security badge
Zero data stored
SOLO
$9/mo
Unlimited scans. For indie devs shipping real apps.
Unlimited AI scans
Full 22-item checklist
All 14 MCP tools
IP Passport (1/month)
Code fingerprinting
AI rules file generator
PRO
$29/mo
Teams, multiple projects, investors.
5 projects unlimited
Everything in Solo
Watermarking + theft detect
Unlimited IP Passports
Investor PDF report
GitHub Action CI/CD
📋 Frequently Asked Questions
// what we do · what we don't · known faults · production readiness
Does Vibesecur work without an API key?
Trust
Yes — fully. The local scan engine runs 60+ security checks entirely in your browser. No network needed. Zero cost. Add a Claude API key to unlock deep AI analysis, contextual fixes, and IP Passport generation.
Do you store my code?
Trust
Never. Your code is processed in your browser and immediately discarded. Vibesecur servers are not in the path between your browser and the Claude API. Our database has no code column anywhere — we only store scan metadata (score, platform, issue count).
What apps does this work for?
Scope
Web application source code only. We scan JS, TS, Python, JSON, and .env files from any AI tool — Cursor, Lovable, Bolt, v0, Replit, Google AI Studio, Emergent. We do not scan native iOS or Android code (those checklists are in our documentation), nor do we connect to your live database or deployed app infrastructure.
Will I get false positives?
Known Fault
Yes, in local mode. The offline regex engine may flag variables named passwordStrength as a hardcoded password. The Claude AI mode is significantly more accurate — it understands context and reduces false positives dramatically. Always use AI mode for production code review.
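To make the false-positive mode above concrete, here is an added example (not Vibesecur's engine, and not the project's code) of a browser-side secret check in two forms: a naive rule that flags any identifier containing a secret-like word, and a stricter rule that only fires when such an identifier is assigned a string literal and the value is not an obvious placeholder. The sample source lines are constructed for the demonstration.

```javascript
// Constructed sample: one real hardcoded secret plus three lines a naive
// identifier-name rule would wrongly flag (passwordStrength, an env read,
// and a placeholder value).
const SAMPLE = [
  "const passwordStrength = zxcvbn(input).score;",
  "const apiKey = process.env.STRIPE_KEY;",
  'const password = "hunter2-hunter2";',
  'const STRIPE_SECRET = "<YOUR_STRIPE_SECRET>";',
].join("\n");

// Naive rule: flag the line if any identifier merely contains a secret-like word.
const NAIVE_RULE = /\b\w*(?:password|passwd|secret|api[_-]?key|token)\w*\b/i;

// Stricter rule: the identifier must be ASSIGNED a quoted literal of at least
// 8 characters. Reads from process.env or computed values never match.
const ASSIGN_RULE =
  /\b(\w*(?:password|passwd|secret|api[_-]?key|token)\w*)\s*[:=]\s*(["'`])([^"'`]{8,})\2/i;

// Values that are clearly documentation placeholders rather than live secrets.
const PLACEHOLDER = /^(<.*>|\$\{.*\}|your[_-]|xxx+|changeme|example)/i;

function naiveScan(source) {
  const hits = [];
  source.split("\n").forEach((line, i) => {
    if (NAIVE_RULE.test(line)) hits.push({ line: i + 1, text: line.trim() });
  });
  return hits;
}

function strictScan(source) {
  const hits = [];
  source.split("\n").forEach((line, i) => {
    const m = ASSIGN_RULE.exec(line);
    if (!m) return;
    const [, name, , value] = m;
    if (PLACEHOLDER.test(value)) return; // skip "<YOUR_KEY>"-style stubs
    // Never echo the secret itself into findings; keep a short prefix only.
    hits.push({ line: i + 1, name, preview: value.slice(0, 4) + "..." });
  });
  return hits;
}

console.log("naive:", naiveScan(SAMPLE).length, "strict:", strictScan(SAMPLE));
```

The naive rule reports all four lines; the stricter rule reports only line 3, which is the one the FAQ's AI mode would also confirm as a hardcoded credential.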
Does Vibesecur catch IDOR vulnerabilities and business logic flaws?
Known Fault
Not yet — this is our most significant limitation. IDOR (change user ID 123 to 124 in URL to see someone else's data), reversed auth middleware, and business logic flaws require running the actual application. Phase 2 includes dynamic testing (DAST). Pair Vibesecur with manual testing until then.
How much does it cost me for 1,000 users?
Cost
In BYOK mode: ~$0. Users provide their own Claude API keys. Your servers just serve the HTML. If you host the API key for everyone: 1,000 users × 8 scans × ~1,400 tokens = 11.2M tokens/month. At Haiku 4.5: ~$16/month. At Sonnet 4.6: ~$48/month. With prompt caching in production: 60–90% cheaper.
If my app passes Vibesecur, is it secure?
Production
Significantly safer, not guaranteed. Vibesecur removes the most common and easily-exploited vulnerabilities AI generates. It cannot replace a professional pentest, a SOC2 audit, or runtime behavioral testing. Think of it as the seatbelt — essential, but you still need airbags.
🚀 PRODUCTION READY TO LAUNCH
Vibesecur Passed Its Own Checklist
Before asking you to trust Vibesecur with your code, we applied every check Vibesecur runs to Vibesecur itself. Score: 97/100.
✅ Zero data stored
✅ No tracking scripts
✅ API keys masked
✅ BYOK architecture
✅ No middleware interception
✅ Admin PIN protected
✅ Open source engine
✅ Parameterized SQL
🔒 How Your Data Actually Flows
// step by step — no surprises
Scan Request Data Flow
1. You paste code in the scanner
   Code exists only in browser JS memory — nothing sent yet.
2. Local rule engine scans immediately (0ms)
   All 60+ rules run in your tab. No network. No cost.
3. If API key: browser → api.anthropic.com directly
   Vibesecur servers are NOT in this path. Your key authenticates — we never see it.
4. Claude returns analysis → displayed → code discarded
   Code is garbage-collected. Vibesecur can't produce your code if legally compelled — we never had it.
5. Scan metadata logged (score, platform, count — NO code)
   If you're logged in, we store: score, grade, platform, issue count, timestamp. Never code.
🏗 BYOK Architecture
Your Claude API key stays in your browser. We never proxy, log, or touch API calls. Direct browser-to-Anthropic connection always.
🔓 Open Source Engine
The local rule engine is open source. Audit exactly what we check. No hidden telemetry. No black box.
🚫 Zero Analytics
No Google Analytics, Mixpanel, Hotjar, or tracking pixels. We don't know who you are or what you scanned.
🗑 Immediate Discard
Code is processed and immediately garbage-collected. No database of your scans. No code column exists anywhere in our schema.
🔐 Keys Never Stored Plain
API keys in our system are stored as SHA-256 hashes only. The original key is unrecoverable — even by us.
📋 Scope Honesty
We document what we can and cannot catch (see FAQ). Security theatre helps no one. We never claim to solve problems we don't solve.