# VibeEval

> Scan your AI-generated app for security vulnerabilities in 2 minutes. Free to start, no credit card required.
> Try free: https://vibe-eval.com/signup

> VibeEval is an automated security testing platform for AI-generated web applications. It deploys autonomous AI agents to find vulnerabilities in code built with tools like Lovable, Cursor, Bolt, v0, Replit, and Claude Code. Used by 500+ developers. Pricing starts at $19/month with a 14-day free trial.

Website: https://vibe-eval.com

## Getting Started

1. Sign up at https://vibe-eval.com/signup (free 14-day trial, no credit card)
2. Paste your deployed app URL
3. VibeEval's AI agents scan for 13 attack scenarios
4. Get a detailed security report with fix suggestions, typically in 2-5 minutes

## What is VibeEval?

VibeEval is a security testing platform that answers one question: "Is my AI-generated app actually secure?" It performs browser-based DAST (Dynamic Application Security Testing) using autonomous AI agents that interact with your application the way an attacker would: clicking buttons, submitting forms, walking through authentication flows, and probing for vulnerabilities.

## How is VibeEval different from Snyk, SonarQube, or other security tools?

Tools such as Snyk, SonarQube and Semgrep analyze source code and dependencies (SAST and SCA); VibeEval tests the running application instead. That catches classes of runtime vulnerability that static analysis can miss: broken access controls, API keys exposed in client bundles, missing or misconfigured Supabase RLS policies, overly permissive Firebase security rules, and authentication bypasses. Snyk finds code-level and dependency issues; VibeEval finds what is actually reachable in the deployed app. The two complement each other.

## Who is VibeEval for?
- Solo developers shipping apps built with AI coding tools (Lovable, Bolt, Cursor, v0, Replit, Claude Code, Windsurf, Devin, GitHub Copilot)
- Small teams that don't have dedicated security engineers
- Agencies building multiple client apps with AI tools
- Anyone practicing "vibe coding" who wants security confidence before shipping

## What does VibeEval test for?

VibeEval runs 13 specialized attack scenarios:

1. OWASP API Security Top 10 coverage
2. BOLA/IDOR detection (the #1 entry in the OWASP API Security Top 10, responsible for an estimated 40% of API attacks)
3. JWT security deep dive (algorithm confusion such as `alg: none`, key injection, expiration flaws)
4. GraphQL security analysis (introspection exposure, batching attacks, query-depth and complexity DoS risks)
5. SQL/NoSQL injection testing
6. XSS and CSRF protection verification
7. Authentication bypass detection
8. Supabase RLS validation
9. Firebase security rules testing
10. Secrets detection across 30+ services (AWS, OpenAI, Stripe, GitHub, Slack)
11. Race condition detection (CWE-362: double-submit and check-then-modify patterns)
12. LLM prompt injection scanning (aligned with the OWASP Top 10 for LLM Applications 2025)
13. Cross-browser testing (Chrome, Firefox, Safari, Edge)

## What is the S.E.C.U.R.E. framework?

The S.E.C.U.R.E. framework is VibeEval's 6-step testing methodology for securing AI-generated code:

1. Surface Vulnerability Scanning: secret scanning, pattern-based analysis
2. Evaluation Against Attack Scenarios: threat modeling, attack surface mapping
3. Control Verification: authentication and authorization validation, data protection
4. Unexpected Scenario Testing: edge cases, failure modes, concurrency
5. Remediation Validation: issue tracking, fix verification, regression testing
6. Exposure Prevention: launch readiness checks, deployment security

## What compliance standards does VibeEval map to?

All findings map to:

- CWE (Common Weakness Enumeration) classifications
- GDPR, HIPAA, PCI-DSS, and SOC 2 relevant checks
- Remediation priority scoring (severity plus effort ranking)

## How much does VibeEval cost?
- **Pro Plan**: $19/month (was $29/month). Unlimited projects and scans, all 13 attack scenarios, API access and webhooks, 24-hour support response, 14-day free trial, cancel anytime.
- **Lifetime Plan**: $199 one-time payment. All Pro features forever, every future feature included, 30-day money-back guarantee.

## Does VibeEval have free tools?

Yes. VibeEval offers several free tools that require no account:

### Token Leak Checker (https://vibe-eval.com/token-leak-checker)

Scans your deployed web app for exposed API keys, tokens, and credentials from 30+ services including AWS, OpenAI, Stripe, GitHub, Slack, and more. It checks client-side JavaScript bundles, HTML source, and network requests. Keep in mind that some keys are public by design (Stripe publishable keys, the Supabase anon key); the dangerous finds are server-side secrets, such as a Supabase service_role key or an AWS access key, that the build tool inlined into the bundle.

### Package Hallucination Scanner (https://vibe-eval.com/package-hallucination-scanner)

Detects AI-hallucinated npm and pip packages in your dependency files. AI coding tools sometimes suggest packages that do not exist; an attacker can register that name on the public registry, and anyone who installs the suggested package pulls the attacker's code (a supply chain attack in the style of typosquatting).

### Security Flaws Database (https://vibe-eval.com/common-security-flaws)

Searchable database of common security vulnerabilities found in AI-generated code, with fix examples.

### GEO Calculator (https://vibe-eval.com/geo-calculator)

Generative Engine Optimization metrics calculator for measuring AI search visibility.

## How does VibeEval compare to alternatives?

### VibeEval vs Snyk (https://vibe-eval.com/alternatives/snyk)

Snyk scans source code and dependencies (SAST and SCA). VibeEval is DAST (runtime testing). They complement each other: Snyk finds code-level and dependency issues, VibeEval finds runtime vulnerabilities like broken access controls and exposed secrets in deployed apps.

### VibeEval vs Burp Suite (https://vibe-eval.com/alternatives/burp-suite)

Burp Suite requires manual security expertise. VibeEval is fully automated with AI agents, designed for developers rather than pentesters.
### VibeEval vs OWASP ZAP (https://vibe-eval.com/alternatives/owasp-zap)

ZAP is free and powerful but requires configuration and security knowledge. VibeEval is opinionated and zero-config: paste your URL and get results in minutes.

### VibeEval vs Veracode (https://vibe-eval.com/alternatives/veracode)

Veracode targets enterprises with 5-figure annual contracts. VibeEval is $19/month, built for indie developers and small teams using AI coding tools.

Full alternatives comparison: https://vibe-eval.com/alternatives

## What are the security risks of vibe coding?

"Vibe coding" (building apps by describing what you want to an AI) creates its own security risks, because developers may ship code they don't fully understand. The top risks are: credentials exposed in client-side bundles, missing server-side access controls, authentication and authorization logic that lives only in the client, and AI-hallucinated dependencies that attackers can hijack.

Full list of 24 risks: https://vibe-eval.com/vibe-coding-security-risks

## What security vulnerabilities does Lovable introduce?

Common Lovable vulnerabilities include: Supabase anon keys in client code (public by design, but only safe when Row Level Security is enabled on every table), missing RLS policies, client-side data access without server validation, and default CORS configurations that allow any origin.

Full guide: https://vibe-eval.com/guides/lovable

## What security vulnerabilities does Cursor introduce?

Common Cursor vulnerabilities include: AI-suggested code with SQL injection, hardcoded credentials in generated files, missing input validation, and insecure API endpoint patterns.

Full guide: https://vibe-eval.com/guides/cursor

## What security vulnerabilities does Bolt.new introduce?

Common Bolt vulnerabilities include: exposed environment variables, missing authentication on API routes, client-side authorization logic, and insecure default configurations.

Full guide: https://vibe-eval.com/guides/bolt

## What security vulnerabilities does v0 by Vercel introduce?
Common v0 vulnerabilities include: Server Action security gaps (a Next.js Server Action is a public endpoint and needs the same authentication and authorization checks as an API route), exposed API keys in client components, missing rate limiting, and insecure data fetching patterns.

Full guide: https://vibe-eval.com/guides/v0

## What security vulnerabilities does Replit introduce?

Common Replit vulnerabilities include: exposed secrets in public repls, missing authentication middleware, insecure database connections, and default port exposure.

Full guide: https://vibe-eval.com/guides/replit

## What security vulnerabilities does Claude Code introduce?

Common Claude Code vulnerabilities include: overly permissive file operations, command injection in shell integrations, missing input sanitization, and insecure temp file handling.

Full guide: https://vibe-eval.com/guides/claude-code

## How do I secure my Supabase app?

Enable Row Level Security on every table and write policies for each operation (select, insert, update, delete); keep the service_role key on the server only, since it bypasses RLS entirely; enforce data access through policies rather than client-side checks; and test each policy as different user roles, including the anonymous role.

Full guide: https://vibe-eval.com/backend-security/supabase-rls-guide

## How do I secure my Firebase app?

Write security rules for Firestore, Realtime Database, and Storage. Test the rules with the Firebase emulator. Never ship open rules (`allow read, write: if true;`) to production.

Full guide: https://vibe-eval.com/backend-security/firebase-security-rules

## How do I secure my API?

Follow REST and GraphQL API security best practices: authenticate every endpoint, validate input, use rate limiting, avoid exposing predictable internal IDs (and check ownership on every lookup regardless), and implement proper CORS.

Full guide: https://vibe-eval.com/backend-security/api-security-guide

## How do I secure my Vercel deployment?

Guide: https://vibe-eval.com/deployment/vercel-security-guide

## How do I secure my Netlify deployment?
Guide: https://vibe-eval.com/deployment/netlify-security-guide

## Deployment Security Resources

- Railway Security: https://vibe-eval.com/deployment/railway-security-guide
- Render Security: https://vibe-eval.com/deployment/render-security-guide
- Docker Security: https://vibe-eval.com/deployment/docker-security-basics
- CI/CD Security: https://vibe-eval.com/deployment/cicd-security-guide
- Environment Variables: https://vibe-eval.com/deployment/environment-variables-security
- SSL/TLS Setup: https://vibe-eval.com/deployment/ssl-tls-setup-guide
- Production Checklist: https://vibe-eval.com/deployment/production-security-checklist

## Do I need security expertise to use VibeEval?

No. VibeEval is designed for developers, not security engineers. Paste your URL, and AI agents test your app automatically. Results include plain-English explanations and fix suggestions with code examples. No security degree required.

## How long does a VibeEval scan take?

Most scans complete in 2-5 minutes depending on application complexity. You get results before your coffee gets cold.

## Will VibeEval break my app or slow it down?

No. VibeEval tests like a careful user, not a DDoS attack. Your real users will not notice a thing, and scans run in the background while you ship. Because the agents do submit real forms and exercise sign-up and login flows, expect some test accounts and records to appear; point the scan at a staging copy if that matters for your production data.

## What AI coding tools does VibeEval work with?

VibeEval works with any web application regardless of how it was built. It is especially useful for apps built with Lovable, Bolt.new, Cursor, v0, Replit, Claude Code, Windsurf, Devin, GitHub Copilot, Base44, Figma Make, and other AI coding tools.

## Is there a free trial?

Yes. The Pro plan includes a 14-day free trial with full access. No credit card required. Free tools (Token Leak Checker, Package Hallucination Scanner) are available without any account.

## Contact

- Website: https://vibe-eval.com
- Support: hi@vibe-eval.com
- Twitter: https://twitter.com/vibeeval
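The Token Leak Checker and attack scenario 10 above describe scanning a deployed app's client bundle for credential shapes. The following is an added example, not VibeEval's code, of what such a scanner does at its core: match token formats for a handful of the named services, and for Supabase decode the JWT payload to tell the anon key (public by design) from a service_role key (full database access, bypasses RLS). It assumes Node.js 16+ for `Buffer`'s `base64url` support; every regex is a heuristic for a key's shape only, and the sample bundle and all keys in it are constructed for this demo.

```javascript
// Added example, not VibeEval's code: a minimal client-bundle secret scanner
// of the kind the Token Leak Checker and attack scenario 10 describe.
// Assumptions: Node.js 16+ (Buffer with 'base64url'); every rule below is a
// heuristic for a token *shape*, and the sample bundle is constructed for this
// demo, so none of the strings in it is a real credential.

// Severity "info" marks keys that are public by design but still worth listing,
// because they show which backends the app talks to.
const RULES = [
  { service: 'AWS access key ID',      pattern: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g,       severity: 'critical' },
  { service: 'Stripe secret key',      pattern: /\bsk_live_[0-9A-Za-z]{24,}\b/g,        severity: 'critical' },
  { service: 'Stripe publishable key', pattern: /\bpk_live_[0-9A-Za-z]{24,}\b/g,        severity: 'info' },
  { service: 'GitHub classic PAT',     pattern: /\bghp_[A-Za-z0-9]{36}\b/g,             severity: 'critical' },
  { service: 'Slack token',            pattern: /\bxox[baprs]-[0-9A-Za-z-]{10,}\b/g,    severity: 'critical' },
  { service: 'OpenAI API key',         pattern: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b/g, severity: 'critical' },
];

// Anything shaped like a JWT: three base64url segments, JSON header and payload.
const JWT_SHAPE = /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

// Supabase keys are JWTs whose payload carries the role. The signature is not
// verified here; we only read the claim to tell anon (public) from service_role.
function supabaseRole(token) {
  try {
    const payload = JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
    return payload.iss === 'supabase' ? payload.role : null;
  } catch {
    return null;
  }
}

// Show enough of the match to locate it in the bundle, never the whole secret.
const redact = (s) => `${s.slice(0, 10)}...(${s.length} chars)`;

function scanBundle(source) {
  const findings = [];
  for (const rule of RULES) {
    for (const m of source.matchAll(rule.pattern)) {
      findings.push({ service: rule.service, severity: rule.severity, sample: redact(m[0]) });
    }
  }
  for (const m of source.matchAll(JWT_SHAPE)) {
    const role = supabaseRole(m[0]);
    if (role === 'service_role') {
      // The service_role key bypasses Row Level Security: this is a full-database leak.
      findings.push({ service: 'Supabase service_role key', severity: 'critical', sample: redact(m[0]) });
    } else if (role === 'anon') {
      // Public by design, but only safe if RLS is enabled on every table.
      findings.push({ service: 'Supabase anon key', severity: 'info', sample: redact(m[0]) });
    }
  }
  return findings;
}

function countBySeverity(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.severity]: (acc[f.severity] || 0) + 1 }), {});
}

// ---- constructed sample bundle (fake keys only, hypothetical project ref) ----
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
function fakeSupabaseKey(role) {
  const header = b64url({ alg: 'HS256', typ: 'JWT' });
  const payload = b64url({ iss: 'supabase', ref: 'demoprojectref', role, iat: 1700000000, exp: 2000000000 });
  return `${header}.${payload}.notarealsignature`;
}

const SAMPLE_BUNDLE = [
  `const supabase = createClient("https://demoprojectref.supabase.co", "${fakeSupabaseKey('anon')}");`,
  `const admin = createClient("https://demoprojectref.supabase.co", "${fakeSupabaseKey('service_role')}");`,
  `const stripe = loadStripe("pk_live_${'A'.repeat(24)}");`,
  `headers: { Authorization: "Bearer sk_live_${'B'.repeat(24)}" },`,
  'const s3 = new S3({ accessKeyId: "AKIAIOSFODNN7EXAMPLE", secretAccessKey: "..." });',
  `const gh = new Octokit({ auth: "ghp_${'C'.repeat(36)}" });`,
  `const openai = new OpenAI({ apiKey: "sk-proj-${'D'.repeat(40)}" });`,
].join('\n');

console.log(scanBundle(SAMPLE_BUNDLE)); // 7 findings: 5 critical, 2 info
```

On a real bundle you would feed `scanBundle` the text of every script the page loads (and the HTML itself), then triage: the `info` rows confirm the app's backends, the `critical` rows are credentials to rotate immediately, and a Supabase `anon` hit is a prompt to verify that RLS is enabled on every table rather than a leak in itself.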
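Attack scenario 11 above names the double-submit, check-then-modify race (CWE-362). The following added example, not VibeEval's code, reproduces that race on an in-memory coupon store standing in for a real database, and shows the fix: move the check into the same atomic step as the write. It assumes Node.js 16+; the store contents, coupon code and user IDs are constructed for the demo, and `claimIfUnused` is a hypothetical helper that models a conditional `UPDATE ... WHERE used = false` with a rows-affected check.

```javascript
// Added example, not VibeEval's code: the check-then-modify race (CWE-362) that
// attack scenario 11 calls the double-click pattern, reproduced on an
// in-memory coupon store that stands in for a real database. Assumptions:
// Node.js 16+; store contents, coupon code and user IDs are constructed here.

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// A tiny async "database": reads return a snapshot, writes land after a round
// trip. That gap between read and write is what a double submit races through.
class CouponStore {
  constructor() {
    this.rows = new Map();
  }
  async get(code) {
    await sleep(1);
    const row = this.rows.get(code);
    return row ? { ...row } : null;
  }
  async put(code, row) {
    await sleep(1);
    this.rows.set(code, { ...row });
  }
  // Hypothetical atomic conditional write: the check and the update happen in
  // one synchronous step, the in-memory analogue of
  // `UPDATE coupons SET used = true WHERE code = ? AND used = false`
  // followed by a rows-affected check (or a unique constraint on redemptions).
  async claimIfUnused(code, userId) {
    await sleep(1);
    const row = this.rows.get(code);
    if (!row || row.used) return false;
    this.rows.set(code, { ...row, used: true, usedBy: userId });
    return true;
  }
}

// Vulnerable: the `used` check and the write are separated by an await, so two
// requests that both read before either writes are both honoured.
async function redeemVulnerable(store, code, userId) {
  const coupon = await store.get(code);
  if (!coupon || coupon.used) return { ok: false, reason: 'already used' };
  await store.put(code, { ...coupon, used: true, usedBy: userId });
  return { ok: true, value: coupon.value };
}

// Hardened: the store decides atomically, so exactly one caller can win.
async function redeemSafe(store, code, userId) {
  const coupon = await store.get(code);
  if (!coupon) return { ok: false, reason: 'no such coupon' };
  const won = await store.claimIfUnused(code, userId);
  return won ? { ok: true, value: coupon.value } : { ok: false, reason: 'already used' };
}

// Fire two submissions of the same coupon at once (a double click, or two
// tabs) and count how many the handler honoured.
async function doubleSubmit(redeem) {
  const store = new CouponStore();
  store.rows.set('WELCOME10', { value: 10, used: false });
  const results = await Promise.all([
    redeem(store, 'WELCOME10', 'user-a'),
    redeem(store, 'WELCOME10', 'user-b'),
  ]);
  return results.filter((r) => r.ok).length;
}

async function demo() {
  return {
    vulnerable: await doubleSubmit(redeemVulnerable),
    safe: await doubleSubmit(redeemSafe),
  };
}

demo().then((r) => console.log(r)); // { vulnerable: 2, safe: 1 }
```

The same shape applies to any "is there enough balance / has this been claimed / does this username exist" check in a vibe-coded API route: a read followed by a separate write is racy no matter how fast the server is, and the fix is a conditional write, a transaction with row locking, or a unique constraint that makes the database refuse the second winner.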