VibeCheck v0.1
Map your app's attack surface

Find the leaks
before your users do.

Point VibeCheck at a live URL or a read-only GitHub repo. It maps how your app is wired and finds exposed keys, open databases and unprotected endpoints — passively, read-only, with plain GETs. No attacks, no writes, no surprises.

Passive & read-only · No login, no agent · ~30s per scan
attack-surface.map — my-saas.app · scanning
  client  Browser bundle (react / vite)
  edge    API routes (/api/*)
  data    Supabase DB (postgres)
  files   Storage (buckets)
Findings
  Critical  service_role key in client bundle
  Critical  users table: RLS off
  Medium    /api/login: no rate limit
  Medium    CORS: * + credentials
Grade C · 64/100 · Needs work
Target https://my-saas.app · 2 critical · 1 high · 4 medium · 3 low
The detectors

What we actually look for.

Every check is a passive detector that reads what your app already exposes. No payloads, no fuzzing — just the questions a curious stranger would ask in the first five minutes.

Check · What it means · Severity

Exposed secrets (secrets.client-bundle / git-history) · Critical
  A service_role key, API token or private key shipped in your JS bundle or left in git log. Full read/write to your backend for anyone who opens DevTools.

Open database (database.rls-off / firestore-open) · Critical
  Supabase tables with RLS disabled, a using (true) policy, or wide-open Firestore rules — anyone can read or rewrite every row.

Unprotected endpoints (api-auth.no-check) · High
  An /api/* route that reads or writes data without checking who's calling. Broken access control — OWASP A01.

SQL / NoSQL injection (injection.unsanitized) · High
  User input concatenated straight into a query. Lets an attacker read tables they shouldn't, or drop them.

Security headers & CORS (headers.csp / transport.cors) · Medium
  Missing CSP / HSTS, or Access-Control-Allow-Origin: * paired with credentials — any site can ride your users' sessions.

Public storage buckets (storage.public-bucket) · Medium
  A Supabase or S3 bucket set to public when it holds private uploads — invoices, IDs, user files indexed and downloadable.

No rate limiting (rate-limit.absent) · Medium
  Login, signup or send-email routes with no throttle. Open to credential stuffing and runaway cost on metered APIs.
Clean checks are reported too, as passed — so the grade shows what you got right, not just what's broken.
Three steps, zero risk

Point it. Scan it. Fix it.

The scanner is a pure read-only observer. It collects evidence, grades it deterministically, and hands you the exact prompt to paste into your editor.

01 · Give it a URL or a repo

Drop in your live domain, or connect a read-only GitHub repo. Nothing is installed and we never ask for write access.

input: url | github (read-only)

02 · Passive scan, no attacks

VibeCheck makes plain GET requests and reads what's public — headers, bundles, source, rules. No payloads, no writes, no brute force. ~30 seconds.

method: read-only GET · no mutations

03 · Grade + copy-paste fixes

You get an A–F grade, a 0–100 score, and a ready-to-paste fix prompt for every finding — written for Cursor, Claude or whatever you build with.

output: grade · score · fix prompts
fix-prompt · secrets.client-bundle
# Paste into Cursor / Claude Code

My Vite app ships the Supabase service_role key
in the client bundle (found in assets/index-4f1.js).

Fix it:
1. Remove the service_role key from all client code
   and from VITE_* env vars (they're public).
2. Move every write that needs it into a server
   route or Edge Function; keep only the anon key
   on the client.
3. Rotate the leaked key in the Supabase dashboard
   — assume it is already compromised.

Show me the exact diffs for my stack.
Real finding from the example scan above — critical, capped the grade at F until fixed.
Wear your grade

One badge. Bragging rights or a wake-up call.

Every scan gives you an embeddable two-part badge. Drop the markdown in your README and it re-renders your live grade — a quiet signal that you actually checked.

README.md
[![VibeCheck](https://vibecheck.dev/badge/my-saas.app.svg)](https://vibecheck.dev/r/my-saas.app)
// renders inline, scales on retina, recolors with your grade
Badge previews: vibecheck A · vibecheck C · vibecheck F
Grades run A → F · the green A is the only one worth framing.
Pricing

Start free. Pay once when it's serious.

The free scan tells you if you're leaking. Pay only when you want every finding, the fixes, and a paper trail.

Free
$0
One scan, the honest headline.
  • A–F grade + 0–100 score
  • Top 3 findings, in full
  • Embeddable grade badge
  • Remaining findings hidden
Run a free scan
Full audit · one-time
$19 once
Everything we found, and how to fix it.
  • All findings, every severity
  • Copy-paste fix prompt per issue
  • PDF report to share or file
  • Passed-checks evidence list
Get the full audit
Monitoring · subscription
$9/mo
Catch the regression you'll ship next week.
  • Re-scan on every deploy
  • Alert when the grade drops
  • Grade trend over time
  • Full audit included each scan
Start monitoring

Done-for-you manual audit

A human reviews your app by hand, beyond the automated checks.

$49–99 · per app · Email for a manual audit