New · Now scanning Lovable · Replit · Bolt · v0

Your vibe-coded app probably has security holes. We find them. We fix them.

VibeDefend watches your Lovable, Replit, Bolt, or v0 app for security problems and sends you a "fix this" message in plain English — with the fix already written. No security background required.

Reads only repos you pick · Code never persists · Free first scan
github.com / you/your-app / pulls / 42
OPEN · OPENED BY VIBEDEFEND · 2 MIN AGO

Move Supabase service-role key out of the client

What's wrong

Your Supabase service-role key is shipped to every visitor's browser. Anyone can read or delete every row in your users table.

What I changed

Moved the key to a server-only env var. The browser now uses the safe anon key, which RLS will gate.

src/lib/supabase.ts
 1  import { createClient } from '@supabase/supabase-js'
 2  
 3- export const supabase = createClient(
 4-   "https://abc.supabase.co",
 5-   "eyJhbG...service_role..."  // ⚠ leaked
 6- )
 3+ export const supabase = createClient(
 4+   import.meta.env.VITE_SUPABASE_URL,
 5+   import.meta.env.VITE_SUPABASE_ANON_KEY
 6+ )
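Review bot: the description says the anon key is "gated by RLS", but the hunk itself only swaps the key; nothing here enables Row-Level Security on `users`, and with RLS off (the field guide's second most common finding) the anon key reads the table just as freely as the service-role key did. Confirm RLS is enabled on the affected tables before merging. Also, the diff does not show where the service-role key now lives; whatever server-side variable it moves to must not carry the `VITE_` prefix, because Vite inlines `VITE_*` variables into the browser bundle, which would recreate the leak.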
re-scan passed · 6 checks green · ready to merge
§ 01 · The big picture

Where VibeDefend sits in your stack.

Your app lives on GitHub. We're a GitHub app that watches it. When we find a problem, we send you a fix as a pull request. Nothing in your code changes until you click Merge.

Diagram · Your generators (Lovable: react + supabase; Replit Agent: node + sqlite; Bolt: vite + typescript; v0: next + tailwind) push to your repo on GitHub (your-app · github.com/you/repo). VibeDefend watches it: 1 · read your code, 2 · we explain, 3 · we write the fix, 4 · double-check fix, 5 · open pull request (VibeDefend AI, tuned for vibe-coded apps; your code is never saved, deleted after each scan). The fix arrives as a PR and you approve it: PR #42 · ready to merge · ✓ tests passed · ✓ fix verified.
A · We see only what you pick

You choose which repos we can read. We can't see anything else in your GitHub account. Ever.

B · Your code is never saved

We read it, scan it, then delete it — every single time. Nothing about your code lives in our database.

C · AI doesn't train on you

Anthropic's Claude API doesn't use your code to train models. Your code is yours.

§ 02 · Inside a scan

From your push to a finished fix — in about 10 seconds.

Here's what happens between the moment you save your work and the moment a "fix this" message appears in your repo. The middle part — that's all us.


Timeline · You push to GitHub (save your work, 0 s) → VibeDefend does this: we scan your code (find security issues, 2 s) → we explain it (in plain English, 2 s) → we write the fix (a tiny code change, 3 s) → we double-check it (the fix must actually work, 1 s) → we send it to you (as a pull request, 1 s) → you click Merge ✓. Total time · ~10 seconds.

0–1 s · You push your code. VibeDefend gets notified by GitHub.
1–3 s · We download a copy of your code and run ~30 security checks on it.
3–6 s · We read each problem and write a one-sentence explanation you'll understand.
5–9 s · We write the fix as a tiny code change — usually just a few lines.
9–10 s · We re-run the scan on the fixed version. If it still fails — no PR. We never send broken fixes.
10 s+ · You see a pull request in your repo. Your tests run first. You click Merge when ready.
§ 03 · Your part

What you have to do — basically nothing.

You connect us once. We do the rest in the background. The only time you'll touch anything is when you click "Merge" on a fix.

ONCE · 60 SECONDS
Connected to github.com/you
Watching your-app
   that's it — done

Connect VibeDefend to your app.

Click Install on GitHub, pick which apps you want us to watch, done. We never see anything you didn't pick.

WHEN WE FIND SOMETHING
2 min ago · in your repo
Hey, your Supabase key
   is showing in your app.

We send you a plain-English message.

You'll see a message in your repo that says "here's what's wrong, here's what could happen, here's the fix." Written like a human, not a security report.

YOU DECIDE
Your tests passed
Fix already written
   [ Merge ]

Click "Merge" if you want the fix.

Or don't — nothing in your app changes until you approve it. Your tests run first, so you'll know if anything breaks before you decide.

§ 04 · Why this matters

The generator made you an app.
It didn't make it safe.

45%
of AI-generated code ships with at least one serious security issue.
Stanford 2025 · Snyk State of Open Source 2026

12k users
Supabase database with 12,000 users — secret key was hiding inside the app for anyone to grab.

Day one
Stripe secret key accidentally posted to a public GitHub repo on day 1 of a Lovable export.

$4.2k burned
OpenAI account drained over a weekend after a leaked key was found by a bot.

!! flagged
Trend Micro · March 2026 issued an industry warning about vibe-coded apps leaking secrets.
§ 05 · The field guide

The stuff that actually gets indie founders in trouble.

30+ curated rules tuned for Lovable, Replit, Bolt, and v0 templates. Updated weekly as new patterns surface.

critical · Exposed API keys

Supabase, Stripe, OpenAI, Anthropic, AWS keys hiding in your client bundle.

    createClient(url, "sk_live_AbcD...")
Frequency · ~80%
critical · Open databases (RLS off)

Supabase tables with Row-Level Security off. Anyone on the internet can read everything.

    ALTER TABLE users DISABLE ROW LEVEL SECURITY;
Frequency · ~60%
high · Missing auth checks

API routes anyone on the internet can call without a session.

    export async function GET(req) {
      // no auth check
      return users
    }
Frequency · ~45%
high · XSS via dangerouslySetInnerHTML

User input lands in your HTML unescaped — comment, bio, username.

    <div dangerouslySetInnerHTML={{
       __html: userBio }} />
Frequency · ~30%
medium · CORS wildcards

Allow-Origin: * + credentials = any site can act as your user.

    cors({ origin: '*', credentials: true })
Frequency · ~25%
critical · Committed .env files

Secrets pushed straight to GitHub. Deleting the file afterwards doesn't help on its own — git history keeps everything.

    # .env (committed)
    STRIPE_SECRET_KEY=sk_live_xxx
Frequency · ~20%
medium · Logged auth tokens

Auth tokens printed in the production browser console. Visible to dev tools, extensions, bots.

    console.log("token:", jwtToken)
Frequency · ~35%
+20 more · And 20+ more rules

Open redirects, prototype pollution, regex DoS, vulnerable deps, missing CSRF, SQL injection via raw queries.

    // curated for Lovable, Replit,
    // Bolt, v0 — updated weekly
Coverage · varies

Rules are tuned for your stack — not generic enterprise noise. Don't see one you'd want? Tell us.
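As an added example (not VibeDefend's own scanner), here is a small rule-based scan of the kind the field guide describes: one rule per pattern listed above, run over a constructed repo snapshot. The Supabase-style JWT, the Stripe key and the file contents are all fabricated for the example.

```javascript
// Added example (not VibeDefend's scanner): a small rule-based scan of the kind the
// field guide describes, run over a constructed repo snapshot. All keys are fabricated.
const FAKE_SERVICE_ROLE_JWT = 'eyJhbGciOiJIUzI1NiJ9.' +            // fake JWT, payload role=service_role
  Buffer.from(JSON.stringify({ role: 'service_role' })).toString('base64url') + '.fakesig';

function findJwts(text) {
  return text.match(/eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g) || [];
}

function isServiceRoleJwt(token) {
  try { // decode the payload only; no signature check is needed to classify which key this is
    const payload = JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
    return payload.role === 'service_role';
  } catch { return false; }
}

// One rule per field-guide pattern; each sees the file path and its contents.
const RULES = [
  { id: 'exposed-stripe-live-key', severity: 'critical',
    test: (path, text) => /sk_live_[A-Za-z0-9]{8,}/.test(text) },
  { id: 'supabase-service-role-in-client', severity: 'critical',     // service key in browser code
    test: (path, text) => /^src\//.test(path) && findJwts(text).some(isServiceRoleJwt) },
  { id: 'committed-env-file', severity: 'critical',                   // .env.example is fine
    test: (path) => /(^|\/)\.env(\.|$)/.test(path) && !/\.example$/.test(path) },
  { id: 'cors-wildcard-with-credentials', severity: 'medium',
    test: (path, text) => /origin:\s*['"]\*['"]/.test(text) && /credentials:\s*true/.test(text) },
  { id: 'dangerously-set-inner-html', severity: 'high',
    test: (path, text) => /dangerouslySetInnerHTML/.test(text) },
  { id: 'logged-auth-token', severity: 'medium',
    test: (path, text) => /console\.log\([^)]*(token|jwt)/i.test(text) },
];
// Run every rule over every file; findings carry path, rule id and severity.
function scanRepo(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    for (const rule of RULES) {
      if (rule.test(path, text)) findings.push({ path, id: rule.id, severity: rule.severity });
    }
  }
  return findings;
}
// Constructed repo snapshot: one instance of each pattern plus a safe .env.example.
const SAMPLE_REPO = {
  'src/lib/supabase.ts': `export const supabase = createClient("https://abc.supabase.co", "${FAKE_SERVICE_ROLE_JWT}")`,
  'server/index.js': "app.use(cors({ origin: '*', credentials: true }))\nconsole.log('token:', jwtToken)",
  '.env': 'STRIPE_SECRET_KEY=sk_live_FAKEFAKEFAKE1234',
  'src/Profile.tsx': '<div dangerouslySetInnerHTML={{ __html: userBio }} />',
  '.env.example': 'STRIPE_SECRET_KEY=',
};
console.table(scanRepo(SAMPLE_REPO));
```

The service-role rule decodes the JWT payload rather than matching on a prefix, because Supabase anon and service-role keys look identical until you read the `role` claim.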

§ 06 · Us vs them

Built for vibe-coders.
Not for security teams.

                   VibeDefend                       Snyk · Semgrep · GitGuardian
Output             Reads like a human wrote it      CVSS · CVEs · JSON
Fix delivery       Opens the fix PR for you         Reports only
Pricing            Per project · $19/mo             $25–40 per dev
Setup time         2 minutes                        Hours of YAML
Tuned for          Lovable / Replit / Bolt / v0     Generic enterprise
§ 07 · Pricing

Pay per project — not per developer.

Free first scan, top-3 findings shown to free tier. No auto-fix without a paid plan.

Starter
$19
per project · per month

For one app you actually care about.

  • 1 project
  • Scans on every push
  • Auto-fix pull requests
  • Email alerts
Start free scan →
Agency
$149
per month · flat

For builders shipping for clients.

  • Up to 5 projects
  • White-label PR comments
  • Team seats
  • Priority support
Talk to us →

Free forever · scan + top 3 findings · no auto-fix   ·   Annual prepay saves 20%

§ 08 · FAQ

What people actually ask.

Will VibeDefend break my app?

No. Every patch must pass our scanner on the patched code before we open a PR. PRs are opened as drafts — your CI runs first. You merge, we don't.

Does it work if I didn't use Lovable, Replit, Bolt, or v0?

Yes, but our rules are tuned for those stacks first. Plain Next.js + Supabase still gets value. A 200-file Rails monolith — not our target user yet.

Can I scan private repos?

Yes, including on the free tier (1 repo). We never persist your code beyond a single scan — clone, scan, delete.

Do you train models on my code?

No. We send snippets to Anthropic's Claude API to generate explanations and patches. Anthropic does not train on API traffic — your code never lands in a training set via us.

What if a finding is wrong?

Reply /vd false-positive on the PR. We use it to tune our rules. Keeping false positives below 5% is a hard product goal.

What if Lovable / Replit / Bolt build this themselves?

Possible. We're shipping first, getting good at this, and earning the brand with the persona. Worst case — you got a free year of scans while it lasted.

Find out what's in your repo.

Two minutes · No credit card · Free first scan

Install on GitHub