Question 1

What does VibeScan check?

Accepted Answer

VibeScan checks for exposed API keys and secrets in client-side JavaScript, misconfigured Supabase Row Level Security policies, missing or weak HTTP security headers, insecure authentication patterns, known CVEs in npm dependencies via OSV, and email security (SPF and DMARC). It scans the public surface of your deployed app without requiring GitHub access.

Question 2

Do I need to give VibeScan access to my GitHub repository?

Accepted Answer

No. VibeScan scans the public surface of your deployed app — the same URLs and JavaScript bundles an attacker would see. You paste your app URL and check a box confirming you own it. No OAuth, no repository access, no code upload.

Question 3

What AI-built app platforms does VibeScan support?

Accepted Answer

VibeScan works with apps built using any AI coding tool including Lovable, Bolt, Cursor, Claude, v0, Replit, and Windsurf. It also works with hand-written apps. If your app runs on a public URL with a Supabase backend, VibeScan can check its security surface.

Question 4

How long does a VibeScan security scan take?

Accepted Answer

A free URL scan completes in about 30 seconds. The scan fetches your app, inspects the JavaScript bundle for exposed secrets, probes your Supabase public surface, and checks HTTP response headers — all in parallel.

Question 5

Is VibeScan free?

Accepted Answer

The URL scan is free with no account required. It returns a prioritized list of findings. A paid report ($9) includes fix prompts you can paste back into your AI builder, detailed remediation steps, and the ability to re-scan after fixing issues.

Is your AI-built appactually secure?

Live URL scan

Traditional scanners

VibeScan URL Scan