Security audit for AI-coded apps. Claude Code, Codex, Cursor.

security scanner for apps written by ai agents. claude code, codex, cursor agent mode, aider. 124 patterns. 60 seconds. owasp top 10 + llm top 10. the fix, one click.

your code
looks fine.

scroll

it isn't.

claude code wrote it in your terminal.
you accepted every diff.

you asked the agent if it was secure and it said yes.

it said yes because you wanted a yes.

we looked inside
100+ vibe-coded apps.

all of them had the same three wounds. rls wide open. secrets in the client. prompts anyone can hijack.

this is your app.

every dot, a function. every line, a call. every color, a wound.

[CRITICAL] supabase rls disabled on users table
[CRITICAL] openai_api_key exposed in /api/chat response
[CRITICAL] stripe webhook accepts unsigned payloads
[HIGH ] no rate limit on /api/generate
[HIGH ] auth cookie not httpOnly
[HIGH ] user_id trusted from client payload
[MED ] error messages leak stack traces
[MED ] no csrf protection on mutations

14 critical.
37 high.
82 medium.

this is from the last 100 audits. yours will vary. not by much.

now you know
what's breathing.

knowing is 80% of fixing. the other 20% you apply as a PR in one click. Claude writes it.

38
pages of your repo
140
wounds mapped
5–7 d
scan complete

want to see yours?

run a free scan talk to us first

free scan, 60 seconds, no card. €59/month the day you want the fixes.

Narrative transcript

Act 1 — Arrival. Your code looks fine.

Act 2 — Recognition. It is not. You built it with Lovable. You shipped it to Stripe. There is something breathing in your code. Most of it is harmless. Some of it will cost you money.

Act 3 — Fracture. We looked inside 100 plus vibe-coded apps. Every single one had the same three wounds. RLS misconfigured. Secrets in client. Prompts you can hijack.

Act 4 — Revelation. This is your app. Every dot is a function. Every line is a call. Every color, a finding.

Act 5 — Diagnosis. Fourteen critical. Thirty-seven high. Eighty-two medium. This is from the last one hundred audits. Yours will differ — but not by much.

Act 6 — Healing. Now you know what is breathing. Knowing is eighty percent of fixing. We deliver the map. We can also walk you through the repair.

Act 7 — Decision. Ready to see yours? Run a free scan first. The plan starts at fifty-nine euros a month and you cancel anytime. Free scan shows the tip — no card, no signup.

// for devs shipping vibe-coded apps

Your app is in production.
Nobody has audited it.

You don't need another generic Snyk. You need to know what's broken in WHAT YOU JUST SHIPPED with Claude Code, Cursor, Codex or Lovable. That's what we scan.

SCAN MY REPO See the benchmark vs Semgrep

60 seconds · 124 patterns · OWASP Top 10 + LLM Top 10 · auto-fix as Pull Request

No signup. 32s avg. Where Semgrep finds 0, we find 10.

three things we don't do

[01]

this isn't pentesting.

if what you want is a three-week red team with a guy in a hoodie, we'll send you elsewhere — straight to your face, and for free.

[02]

we don't promise "secure forever".

code rots. yours, mine, google's. our job is to show you what's broken today and ping you the day it breaks again tomorrow. the rest is marketing.

[03]

we don't speak compliance.

no soc 2, no iso, no investor-deck tab. we speak rls, webhooks, api keys and prompt injection — and the exact line where your agent forgot to validate input. leave the rest to the consultancy that bills by the folder.

what we audit

six places your app is
already bleeding. 124 patterns watching every one.

  • rls disabled on users / profiles / subscriptions
  • service_role key shipped in the client bundle
  • role claims read from JWT without verifying signature
  • NEXT_PUBLIC_ prefix on keys that must stay server-only
  • provider keys echoed back in error bodies
  • old commits with rotated-but-not-revoked secrets
  • raw user input concatenated into system prompts
  • no budget cap on /api/ai — one bot drains your account
  • tool-use responses leak internal ids
  • webhook accepts unsigned payloads (anyone grants access)
  • no idempotency key — double charge or double entitlement
  • race between checkout.completed and subscription.updated
  • server actions trusting client-shaped payloads
  • raw sql concatenation in edge functions
  • user markdown rendered without sanitization
  • no rate limit on /api/ai = uncapped invoice
  • stack traces returned to anonymous clients
  • no alerts on 5xx spikes or key rotation

how it works

four steps. zero theatre.

  1. ONE

    paste the repo url.

    public or private, doesn't matter. github app connected in one click. no meeting, no sales call, no forty-question intake form. this isn't private banking.

    time: 30 SEC

  2. TWO

    the eye opens it up.

    124 patterns running at once. owasp top 10 covered end to end (10/10). owasp llm top 10 covered end to end too (10/10) — direct and indirect prompt injection, mcp tool poisoning, langchain cve-2025-68664, rag poisoning, slopsquatting, sensitive info disclosure, misinformation, denial of wallet on llm endpoints, agent instruction file poisoning (.cursorrules / CLAUDE.md / AGENTS.md). everything your agent wrote without you reading it.

    time: 60 SEC

  3. THREE

    every wound with its fix beside it.

    file, line, snippet, severity, cwe — and a diff written by claude you apply as a pr in one click. don't get something? ask the ai concierge. 24/7. answers the way a friend would.

    time: INSTANT

  4. FOUR

    every commit, it looks again.

    you keep vibe-coding. we keep watching. every push, re-scanned. every pr you open, commented on its own. drift surfaces before it hurts. the eye doesn't blink.

    time: EVERY PUSH

public benchmark

where semgrep finds 0, we find 21.

vercel/ai-chatbot · reproducible benchmark · public data.

repoVCEyeSemgrepSnyk
vercel/ai-chatbot2102
ItzCrazyKns/Perplexica44115
OWASP/NodeGoat251527
juice-shop/juice-shop52254
vercel/commerce1114
supabase/supabase-js94122

vceye runs in 60 seconds. semgrep oss, snyk code and codeql are run with default rules on the same commits. last fresh run: 2026-04-28.

extended sample (april 2026): 25 random ai-coded repos, 4 scanners. vceye leads in 8 of 25 (32%) — highest win-rate. snyk wins on total volume by cve database breadth. codeant, gitar, greptile and korbit are pr-review bots — different category.

see full benchmark →

pricing

one plan.
every fix included.

free scan to look. €59/month to fix. no enterprise tier, no demo call, no "contact sales". leave the welfare-state vibe for another subscription.

free scan
0

no signup. no card.

see what's bleeding.

  • 60 seconds on any public repo
  • top 2 findings with severity and pattern id
  • 124 patterns · owasp top 10 (10/10) · owasp llm top 10 (10/10)
  • no line, no file, no fix
  • scan as much as you want. no limit.
run free scan
starter
19/ month

or €182/year. save €46.

one repo, line and proof. no auto-fix.

  • 1 repo with continuous monitoring
  • unlimited scans. file, line, and pattern id.
  • 124 patterns · owasp top 10 + llm top 10
  • see the fix as a diff (no auto-pr)
  • every commit reviewed via push webhook
  • ai concierge — 100 messages/month
  • leave whenever. no contract.
start €19/month
subscriptionthe one people buy
59/ month

or €566/year. save €142.

the bug that takes your business down, caught before you do.

  • up to 3 repos watched without lifting a finger.
  • unlimited audits. file, line, and the proof.
  • claude writes the fix. you just read.
  • the fix lands as a pr. one click, in.
  • every commit reviewed. you sleep, it scans.
  • every pr commented before anyone opens it.
  • your last 100 commits, gone through one by one.
  • the library about to blow up, flagged today.
  • user data, traced to where it ends up.
  • questions at 3am, ai answers right away.
  • leave whenever. no contract, no drama.
start €59/month
eu-based · gdpr-ready
scan in memory · logs purged in 24h
we never train on your code. ever.

questions

what founders
ask first.

Claude Code wrote it and I never read it. Do you really know what breaks in these agents?+

Yes. We've looked inside 100+ apps. Claude Code, Codex, Cursor agent mode, Aider. Every agent has its default patterns and its default footguns. How do you know? By looking. One by one. The scanner knows them one by one. There you go.

Will you judge my code?+

No. Look. Vibe-coded apps ship fast and fix later. That's the deal. The kind that looks down on you because "you should've known" — not our crowd. Our job is to tell you what's dangerous now. Plain language. No theatre.

Can't I just run Snyk or GitHub Dependabot?+

Look. In a public benchmark against Semgrep OSS, on vercel/ai-chatbot, we found 21. They found zero. Zero, seriously. You can reproduce it yourself. Why does that happen? Well, snyk and dependabot catch dependency cves, and not much more. The open rls, the api key in the client, the unsigned webhook, the prompt injection — they don't see it. That's where we live. Are we agreed? We are.

What if I don't have a real engineering team?+

Then you're our exact customer. Every finding comes with file, line, snippet and a diff written by claude. Click apply as pr and review the change. What's cwe-79? Ask the concierge and it answers the way a friend would, not the way an rfc would. You don't need a security background to act. You need a repo and the will to sleep at night.

Is this pentesting?+

No. Pentesting is a red-team engagement with explicit authorization and deep exploitation. This is production-readiness. The 20-30 patterns that break 70-80% of vibe-coded apps. Backed by 120 real patterns covering 10/10 OWASP Top 10 + 10/10 OWASP LLM Top 10 2025.

Will you sign an NDA?+

Yes. Standard mutual NDA, we send it. Also we don't store your code. Scans run in memory. Logs are purged in 24h. We never train on your code. Ever.

I fix things and new ones appear. What now?+

Nothing. Every commit you push gets re-scanned by itself. Every PR you open gets a comment before merge. New findings show up there, before they break anything. Drift is detected on its own as long as your subscription is alive.

How do I cancel?+

From billing. One click. Stays active until the end of the current period. No questions. No "before you go, look at this". The yearly plan can be refunded pro-rata in the first 14 days.

I need a human to actually fix something. Do you?+

Not as a standard tier. We kept the product simple on purpose. If you have a specific incident or want a senior to walk you through the report, write us. We figure it out case by case. Sometimes we say no — that with the plan you already have what you need. We're weird like that. A bit illiterate at upselling extras.

Do you actually catch the AI-specific attacks? Prompt injection and that.+

Yes. 20 patterns dedicated to the llm era. Direct prompt injection. Indirect, via scraped content. System prompt leakage. LangChain CVE-2025-68664 (CVSS 9.3, RCE). MCP tool poisoning from Invariant Labs. RAG poisoning. Slopsquatting of hallucinated packages. Sensitive info disclosure via unscoped agent tools. Misinformation when LLM output flows to DB or payments without verification. Denial of wallet on llm endpoints without rate-limit. And as of today: agent instruction file poisoning. If someone slips <IMPORTANT> into your .cursorrules or invisible characters into your CLAUDE.md, we see it. Nobody else covers that category. We invented it while we wait for owasp to add it. We cover 10 out of 10 in OWASP LLM Top 10 2025. The whole house.

you saw what it does.

now show us yours.

where Semgrep finds 0, we find 21. vercel/ai-chatbot. reproducible.

FREE SCAN SEE PRICING

60 seconds. no card. no signup. 124 patterns. owasp top 10 + llm top 10 covered. €59/month the day you want the fixes. or not. you'll keep vibe-coding either way, but you'll know what's breathing in there.