{"slug": "what-a-vibe-coding-security-scanner-can-and-cannot-tell-you", "title": "What a Vibe Coding Security Scanner Can (and Cannot) Tell You", "summary": "A developer discusses the capabilities and limitations of public security scanners for AI-built applications. The scanner can check deployed resources for missing headers, exposed source maps, and leaked secrets, but cannot assess authentication, authorization, or business logic. The developer recommends combining public scanning with source review, dependency scanning, and authenticated assessment for comprehensive security.", "body_md": "AI-assisted builders can take an idea from prompt to production in a weekend. That speed is useful, but it also compresses the part of the process where someone normally reviews deployment settings, browser-visible secrets, authorization boundaries, and recovery plans.\n\nA public security scanner is a good first pass for that problem. It is also easy to misunderstand. A clean public scan does not mean an application is secure, and a warning does not always mean a vulnerability is exploitable.\n\nThe useful question is not “Did the scanner pass my app?” It is “What evidence could this scanner actually observe?”\n\nA passive scanner can request the same resources that a normal visitor can reach. Depending on its scope, it may inspect:\n\nThese checks are valuable because they test the deployed result, not the configuration you intended to ship.\n\nFor example, a repository may contain a CSP configuration while the CDN response does not. A source map may be disabled in one build configuration but still appear in production. A key may be stored safely on the server in most code paths while one client bundle accidentally contains a privileged token.\n\nThe deployed surface is where those mistakes become observable.\n\nA public URL cannot reveal every control behind an application. Source review or SAST can inspect code paths, configuration, data flow, and dangerous implementation patterns that never appear in a normal response.\n\nThis is where you can answer questions such as:\n\nPublic scanning and source review are complementary. One checks what actually shipped; the other checks logic that may not be externally visible.\n\nDependency scanners answer a different question again. They compare package manifests, lockfiles, containers, or software bills of materials against known vulnerability data.\n\nThat can identify a vulnerable library version, but it cannot prove that your custom authorization is correct or that your CDN is serving the headers you expected.\n\nFor AI-built applications, it is worth combining dependency scanning with a manual review of newly introduced packages. Generated code can add unnecessary libraries, outdated examples, or packages whose names were never verified.\n\nGitHub’s documentation on [secret scanning](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning) and the [OWASP Secure Coding with AI Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Secure_Coding_with_AI_Cheat_Sheet.html) are useful starting points.\n\nThe deepest application risks often require test accounts and an agreed scope.\n\nAn authenticated assessment can compare user roles, tenant boundaries, protected workflows, payment states, and business-logic behavior. A public scanner should not attempt to log in, submit forms, bypass access controls, or simulate exploits without explicit authorization.\n\nIf your application handles payments, health information, private customer data, or privileged workflows, this layer is not optional.\n\nThis means an important browser-side mitigation was missing from the checked response. It does not prove that cross-site scripting is present.\n\nThe next step is to inventory required scripts, styles, frames, and connections, then introduce a restrictive policy in report-only mode before enforcement. Mozilla’s [HTTP Observatory](https://developer.mozilla.org/en-US/observatory) is also useful for reviewing header posture.\n\nA production source map can reveal original file names, source structure, and implementation details. That is an exposure signal, not automatically a security vulnerability.\n\nIf the map is not required publicly, disable it or upload it privately to your error-monitoring service.\n\nSome browser keys are intentionally public. Others, including service-role tokens and private credentials, are not.\n\nA scanner can identify and redact the pattern, but a human still needs to confirm the provider and privilege level. If the credential is private, rotate it and move it behind a server-side boundary.\n\nFor a small AI-built application, a reasonable minimum process is:\n\nI built [Check My Vibe](https://checkmyvibeapp.com/) as a free, no-account implementation of the first step. It checks a deliberately limited public surface and keeps its automated result separate from a 36-point manual checklist. It does not claim to replace source review, authenticated testing, or a professional assessment.\n\nThat boundary is the main thing I want builders to take away: security tools are most useful when their evidence and limitations are explicit.\n\nA scanner is a starting signal. A secure release still requires human judgment across the layers the scanner cannot see.", "url": "https://wpnews.pro/news/what-a-vibe-coding-security-scanner-can-and-cannot-tell-you", "canonical_source": "https://dev.to/checkmyvibe/what-a-vibe-coding-security-scanner-can-and-cannot-tell-you-l72", "published_at": "2026-07-15 06:38:46+00:00", "updated_at": "2026-07-15 07:00:27.567329+00:00", "lang": "en", "topics": ["ai-safety", "developer-tools"], "entities": ["GitHub", "OWASP", "Mozilla", "HTTP Observatory"], "alternates": {"html": "https://wpnews.pro/news/what-a-vibe-coding-security-scanner-can-and-cannot-tell-you", "markdown": "https://wpnews.pro/news/what-a-vibe-coding-security-scanner-can-and-cannot-tell-you.md", "text": "https://wpnews.pro/news/what-a-vibe-coding-security-scanner-can-and-cannot-tell-you.txt", "jsonld": "https://wpnews.pro/news/what-a-vibe-coding-security-scanner-can-and-cannot-tell-you.jsonld"}}