About
The proof layer between vibe-coded software and the real world.
VibeAudit (vibeaudit.ca) exists because AI-built apps ship faster than trust does. Founders build with Lovable, Cursor, Bolt, Replit, v0, and Claude Code in a weekend - then launch to real users with no way to show what was actually checked. VibeAudit turns that gap into something you can hold: a scan you can act on, a record you can sign, and a badge anyone can verify.
What VibeAudit is
Thorough Scan
Paste a public URL you are authorized to test. VibeAudit checks the deployed external surface - headers, CORS behavior, served secret-shaped strings, sensitive paths, cookie flags, TLS state, and browser-observed route metadata - with optional authorized probes.
Launch Files
A tamper-evident, cryptographically signed record of what you built and shipped, generated from redacted structural facts.
Supply-Chain Watch
Continuous monitoring of your dependencies against public advisory and malicious-package feeds. We email you the day a package you ship goes known-bad.
Launch Security Passes
A signed, shareable badge anyone can independently verify. Not a claim of being unhackable - a verifiable record of what was checked and when.
What the engine actually is
The scanner is deterministic: OpenGrep-based structural and dataflow analysis, dependency and lockfile inventory matched against public advisory feeds (OSV, GHSA), and light HTTP probes against surfaces you authorize. It is not an AI model, and we do not describe it as AI-powered. The AI-fix prompts in Launch Pass are pre-written prompts you paste into your own coding agent - Cursor, Claude Code, Lovable - to apply the fixes.
How we report results
Honesty is the product. Findings carry scope labels for what was actually observed. A clean result is reported as Clear in Verified Scope- never "secure", never "vulnerability-free". Surfaces we could not check are labeled Security Unverified. A VibeAudit result is launch evidence for a verified scope, not a penetration test and not a warranty.
Privacy stance
We do not want your source code. URL scans check your deployed public surface. Browser and CLI intake read code locally and export only redacted structural facts - paths, sizes, detector labels, line numbers - never raw source, snippets, or secret values. The site itself runs no third-party analytics.
Who is behind it
VibeAudit is independent and founder-run, built in Canada - which is also why prices are listed in both USD and CAD. Questions, findings disputes, or security reports: paul@vibeaudit.ca.
A note on the name: several unrelated products use names similar to ours. This VibeAudit lives at vibeaudit.ca, and everything we publish links back here. Launch Security Passes issued by us verify at vibeaudit.ca/verify - if a badge does not verify there, it is not ours.
