Best security scanners for vibe-coded apps

ZAP is the long-standing open-source DAST tool: point it at a running app and it spiders the site, fuzzes inputs and flags classic web vulnerabilities (injection, XSS, misconfigurations). The automated scan is a solid free baseline; the intercepting proxy lets you inspect and replay requests by hand when you want to dig in.

It’s generic rather than BaaS-aware, and the active scan can be noisy, so run it against staging or with care. But for a free, scriptable, CI-friendly scanner, nothing else open-source matches its breadth.

• Completely free and open source, with a CI-friendly baseline scan.
• Intercepting proxy is excellent for manual investigation.

A lot of risk in a vibe-coded app isn’t the prompt — it’s the dozens of npm packages the builder pulled in. Snyk scans your dependencies for known CVEs, your own code for risky patterns (SAST), and your containers and IaC, then opens fix PRs that bump to a safe version. It plugs into GitHub and your CI so it runs on every push.

It complements a runtime scanner rather than replacing one: Snyk sees your supply chain and source, a DAST tool sees the deployed behaviour. Run both.

• Automated fix pull requests for vulnerable dependencies.
• Catches supply-chain risk a runtime scan can’t see.

Secrets sprawl is the signature vibe-coding mistake: a Stripe sk_live_, a Supabase service_role or an SMTP password prefixed VITE_/NEXT_PUBLIC_ and shipped to every visitor, or committed straight into git history. GitGuardian monitors repositories and alerts on leaked credentials in real time; TruffleHog is an open-source scanner that walks code and history hunting for high-entropy strings and known key shapes — and can verify whether a found key is still live.

Pair one of these with a scanner that reads your deployed bundle. A secret can leak in the repo, in the build output, or both, and you want eyes on each path.

• TruffleHog can verify whether a leaked key is still active.
• GitGuardian watches history and new commits continuously.

Missing Content-Security-Policy, HSTS and X-Frame-Options are almost universal on freshly-shipped apps, and they’re the difference between a contained bug and a full account takeover. Both of these tools take a URL and return a letter grade with a checklist of exactly which headers to add — a thirty-second sanity check you can run before anything else.

They only see headers and TLS, so they’re a complement to a full scan rather than a substitute. But they’re free, instant, and the fixes are usually a few lines of config.

• Letter-grade output with a precise, copy-pasteable fix list.
• No signup — paste a URL and read the result.

If your app runs on Supabase, the dashboard already ships a security advisor that flags tables with Row-Level Security disabled, overly-permissive policies and exposed extensions. It’s the fastest way to catch the single most common critical issue in vibe-coded apps — a public table behind a public key — right where you’d fix it.

It checks configuration from the inside, so it won’t tell you whether an attacker can actually read data from outside (that’s what an external probe is for). Use it as your first stop, then confirm from an anonymous client.

• Lives in the dashboard, next to where you enable RLS.
• Flags the exact tables and policies that need attention.