GetVouch — Security Scanner for AI-Generated and Human-Written Code
NOW SCANNING: Supabase RLS — the #1 Lovable vulnerability
v1.6.0 · Supply Chain Attack detection
Audit anything. Fix everything.
Security scanning for AI-generated code, freelance projects, and indie products. Nine domains. Twenty-five secret patterns. Every finding ships with a copy-paste fix prompt for your AI tool.
Scan →
Try: lovable/example-app, vercel/next.js, getvouch-ai/vouch-cli
Got questions about your findings?
I’m Sufiyan — built GetVouch, ex-SOC analyst. DM me on X if you want help fixing any of these, or want a deeper review.
@its_sj13
24 security checks · 25 secret patterns · GitHub repos + live URLs · 0 accounts
GetVouch Security Report
$ scan https://github.com/lovable/example-app
Scanned in 2.3s · 47 files analyzed
VIBE SCORE 72
HIGH: OpenAI API key exposed
HIGH: Missing CORS validation
HIGH: IDOR in /api/users
DETECTS PATTERNS FROM 25+ PROVIDERS
OpenAI, Stripe, AWS, Firebase, MongoDB, Slack, GitHub, SendGrid, Anthropic, Twilio, Supabase, Vercel, Cloudflare, Discord, PayPal
WATCH IT WORK
From repo to security report in 60 seconds.
No upload. No OAuth. No account. Watch a real scan happen.
GetVouch Scanner
Security Assessment
VIBE SCORE 72
Severity levels: Critical, High, Medium, Low
OpenAI API key in src/config.js:14
Missing CORS validation
IDOR in /api/users/[id]
AI FIX PROMPT
SECURITY FIX NEEDED — OpenAI API key found at src/config.js line 14
Step 1 — Revoke this key at: platform.openai.com/api-keys
Step 2 — Add to .env: OPENAI_API_KEY=your_new_key
Paste into Lovable, Cursor, Bolt, Replit, or Claude Code
23 SECURITY CHECKS
We catch what your AI tool ships.
Every scan covers 24 checks across GitHub repos and live URLs. Every finding includes a fix prompt for your AI tool.
GitHub Repository Scanning
Exposed Secrets
Detects 25 key types: OpenAI, Stripe, AWS, Firebase, JWT, private keys, and more.
OPENAI_API_KEY = "sk-proj-aB3..." // ⚠ exposed
Client-Side Auth
Catches auth checks that run only in the browser — bypassable in 5 seconds with DevTools.
if (user.isAdmin) { // ⚠ trust the client?
SQL Injection
Finds raw SQL string concatenation with user input — the oldest trick in the book, still common.
"SELECT * FROM users WHERE id=" + req.id
CORS Misconfiguration
Spots wildcard origins and credentials misuse — the silent backdoor of most APIs.
cors({ origin: "*", credentials: true })
Environment Safety
Confirms .env files are properly gitignored and secrets aren’t committed to your repo history.
.env // ⚠ not in .gitignore
Input Validation
Identifies endpoints accepting user input without schema validation — the entry point for most attacks.
app.post("/api", (req) => save(req.body))
IDOR Vulnerabilities
Catches code that fetches resources by user-controlled ID without authorization checks.
User.findById(req.params.id)
Dependency Issues
Flags localhost URLs, hardcoded paths, and config that breaks the moment you ship to production.
fetch("http://localhost:3000/api")
Outdated Packages
Scans package.json for known-vulnerable versions and suggests safer alternatives.
"lodash": "^4.17.15" // 17 known CVEs
Supply Chain Attacks
Checks dependencies against published lists of packages compromised in the 2025–2026 npm supply chain attacks (Shai-Hulud, chalk/debug, Mini Shai-Hulud, Nx). Updated weekly.
[email protected] ⚠ compromised — qix phish, Sept 2025
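The repository checks above are pattern matches over source lines. The following is an added illustration, not GetVouch's own scanner: a minimal line-oriented scanner with hand-written rules for four of those checks (exposed OpenAI-style key, wildcard CORS with credentials, raw SQL concatenation, localhost URL), run over a constructed sample file. The rule regexes and the sample key are assumptions made for this example.

```javascript
// Added example, not GetVouch's own code: a minimal line scanner with
// approximations of four repository checks described on this page.
const RULES = [
  {
    id: "exposed-secret",
    severity: "HIGH",
    // OpenAI-style key: "sk-" or "sk-proj-" prefix followed by a long run
    test: (line) => /sk-(proj-)?[A-Za-z0-9_-]{20,}/.test(line),
  },
  {
    id: "cors-wildcard-credentials",
    severity: "HIGH",
    // wildcard origin combined with credentials on the same line
    test: (line) => /origin:\s*["']\*["']/.test(line) && /credentials:\s*true/.test(line),
  },
  {
    id: "sql-concatenation",
    severity: "HIGH",
    // a SQL keyword inside a string literal concatenated with a variable
    test: (line) => /["'`][^"'`]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"'`]*["'`]\s*\+\s*\w/i.test(line),
  },
  {
    id: "localhost-url",
    severity: "MEDIUM",
    // hardcoded dev URL that breaks in production
    test: (line) => /https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?/.test(line),
  },
];

// Scan a whole source file; returns one finding per (rule, line) hit.
function scanSource(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    for (const rule of RULES) {
      if (rule.test(line)) {
        findings.push({ rule: rule.id, severity: rule.severity, line: idx + 1 });
      }
    }
  });
  return findings;
}

// Constructed sample file; the key is a made-up placeholder, not a real credential.
const SAMPLE = [
  'const OPENAI_API_KEY = "sk-proj-aB3xxxxxxxxxxxxxxxxxxxxxxxx";',
  'app.use(cors({ origin: "*", credentials: true }));',
  'const q = "SELECT * FROM users WHERE id=" + req.query.id;',
  'const base = process.env.API_URL || "http://localhost:3000/api";',
  'const safeKey = process.env.OPENAI_API_KEY; // read from .env, not flagged',
].join("\n");

const report = scanSource(SAMPLE);
console.log(report);
```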
Live URL Scanning
Security Headers
Flags absent security headers that leave browsers without CSP, HSTS, and frame protection directives.
Content-Security-Policy: absent // ⚠ no CSP
Information Disclosure
Detects version strings in HTTP headers that help attackers fingerprint your stack.
X-Powered-By: Express 4.18.2 // ⚠ leaked
SSL / TLS
Verifies HTTPS is active and the TLS certificate is valid and not nearing expiry.
cert expires in 3 days // ⚠ renew immediately
Exposed Sensitive Files
Probes 15 common paths for .env, .git, and database files accessible to the public.
/.env → HTTP 200 // ⚠ publicly readable
Secrets in Source
Runs 25 secret patterns against your live page HTML and every linked JavaScript bundle.
apiKey: "sk-proj-..." // ⚠ in bundle.js
Supabase RLS
Finds Supabase credentials in source and tests whether unauthenticated queries return real data.
unauthenticated SELECT returned 42 rows ⚠
CORS Live Test
Sends a hostile Origin to discovered API paths and flags wildcard or reflected CORS responses.
Access-Control-Allow-Origin: * // ⚠
Exposed Admin Paths
Checks common admin, debug, and API-docs endpoints for unauthenticated HTTP 200 responses.
/admin → HTTP 200 // ⚠...