built a security scanner for ai generated code

built a security scanner for ai generated code

been using cursor and bolt for months. the code ships fast but the security is a disaster hardcoded api keys, prompt injection, broken access control ai tools dont care about this stuff so i built syntrixlab it scans ai generated apps for

prompt injection

leaked secrets

owasp llm top 10

broken access control

9 scanner engines, 113 checks, 0 false positives waitlist just opened - www.syntrixlab.in would love brutal feedback from anyone who builds with ai tools. what security issues have you hit?

u/Dizzy_Date1873 — 3 days ago

AnyBody Wants to try vulnerability Finder Saas and this not a regular this SOC level Scanner

In this era of AI we can ship faster then anything we can ship a full product in just 24 hours but we forgetting about security this 2026 till now there nearly half of all AI-generated code contains vulnerabilities, with recent data breaches exposing sensitive records due to exposed API keys and missing authentication

ibm.com
u/Dizzy_Date1873 — 12 days ago
▲ 3 r/AIAppInnovation+2 crossposts

Looking for vibe coders

I have recently been working on a vibe coding vulnerability scanner, and for the starting, I am looking for beta user, my scanner is specially designed for finding security vulnerabilities, especially for only vibe coding vulnerability and here you can test your ai agent and git repo , web application, and mobile APK file and Supabase RLS SECURITY

Is there anyone who wants to join the beta program? We are offering 3 MONTHS OF SUBSCRIPTION

u/Dizzy_Date1873 — 13 days ago
▲ 1 r/vibecodingcommunity+1 crossposts

my post got deleted at 86K views. here's what was happening behind the scenes while it was live

so reddit took down my post this morning

86K views. gone.

i'm not even mad honestly because what happened in the dms while it was live was more interesting than the post itself let me tell you what actually went down

first the guy with 96 vulnerabilities

someone dropped their live website in the comments

i scanned it

96 findings

i dmed them last night

"there are so many vulnerable things in your code. total 96 findings. your API keys are exposed and so many other common vulnerabilities"

they replied asking what some of them were

and i just sat there thinking — this is a real product. real users. and the person who built it had no idea.

then there was this guy

someone named u/Khamubro dropped like 12 github repos in my dms

open source projects. all built with AI. genuinely interesting stuff.

i asked him — did you write all this yourself or with AI

he said

"i can't code a line myself. i have dyscalculia so symbolic notation and syntax are difficult for me. it's all written by AI. i just engineer the constraints and specs and then iterate"

i actually respected that a lot

then i looked at his first repo

found his commit ID exposed and referenced 5 times across the codebase

he replied "oh no >_<"

and there was someone who wanted a security report

another person dmed asking about their web app

i told them i found basic vulnerabilities and would send a developer report

they were genuinely curious. asked me to just tell them what i found.

this happened over and over again in 20+ conversations yesterday

real builders. real products. real vulnerabilities.

none of them knew.

here's what i learned from 86K views and 20+ dms in one day

everyone is shipping

nobody is checking

the AI writes the code confidently

the builder ships it proudly

and somewhere out there someone with bad intentions is having a very easy day

the post got deleted but the problem didn't

drop your repo or site below and i'll take a look 👇

and yes i'm still sending that report to u/Personal_You3422 and looking at those repos u/Khamubro — give me a day

build fast. just don't ship naked 🔴

u/Dizzy_Date1873 — 19 days ago

i spent yesterday hacking your websites lol. here's what i found

so yesterday i made a post asking you guys to drop your vibe coded projects so i could have a look

didn't think that many people would actually send them ngl 😭

anyway i went through all of them and bro i kept seeing the same stuff on almost every single site so i had to make this post

rate limiting bro PLEASE

this was on literally every website i checked

like ALL of them. only one site had it. one.

if you have a contact form or a signup page with no rate limiting anyone can just spam it endlessly

they will burn through your email credits drain your AI tokens run up your bills and you won't even know until you wake up and check your dashboard 💀

some of you are thinking ok i'll just limit by email

nah that doesn't work

there are tools that can change the email on every single request automatically. i bypassed that in like 2 minutes

rate limit by IP. not email. IP.

no email verification after signup???

if you don't verify emails after signup anyone can create an account with anyone else's email

just add it. takes like 20 minutes to implement.

your API keys are just sitting there

open inspect element. go to sources. search for key or secret or supabase or openai

if you can see your keys there so can everyone else

and they can use them however they want. and YOU get the bill 💀

i'm only just getting into cybersecurity. i'm not some elite hacker

i did this just to practice and have fun and honestly loved it

but if i'm finding all this as a beginner in 10 minutes just think about what someone actually malicious could do

thanks to everyone who let me poke around your projects fr 🙏

build fast. just don't ship naked

reddit.com
u/Dizzy_Date1873 — 20 days ago
▲ 1 r/AppBusiness+1 crossposts

I let Claude vibe code my entire SaaS backend. Then I read what it actually wrote.

Been building with Cursor for the last 3 months.

Shipped fast. Everything worked. Felt great.

Then I got bored one night and actually read

through the code it generated.

Some things I found:

My entire database was queryable by anyone with

my Supabase anon key. RLS was disabled on 6 tables.

I disabled it myself during prototyping because

Cursor told me to "to fix the permissions error."

Never turned it back on.

req.body was being passed directly into

db.user.update() on my profile endpoint.

Meaning anyone could send { "isAdmin": true }

and it would just... work.

3 API routes had zero auth middleware.

The dashboard redirected you to /login if you

weren't logged in. The actual API behind it

did not care at all.

My OpenAI key was in a file that had been

committed to git 47 days ago. I had since

moved it to .env. The commit history

still had it.

None of this was Cursor's fault honestly.

It wrote exactly what I asked for.

I asked for a working profile update endpoint.

It gave me one. I never said "make it secure."

The problem is we're shipping production apps

the same way we build demos. Fast, iterative,

"fix the error" driven. Security doesn't

show up as an error until someone exploits it.

Checked my Supabase logs out of curiosity.

Two IPs I didn't recognize had queried my

users table directly via the REST API.

Nothing was taken as far as I can tell.

But they were in there.

Anyway. Go read your AI-generated code tonight.

Specifically look for:

- Any .from('table').select('*') without

a .eq('user_id', x) filter

- Any route.ts files that don't start with

const { userId } = await auth()

- Any db.update() that receives req.body directly

- Your git log for anything that looks like a key

Not trying to scare anyone. Just sharing what

I found when I actually looked.

We move fast. Worth checking what we left unlocked.

reddit.com
u/Dizzy_Date1873 — 21 days ago