v1.4.0 · AI Fix Prompts shipping

Audit anything.
Fix everything.

Security scanning for AI-generated code, freelance projects, and indie products. Nine domains. Twenty-five secret patterns. Every finding ships with a copy-paste fix prompt for your AI tool.


9 security domains  ·  25 secret patterns  ·  0 accounts  ·  0 bytes leave your machine

GetVouch Security Report (sample)
$ scan https://github.com/lovable/example-app
Scanned in 2.3s · 47 files analyzed
Vibe Score: 72/100
  • HIGH  OpenAI API key exposed
  • HIGH  Missing CORS validation
  • HIGH  IDOR in /api/users
Each finding links to its AI Fix Prompt.

DETECTS PATTERNS FROM 25+ PROVIDERS

OpenAI · Stripe · AWS · Firebase · MongoDB · Slack · GitHub · SendGrid · Anthropic · Twilio · Supabase · Vercel · Cloudflare · Discord · PayPal

WATCH IT WORK

From repo to security report in 60 seconds.

No upload. No OAuth. No account. Watch a real scan happen.

GetVouch Scanner · Security Assessment (demo output)

Vibe Score: 72
Critical: 0 · High: 1 · Medium: 2 · Low: 0

Findings:
  • OpenAI API key in src/config.js:14
  • Missing CORS validation
  • IDOR in /api/users/[id]

AI Fix Prompt (for the first finding):
  SECURITY FIX NEEDED — OpenAI API key found at src/config.js line 14
  Step 1 — Revoke this key at: platform.openai.com/api-keys
  Step 2 — Add to .env: OPENAI_API_KEY=your_new_key

Paste into Lovable, Cursor, Bolt, Replit, or Claude Code.
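To show what a line-oriented scan of this kind looks like in practice, here is an added example in JavaScript (not GetVouch's own code) that flags a few of the patterns the report above lists over a constructed sample file; the rule names, regular expressions and sample lines are assumptions chosen for illustration.

```javascript
// Added example, not GetVouch's own code: a minimal line-oriented scanner for
// a few of the nine domains. Rule names, regexes and sample lines are assumptions.
const RULES = [
  { domain: "Exposed Secrets", severity: "HIGH",
    pattern: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}/ },
  { domain: "CORS Misconfiguration", severity: "HIGH",
    pattern: /origin:\s*["'`]\*["'`][^)]*credentials:\s*true/ },
  { domain: "SQL Injection", severity: "HIGH",
    pattern: /["'`]\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^"'`]*["'`]\s*\+/i },
  { domain: "IDOR Vulnerabilities", severity: "HIGH",
    pattern: /\.findById\(\s*req\.(?:params|query|body)\.\w+\s*\)/ },
  { domain: "Dependency Issues", severity: "MEDIUM",
    pattern: /https?:\/\/(?:localhost|127\.0\.0\.1)(?::\d+)?/ },
];

// Scan one file's text; findings carry 1-based line numbers so a fix prompt
// can point at "src/config.js line 14" the way the report above does.
function scanSource(path, source) {
  const findings = [];
  source.split("\n").forEach((text, index) => {
    for (const rule of RULES) {
      if (rule.pattern.test(text)) {
        findings.push({ domain: rule.domain, severity: rule.severity, path, line: index + 1 });
      }
    }
  });
  return findings;
}

// Count findings per severity, as the report header does (Critical/High/Medium/Low).
function summarize(findings) {
  const counts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// Constructed sample file. The key is a fake placeholder, not a real credential;
// line 5 is a safe lookup keyed on server-side identity and must not be flagged.
const SAMPLE_SOURCE = [
  'const OPENAI_API_KEY = "sk-proj-PLACEHOLDERxxxxxxxxxxxxxxxx";',
  'app.use(cors({ origin: "*", credentials: true }));',
  'const q = "SELECT * FROM users WHERE id=" + req.id;',
  'const user = await User.findById(req.params.id);',
  'const me = await User.findById(currentUser.id);',
  'fetch("http://localhost:3000/api");',
].join("\n");

const findings = scanSource("src/config.js", SAMPLE_SOURCE);
console.log(summarize(findings), findings);
```

Regex rules like these are a starting point only; a real scanner also needs to handle multi-line statements and to tell test fixtures from live credentials.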

NINE SECURITY DOMAINS

We catch what your AI tool ships.

Every scan covers nine categories. Every finding includes a fix prompt for your AI tool.

Exposed Secrets
Detects 25 key types: OpenAI, Stripe, AWS, Firebase, JWT, private keys, and more.
OPENAI_API_KEY = "sk-proj-aB3..." // ⚠ exposed

Client-Side Auth
Catches auth checks that run only in the browser — bypassable in 5 seconds with DevTools.
if (user.isAdmin) { // ⚠ trust the client?

SQL Injection
Finds raw SQL string concatenation with user input — the oldest trick in the book, still common.
"SELECT * FROM users WHERE id=" + req.id

CORS Misconfiguration
Spots wildcard origins and credentials misuse — the silent backdoor of most APIs.
cors({ origin: "*", credentials: true })

Environment Safety
Confirms .env files are properly gitignored and secrets aren’t committed to your repo history.
.env // ⚠ not in .gitignore

Input Validation
Identifies endpoints accepting user input without schema validation — the entry point for most attacks.
app.post("/api", (req) => save(req.body))

IDOR Vulnerabilities
Catches code that fetches resources by user-controlled ID without authorization checks.
User.findById(req.params.id)

Dependency Issues
Flags localhost URLs, hardcoded paths, and config that breaks the moment you ship to production.
fetch("http://localhost:3000/api")

Outdated Packages
Scans package.json for known-vulnerable versions and suggests safer alternatives.
"lodash": "^4.17.15" // 17 known CVEs
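For the CORS and IDOR domains above, here is an added example in JavaScript (not GetVouch's own code or fix prompt) of the hardened forms a fix should land on, written as dependency-free functions; the options object follows the shape the npm `cors` package accepts, where `origin` may be a function of (requestOrigin, callback), and the helper names and sample data are assumptions.

```javascript
// Added example, not GetVouch's own code: hardened forms of the CORS and IDOR
// patterns. Helper names and sample data are assumptions; the options shape
// matches the npm `cors` package, whose `origin` option may be a function.

// CORS: replace origin "*" plus credentials with an explicit allowlist.
// Reflecting arbitrary origins while sending credentials lets any site call
// the API as the logged-in user; naming known front-ends closes that door.
function buildCorsOptions(allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return {
    origin(requestOrigin, callback) {
      // Same-origin and non-browser requests carry no Origin header.
      if (requestOrigin === undefined) return callback(null, false);
      if (allowed.has(requestOrigin)) return callback(null, true);
      return callback(new Error("Origin not allowed by CORS"), false);
    },
    credentials: true,
  };
}

// IDOR: User.findById(req.params.id) is only safe when the caller is allowed
// to see that record. The lookup is passed in so the check runs without a DB.
function getUserForRequest(currentUser, requestedId, findById) {
  const record = findById(requestedId);
  if (!record) return { status: 404 };
  const isOwner = record.id === currentUser.id;
  if (!isOwner && !currentUser.isAdmin) return { status: 403 };
  return { status: 200, user: record };
}

// Constructed sample data: an in-memory "users" table standing in for the DB.
const USERS = new Map([
  ["u1", { id: "u1", email: "alice@example.com" }],
  ["u2", { id: "u2", email: "bob@example.com" }],
]);
const findUserById = (id) => USERS.get(id) || null;

// Evaluate an origin the way the middleware would, returning what the
// callback received: true (allow), false (no CORS headers) or "rejected".
function decideOrigin(options, requestOrigin) {
  let result;
  options.origin(requestOrigin, (err, allow) => { result = err ? "rejected" : allow; });
  return result;
}

const corsOptions = buildCorsOptions(["https://app.example.com"]);
console.log(decideOrigin(corsOptions, "https://evil.example"));          // rejected
console.log(getUserForRequest({ id: "u1" }, "u2", findUserById).status); // 403
```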

DELIVERABLE

The report your clients will respect.

Every scan generates a downloadable PDF that looks like it came from a Big4 consulting firm. Cover page. Executive summary. Risk score. Detailed findings. Remediation guidance. Disclaimer. Use it for client deliverables, compliance reviews, or internal audits.

Customizable header — add your agency logo on the Pro tier
9-domain breakdown with file paths and line numbers
Copy-paste AI fix prompt for every finding
Print-ready, brandable, professional
See a sample report →
Sample report (v1.4.0 — Web Scanner, marked Confidential):

Security Assessment Report
AI-Generated Code Security Analysis — Full Spectrum Scan
Date: April 28, 2026
Repository: lovable/example-app
Risk Level: HIGH

Significant security vulnerabilities have been identified. Immediate remediation is strongly recommended prior to any production deployment.

Score: 72/100
Critical: 0 · High: 1 · Medium: 2 · Low: 0
  • CRITICAL  OpenAI API key exposed
  • HIGH  Missing CORS validation

WHO IT’S FOR

One scanner. Two doorways.

Same product. Two stories. Pick the door that fits.

FOR VIBE CODERS

Your AI ships fast. It also ships unlocked doors.

Lovable, Cursor, Bolt, Replit, Claude Code generate code in minutes. They also generate the same security mistakes — exposed API keys, missing auth, .env files in git. GetVouch catches them and hands you a copy-paste fix prompt for your AI tool.

  • Scan any GitHub repo or local folder
  • AI fix prompts for Lovable, Cursor, Bolt
  • Free forever for solo builders
Scan your repo →
FOR FREELANCERS & TEAMS

The security report your clients deserve.

Snyk built for enterprises. Datadog built for CIOs. Nobody built for the freelancer charging $5,000 for an app build, the agency shipping client work weekly, or the bootstrapped startup that can’t justify $99 per developer per month. GetVouch is the security audit you can deliver alongside your work.

  • Big4-quality executive PDF report
  • White-label reports on Pro tier
  • Run on client repos without sharing your account
See a sample report →

WHY GETVOUCH

Built for everyone they forgot.

Snyk and Datadog built for enterprises. Vibe App Scanner and ScanVibe lock features behind accounts. We built the in-between.

Feature comparison: GetVouch (★ recommended) vs Vibe App Scanner, Snyk, Prismor

  • Free unlimited scans: Vibe App Scanner: Limited; Snyk: Limited; Prismor: Free tier
  • No account required
  • Code never leaves your machine
  • AI fix prompts
  • Big4-quality PDF report
  • Built for solo & small teams
  • Starts at: GetVouch: $0; Vibe App Scanner: $5/mo; Snyk: Enterprise; Prismor: Custom

PRICING

Free forever. Or pay when it pays you back.

Scan unlimited repos for free. Upgrade only when you need branded reports or team features.

Free
$0
/forever
For solo builders and side projects.
  • Unlimited scans
  • Vibe Score & finding counts
  • AI fix prompts (terminal output)
  • 9 security domains
  • CLI tool included
Team
$79
/month
For startups shipping client work.
  • Everything in Pro, plus:
  • Unlimited team seats
  • Slack notifications
  • API access for CI/CD
  • Custom rule sets
  • Dedicated Slack channel

FROM THE BUILDER

I’m Sufiyan. I spent 3 years in a Security Operations Center.


I watched enterprise breaches happen from the inside. Most weren’t sophisticated — they were boring. Hardcoded API keys. Misconfigured CORS. Auth checks that only ran in the browser. The same patterns, every time.

Now AI tools generate those same patterns automatically. Lovable ships 200,000 projects a day. Most have at least one of the issues I used to investigate at 3am.

GetVouch is the check I wish every project ran before going live — whether it’s a vibe-coded side project or a freelance delivery to a paying client. It’s free because security shouldn’t be a paywall. Your code never leaves your machine because you shouldn’t have to trust me with it.

If you scan your repo and find something, DM me on X. I’ll personally walk you through the fix.

@its_n0One →

Scan your repo.
Free. No signup.

Or run it locally with the CLI (your code never leaves your machine):

pip install getvouch-cli