
Scan & monitor your vibe-coded apps

It works. You just don't know why.

VibeDoctor watches what your AI builds - scanning code, dependencies, performance, and security across 129+ checks - then hands you a prescription for what to fix first.

No credit card · 30-second scan · Public or private repos
Sample report: app.vibedoctor.io/report/acme-checkout
64/100 - mixed signals
2 critical · 5 high · 12 medium · 3 low
  • 30 - Security Issues - 2 critical
  • 50 - Performance - LCP 4.2s
  • 60 - Vibe Coding Health - 6 flags
  • 70 - SEO & Metadata - 3 missing
  • 90 - Accessibility - pass
vibes: questionable
Works with your tech stack & AI tools
Cursor, Windsurf, VS Code, Copilot, Bolt, Lovable, Replit, Claude, Codex, Next.js, React, Node.js, Python, Vercel, Supabase, Firebase, Netlify, Go, Tailwind

...because the vibes alone aren't telling you what's wrong.

  • 2.74x more vulnerabilities in AI code
  • 10,000+ findings per month
  • 62% of AI apps have known CVEs
  • 97% of devs use AI tools
  • 45% fail secure coding benchmarks
THE STORY

You shipped.
Now what?

You spent six months building, two weeks shipping, and the analytics are flat. Is it the code? The copy? The Lighthouse score? An API key you forgot to rotate?

You don't need another dashboard. You need a prescription - a short, specific list of what to fix first, ordered by how much it actually hurts.


HOW IT WORKS

Five steps. Real results.

01
Point us at the repo.

GitHub URL, GitLab, or a public deployment. We clone, walk the AST, and ping the live site. Read-only - never a write token.

Connect a repo step 1 of 3
github.com/acme/checkout-service
public main 42 commits, 14 PRs
02
Run the battery.

129+ automated checks run in parallel across security, performance, SEO, code quality, accessibility, dependency drift, and the AI-code-health patterns no other tool catches.

Check status 8 / 12 passed
Security audit: ✓ pass
Performance budget: ✗ 4 issues
Vibe coding health: ! 2 flags
SEO & metadata: ✗ 3 issues
Accessibility: ✓ pass
03
Read the prescription.

A one-page report. Findings grouped by area, sorted by severity, each with a file path, a line number, and a fix - not a vague "consider refactoring."

Prescription summary
Critical: 2
High: 5
Medium: 12
Low: 8
04
Fix what hurts.

Copy the fix prompt, paste it into Cursor, Copilot, or Claude Code. Or click Diagnose for an AI deep-dive that reads your actual function context.

src/routes/orders.ts:42
- db.query(`SELECT * FROM orders WHERE id = ${id}`)
+ db.query('SELECT * FROM orders WHERE id = $1', [id])
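Review bot: the `+` line for src/routes/orders.ts:42 still selects `*` and carries no visible condition tying the order to the requesting user, so binding `id` as `$1` stops injection but not one user reading another's order by id. Name the columns the route needs and, if `id` comes from the request, add an owner condition as a second bound parameter.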
05
Watch the vitals climb.

Every push triggers a rescan. Track your Vitals score over time. Catch regressions before users do. Weekly digests keep you honest.

Vitals trend last 4 scans
64/100, 71, 82, 91/100
THE WORKFLOW

Scan. Diagnose. Fix. Repeat.

From repo to results in 30 seconds. VibeDoctor scans your code, diagnoses issues, shows you what to fix - and gives you a visual map of everything your AI built.

app.vibedoctor.io/report/acme-checkout
Full Scan - Main · acme/checkout · github.com/acme/checkout
64/100 - Mixed Signals (▲ 13 from last scan)
2 critical · 5 high · 12 medium · 3 low
app.vibedoctor.io/report/acme-checkout#analyze
Analyze
Code analysis and architecture insights
Overall: 68 (+13) · Code: 58 · Website: 91 (+3)
11 Critical 3,061 High 806 Medium 195 Low
Impact Hotspots
Functions with the highest risk - ranked by severity and dependents
1 HIGH Socket() 2 high, 1 medium
2 HIGH GitleaksResult() 2 high issues
3 HIGH Stripe() 2 high issues
4 MED processWebhook() 1 med, 3 low
app.vibedoctor.io/report/acme-checkout#security
Security Issues
11 findings
Leaked secrets, vulnerabilities, and exposed credentials found in your code
  • CRITICAL: JSON Web Token exposed - unauthorized access to web applications and sensitive user data (.claude/settings.json:41)
  • CRITICAL: GitHub Personal Access Token leaked - unauthorized repository access and code theft (src/config/auth.ts:53)
  • CRITICAL: Stripe Secret Key hardcoded - payment data exposure and financial fraud risk (src/api/payments.ts:18)
  • CRITICAL: AWS credentials hardcoded - unauthorized cloud resource access and data breaches (deploy/config.yml:42)
  • CRITICAL: Database connection string with credentials committed to source control (src/db/connection.ts:7)
app.vibedoctor.io/graph/acme-checkout
Vibe X-Ray
558 features
  • Report Id Page: 44 nodes - 58 edges
  • Scan Page: 19 nodes - 20 edges
  • Dashboard Layout: 8 nodes - 12 edges
  • Hook: 6 nodes - 5 edges, 3 findings
  • Admin Settings: 10 nodes - 14 edges
  • Diagnose Hook: 31 nodes - 45 edges, 5 findings
  • Admin Submissions: 30 nodes - 45 edges
  • Welcome Page: 2 nodes - 1 edges
  • Dashboard Scans: 2 nodes - 1 edges
  • Vibe X-Ray Page: 2 nodes - 1 edges

WHAT WE SCAN

129+ checks. Six categories.

AST-level code scans

Static analysis via ESLint, Gitleaks, and custom rules. Catches empty catch blocks, console.log noise, hardcoded credentials, and TODO graveyards.

Performance triage

Lighthouse scores, Core Web Vitals, page weight budget, N+1 queries, sync I/O in async paths, and unbounded loops - ranked by user impact.

SEO & metadata

Missing og:image, broken canonical tags, duplicate titles, thin meta descriptions, and structured data validation. Google sees what you missed.

Vibe coding health

Hallucinated imports, god files, empty test bodies, missing error boundaries, and the patterns Cursor and Copilot leave behind. No other tool checks these.

Security pulse

CVE scanning via Trivy, secret detection via Gitleaks, SQL injection, XSS vectors, CORS misconfiguration, exposed API keys, and SSL health.

Vibe X-Ray

Four-level visual explorer: modules, files, symbols, and dependencies. See what your AI actually built - which functions call what, where complexity hides, and what breaks if you touch it.

TRAJECTORY

From 64 to 91.
In four scans.

Every scan builds on the last. Fix the critical items, rescan, watch the number climb. Most teams hit 85+ within two weeks.

Vitals score over 4 scans: Scan 1: 64, Scan 2: 71, Scan 3: 82, Scan 4: 91

THE LOOP

Scan once. Monitor forever.

Manual scans catch today's problems. Automated scans catch tomorrow's.

On Commit

Every push triggers a code scan. Critical findings fire an alert before they hit production. Connect your GitHub App once - done.

Requires Watch plan or above
On Deploy

PR scans compare your branch against main. AI-powered review comments flag regressions before you merge. No surprises in production.

Requires Guard plan or above
On Cadence

Scheduled rescans run weekly or 3x/week. Track your Vitals score over time. Weekly digest emails keep you honest - no dashboard required.

Watch: weekly / Guard+: 3x per week

POSITIONING

Not another Snyk.

What we're not
  • An enterprise SAST tool with 200-page reports
  • A CI gate that blocks every commit
  • A code formatter or linter replacement
  • A monitoring tool that wakes you at 3 AM
  • Another dashboard you'll never open
What we are
  • A 30-second checkup for vibe-coded apps
  • A prescription - not a wall of warnings
  • AI-native checks no other tool runs
  • Fix prompts you can paste into Cursor or Claude
  • A score that climbs when you act on it
BY THE NUMBERS

Built for the way you ship.

  • 129+ checks per scan
  • 30s average scan time
  • 15 diagnostic areas
  • $0 to start - forever
FAQ

Questions.

Who is VibeDoctor actually for?

Solo devs, indie hackers, and small teams who ship with AI tools like Cursor, Copilot, Bolt, or Claude Code. If you're building fast and want to know what you're missing - security holes, performance issues, broken SEO - VibeDoctor is your second opinion.

What languages and frameworks do you scan?

JavaScript, TypeScript, Python, Go, Rust, Java, Kotlin, C#, Ruby, PHP, Swift, and more. Framework-aware checks for React, Next.js, Express, Fastify, NestJS, Vue, Svelte, and Django. Dependency scanning covers npm, pip, Go modules, and Gemfiles.

Is this safe to point at a private repo?

Yes. We clone read-only via the GitHub App (no write token, ever). Code is scanned in an isolated container, never stored on disk after the scan completes, and never used for training. You can revoke access at any time from your GitHub settings.

How is this different from SonarQube, Snyk, or CodeRabbit?

Those tools are built for enterprise CI pipelines. VibeDoctor is built for vibe coders who want a fast checkup - not a 200-page compliance report. We run AI-specific checks (hallucinated imports, god files, empty test bodies) that no enterprise tool catches, and we give you fix prompts you can paste straight into Cursor. See the full checking guide.

What's "Vibe Coding Health"?

A category of checks unique to VibeDoctor. We look for patterns that AI code generators commonly leave behind: hallucinated npm packages that don't exist, 500-line god files, empty test bodies, missing error boundaries, and mixed async patterns. These aren't bugs per se - they're the kind of tech debt that compounds fast.

Does it touch my code?

Never. VibeDoctor is read-only. We clone, scan, and report. We never open PRs, commit changes, or modify anything in your repo. The fix prompts are copy-paste suggestions - you decide what to apply.

How often should I rescan?

After every meaningful push. On paid plans, push scans run automatically on every commit. On the free plan, you can manually scan up to 3 times per day. Most teams see their Vitals score plateau around 85-90 within a couple of weeks of regular scanning.

Do you support monorepos?

Yes. The scanner walks the full directory tree (up to 5 levels deep, 200 files) and detects multiple package.json files, lockfiles, and framework configs. Findings are grouped by file path so you can see which part of the monorepo needs attention.

What is Vibe X-Ray?

Vibe X-Ray is a four-level visual explorer for your codebase. It shows modules, files, symbols (functions, classes, interfaces), and their dependencies. You can see what your AI actually built - which functions call what, where complexity hides, what breaks if you touch something. It updates with every scan.

Patient Reviews

WHAT FOUNDERS ARE SAYING

Real teams. Real codebases. Real problems found.

★★★★★

"VibeDoctor removed a lot of uncertainty around my app's security. The seamless pipeline integration, fix suggestions and detailed reports made it incredibly easy to identify and fix vulnerabilities and saved me a lot of time and effort. Highly recommended."

Umakanth
★★★★★

"Honestly, I thought my app was fine until I ran it through VibeDoctor. It pointed out exposed keys and some weird structure issues. Saved me from pushing some pretty bad code to prod."

Charles (Chris)
★★★★★

"Always assumed my code was fine because nothing had broken yet. VibeDoctor showed me that 'nothing broke' and 'nothing is wrong' are two different things."

Ajay A
★★★★★

"AI-generated code looks good on the surface, but there's always something off. VibeDoctor made those issues obvious - especially the huge files and sloppy patterns."

James L.
★★★★★

"I used this tool against a PHP project that I vibecoded. With AI and vibecoding most of us don't know what kind of security vulnerabilities we are introducing in our system. This tool comes quite in handy in such cases. Highly recommend giving it a try."

Sandeep Nair
★★★★★

"I started using Cursor to speed things up, but the code got messy fast. VibeDoctor helped me catch things I wasn't even thinking about - random console logs, unused imports. Cleaned up my project a lot."

Stefan
★★★★★

"I am building a React web app using AI Studio, and VibeDoctor has been excellent in finding security gaps, exposed API keys and more - god files, unused variables, console debug leftovers, accessibility standards. Really comprehensive."

Andrea Parini

Run your first scan.

Paste a GitHub repo or any live website URL. We scan your code, dependencies, performance, and security. Results in 30 seconds.

No credit card · Read-only access · Results in 30 seconds