Quick Answer
A Vibe Check is VibeDoctor's comprehensive automated diagnosis for AI-generated code. It runs 129+ checks across 15 diagnostic areas - covering security vulnerabilities, leaked secrets, dependency CVEs, code quality, AI-specific patterns, performance, SEO, SSL, and more. You get a Vitals Score from 0 to 100, every finding with its file path, line number, severity, and a copy-paste fix prompt for your AI coding tool. Results come back in under 5 minutes. Free tier included - no credit card required.
What Is a Vibe Check?
A Vibe Check is a full diagnostic for your codebase and live website. It examines your project from every angle that matters for production readiness: is the code secure, are the dependencies safe, does the live site perform well, are security headers in place, does the SSL certificate expire soon, are there runtime JavaScript errors, and does the code follow patterns that will not break under real-world conditions.
The diagnosis runs automatically. You connect a GitHub repo, a live URL, or both - and VibeDoctor handles the rest. No configuration files to write. No rulesets to customize. No CI pipeline to set up. Submit and wait for results.
When the check completes, you get a structured report organized by diagnostic area, with every finding showing exactly where the problem is and how to fix it. The entire process takes under 5 minutes for most projects.
The 15 Diagnostic Areas
A Vibe Check covers 15 distinct diagnostic areas. If you submit both a GitHub repo and a live URL, all 15 run. If you submit only a repo, the code-side diagnostics run. If you submit only a URL, the live-site diagnostics run.
Code Diagnostics (GitHub Repo)
These run against your source code and dependencies.
| # | Diagnostic Area | What It Checks | Example Findings |
|---|---|---|---|
| 1 | Security Vulnerabilities | Unprotected routes, injection, XSS, CORS, CSRF, eval(), insecure cookies, missing rate limiting | API route without auth middleware, SQL query using string interpolation, dangerouslySetInnerHTML with user input |
| 2 | Secret Detection | API keys, passwords, tokens, private keys, JWT secrets committed in source files or git history | Stripe secret key in source file, AWS access key in config, RSA private key committed to repo |
| 3 | Dependency Vulnerabilities | Known CVEs in your npm, pip, Go, Ruby, or other package dependencies | Critical CVE in express 4.17.1, high-severity vulnerability in lodash, no fix available for prototype pollution |
| 4 | Code Quality | Console statements, explicit any types, TODO/FIXME comments, empty catch blocks, hardcoded credentials in variable assignments | 12 console.log calls in production code, 8 TypeScript any annotations, empty catch block swallowing errors |
| 5 | Vibe Coding Health | AI-specific patterns - hallucinated imports, empty test bodies, god files, mixed async patterns, missing error handling | Import of npm package that does not exist, test with no assertions, 600-line utility file doing 5 unrelated things |
| 6 | Deep Code Analysis | Bugs, code smells, duplication, cognitive complexity, technical debt ratio, quality gate pass/fail | Duplicated 40-line block across 3 files, cognitive complexity of 47 in single function, 12 code smells in auth module |
| 7 | Best Practices | Project hygiene - .gitignore quality, README presence, test directory, .env file committed, directory structure | .env file committed to repo, .gitignore missing node_modules entry, no test directory found |
Live Site Diagnostics (URL)
These run against your deployed website using a real browser session.
| # | Diagnostic Area | What It Checks | Example Findings |
|---|---|---|---|
| 8 | Performance | Lighthouse performance score, Core Web Vitals (LCP, FCP, CLS, TBT), Speed Index, Time to Interactive | LCP of 4.2s (should be under 2.5s), CLS of 0.31 (should be under 0.1), performance score 34/100 |
| 9 | SEO | Meta title, description, Open Graph tags, canonical URL, robots meta, viewport tag, structured data | Missing meta description, no Open Graph image, canonical URL not set, missing viewport tag |
| 10 | Security Headers | HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy | No HSTS header, missing Content-Security-Policy, X-Frame-Options not set |
| 11 | SSL / TLS | Certificate validity, issuer, days until expiry, protocol version, configuration warnings | Certificate expires in 12 days, using TLS 1.0 (deprecated), self-signed certificate |
| 12 | Console Errors | JavaScript runtime errors, unhandled exceptions, and warnings in the browser console | TypeError: Cannot read property of undefined, failed fetch to API endpoint, unhandled promise rejection |
| 13 | Broken Links | Internal 404s, dead external links, redirect chains, broken anchor references | 7 internal links returning 404, 3 external links to domains that no longer exist |
| 14 | Page Weight | Total page size, number of HTTP requests, resource breakdown by type, mixed HTTP/HTTPS content | Page size 5.2MB (budget: 2MB), 47 HTTP requests, mixed content loading images over HTTP |
| 15 | Accessibility | Images without alt text, buttons without labels, missing ARIA attributes, Lighthouse accessibility score | 14 images missing alt text, 3 buttons with no accessible name, accessibility score 61/100 |
The Vitals Score: One Number for Overall Health
After running all applicable diagnostics, VibeDoctor calculates a Vitals Score from 0 to 100. This single number summarizes the overall health of your project across every diagnostic area.
The score gives you an immediate answer to the question every builder asks: is this safe to ship?
| Score Range | What It Means |
|---|---|
| 80 - 100 | Production ready - no critical issues, strong security posture, good performance |
| 60 - 79 | Needs attention - some high-severity findings or performance gaps to address |
| 40 - 59 | Significant issues - multiple high or critical findings that should be fixed before launch |
| 0 - 39 | Not production ready - critical vulnerabilities present, do not ship without remediation |
The score is not a vanity metric. It is calculated from structured tool data - real vulnerability counts, real CVE severity levels, real Lighthouse measurements. Every point on the scale corresponds to real findings you can inspect and fix.
Severity Levels
Every finding from a Vibe Check is assigned a severity level:
- Critical - must fix before shipping. Leaked secrets, SQL injection, hardcoded private keys, known critical CVEs.
- High - should fix before shipping. Unprotected API routes, missing auth middleware, CORS wildcards, excessive dependency count.
- Medium - fix soon after launch. Mixed async patterns, god files, missing security headers, low test coverage.
- Low - nice to fix. Commented-out code, unused imports, missing README, hardcoded localhost URLs.
The severity classification is deterministic. It does not depend on AI interpretation or LLM confidence scores. Each check has a predefined severity based on real-world impact.
What You Get in the Report
Every finding in a Vibe Check report includes:
- Title - what the issue is (e.g., "Unprotected API route")
- Severity - Critical, High, Medium, or Low
- File path - exact file where the issue was found
- Line number - exact line in the file
- Description - what the issue means in plain language
- Fix guidance - what you need to change
- Copy fix prompt - a one-click button that copies a remediation prompt you can paste directly into Cursor, Claude Code, or any AI coding tool
The copy fix prompt feature is designed for vibe coders. You do not need to understand the vulnerability yourself. Copy the prompt, paste it into your AI tool, and the AI will fix the specific issue with full context about what was wrong and why.
How It Works
Running a Vibe Check takes three steps:
- Submit your project - enter a live URL, connect a GitHub repo, or both
- Wait for results - the diagnosis runs automatically and completes in 2-5 minutes for most projects
- Review your report - findings are organized by diagnostic area with severity, file paths, and fix guidance
No installation. No configuration files. No CLI to set up. Everything runs on VibeDoctor's infrastructure. You get the results in your dashboard at app.vibedoctor.io.
Continuous Monitoring: Stay Healthy After Launch
A single health check tells you where you stand today. Continuous monitoring keeps you healthy over time.
On paid plans, VibeDoctor automatically re-runs the health check on every git push to your connected repository. Every commit gets scanned. Every push generates an updated report. You never have to remember to run a check manually.
| Plan | Manual Scans / Day | Auto-Scan on Push | Scheduled Rescans | Weekly Digest Email |
|---|---|---|---|---|
| Free | 3 | No | No | No |
| Watch ($15/mo) | 10 | Yes | Weekly | Yes |
| Guard ($39/mo) | 50 | Yes | 3x per week | Yes |
| Shield ($79/mo) | 200 | Yes | 3x per week | Yes |
Push scan alerts notify you immediately when a critical or high-severity finding appears in new code. You find out about the problem within minutes of pushing - not days later when a user reports a bug or an attacker finds a vulnerability.
AI-Specific Checks: What Makes This Different
Traditional code analysis tools were built for professional engineering teams writing code by hand. They catch the problems that human developers make. VibeDoctor's Vibe Check includes an entire category of checks specifically designed for problems that AI coding tools create.
These AI-specific checks cover patterns that tools built before the vibe coding era were never designed to detect:
- Hallucinated imports - packages the AI referenced that do not actually exist on npm
- Empty test bodies - test functions with a title but no assertions inside
- Incomplete implementations - functions that throw "Not implemented" errors or have empty bodies
- God files - single files with 500+ lines doing too many unrelated things
- Mixed async patterns - files mixing .then() chains and async/await inconsistently
- Missing error boundaries - React apps with no ErrorBoundary component to catch runtime crashes
- Excessive dependency count - AI tools install packages liberally, often adding 60+ dependencies when 20 would suffice
- Duplicate functionality - AI installing both axios and node-fetch, or both moment and dayjs, for the same purpose
- N+1 database queries - database calls inside loops that should be batched
- Synchronous file I/O in async context - blocking the event loop with readFileSync when the surrounding code is async
These are not theoretical patterns. They appear in the majority of AI-generated codebases that VibeDoctor scans. The AI writes code that works functionally but introduces structural and safety problems that only show up under real-world conditions.
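As an added illustration (not VibeDoctor's code or rule set), three of the patterns listed above can be approximated with simple text heuristics: imports missing from the manifest, tests without assertions, and mixed async styles. The manifest, the source sample and the `@acme-example/fetch-retry` package name are constructed for this example.

```javascript
// Constructed input; "@acme-example/fetch-retry" is a hypothetical package name.
const SAMPLE_MANIFEST = { dependencies: { express: "^4.18.2" }, devDependencies: { vitest: "^1.0.0" } };
const SAMPLE_SOURCE = `
import express from "express";
import { retry } from "@acme-example/fetch-retry/lib";
const fs = require("node:fs");
import { it, expect } from "vitest";
export async function load(url) {
  const res = await fetch(url);
  return res.json().then((d) => d.items);
}
it("loads items", async () => {
  // TODO: assert on the result
});
it("adds", () => { expect(1 + 1).toBe(2); });
`;

// Imports the manifest does not declare: hallucination candidates only (no registry lookup here).
function findUndeclaredImports(source, manifest) {
  const declared = new Set(Object.keys({ ...manifest.dependencies, ...manifest.devDependencies }));
  const re = /(?:from\s+|require\(\s*|import\s*\(\s*|import\s+)["']([^"']+)["']/g;
  const missing = new Set();
  for (const [, spec] of source.matchAll(re)) {
    if (/^(\.|\/|node:)/.test(spec)) continue; // relative path or node:-prefixed built-in
    // "lodash/merge" -> "lodash"; "@scope/pkg/sub" -> "@scope/pkg"
    const name = spec.split("/").slice(0, spec.startsWith("@") ? 2 : 1).join("/");
    if (!declared.has(name)) missing.add(name);
  }
  return [...missing].sort();
}

// Titles of it()/test() callbacks whose body (comments stripped) never mentions expect or assert.
function findTestsWithoutAssertions(source) {
  const start = /\b(?:it|test)\s*\(\s*(["'`])(.*?)\1\s*,[^{]*\{/g;
  const titles = [];
  for (const m of source.matchAll(start)) {
    let i = m.index + m[0].length, depth = 1;
    const bodyStart = i;
    for (; i < source.length && depth > 0; i++) { // naive: ignores braces inside strings
      if (source[i] === "{") depth++;
      else if (source[i] === "}") depth--;
    }
    const body = source.slice(bodyStart, i - 1).replace(/\/\/.*|\/\*[\s\S]*?\*\//g, "");
    if (!/\b(?:expect|assert)\b/.test(body)) titles.push(m[2]);
  }
  return titles;
}

// True when one file mixes .then() chains with async/await.
const hasMixedAsync = (source) => /\.then\s*\(/.test(source) && /\bawait\s/.test(source);
```

A regex pass like this misses destructured test parameters and bare built-in names such as `fs`; a production scanner would work on a parsed AST.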
Copy Fix Prompts: From Finding to Fix in Seconds
Every finding in the report includes a "Copy Fix" button. Click it and VibeDoctor copies a detailed remediation prompt to your clipboard. The prompt includes:
- The exact file and line number
- What the issue is
- Why it matters
- What the fix should look like
Paste this prompt directly into Cursor, Claude Code, Copilot, or any AI coding tool. The AI gets full context and can fix the issue immediately. This creates a feedback loop: the AI built the problem, VibeDoctor diagnosed it, and the AI fixes it with the right guidance.
FAQ
How long does a Vibe Check take?
Most scans complete in 2-5 minutes. The exact time depends on repository size and whether you are scanning a live URL in addition to the codebase. URL-only scans typically finish in under 2 minutes. Large repositories with 1,000+ files may take closer to the 5-minute mark.
Is there a free version?
Yes. The free plan includes 1 scan per day with the full 129+ check diagnostic - no checks are removed or limited. You get the same report that paid users get. The difference is scan frequency: paid plans add automatic push scans, scheduled rescans, and weekly digest emails.
Can I scan a project without a GitHub repo?
Yes. You can submit a live URL only and get the 8 live-site diagnostics (performance, SEO, security headers, SSL, console errors, broken links, page weight, accessibility). To get the code-side diagnostics (security vulnerabilities, secrets, dependencies, code quality, vibe coding health, deep analysis, best practices), connect a GitHub repository.
What languages does the code analysis support?
The security, quality, and vibe coding checks support JavaScript, TypeScript, Python, Go, Rust, Java, Kotlin, C#, Ruby, PHP, Swift, Vue, and Svelte. Dependency vulnerability scanning works with any package manager that produces a lockfile (npm, pip, Go modules, Bundler, Composer, and more).
Do I need to install anything?
No. Everything runs on VibeDoctor's infrastructure. You do not need to install CLI tools, configure rulesets, or set up a CI pipeline. Create a project, submit your URL or connect your repo, and the health check runs automatically.