Scans your code for OWASP Top 10 vulnerabilities, injection attacks, misconfigurations, and dangerous patterns that AI-generated code commonly introduces.
| ID | Check | Description | Severity |
|---|---|---|---|
| SEC-001 | Unprotected API routes | detects routes without authentication middleware | High |
| SEC-002 | SQL injection risk | string interpolation in database queries (6 patterns) | Critical |
| SEC-003 | XSS vectors | `dangerouslySetInnerHTML`, `innerHTML`, `v-html`, `{@html}`, `document.write` | Critical |
| SEC-004 | CORS misconfiguration | wildcard origins and permissive Access-Control headers | High |
| SEC-005 | CSRF / state-changing GET routes | mutations via GET requests | High |
| SEC-006 | Client-side secret exposure | sensitive env vars with `NEXT_PUBLIC_`/`VITE_`/`REACT_APP_` prefix | Critical |
| SEC-007 | Insecure cookie settings | missing `httpOnly`, `secure`, or `sameSite` flags | High |
| SEC-008 | `eval()` or `new Function()` usage | dynamic code execution risks | Critical |
| SEC-009 | Insecure randomness | `Math.random()` in security-sensitive contexts | High |
| SEC-010 | Missing input validation | route handlers without schema validation (Zod, Joi, etc.) | High |
| SEC-011 | Insecure file uploads | missing file type validation or size limits | High |
| SEC-013 | No rate limiting | no rate limiting library or middleware detected | High |
| SEC-013-D | Debug mode in production | `DEBUG=*` enabled in production configuration | High |
| SEC-014 | Hardcoded secrets | AWS keys, Stripe keys, OpenAI keys, GitHub tokens, Slack tokens, SendGrid keys, and generic secrets | Critical |
| SEC-015 | Private keys in source code | RSA, EC, DSA, or OpenSSH private keys committed | Critical |
| SEC-016 | JWT tokens in source code | hardcoded JWT tokens that should be runtime-generated | Critical |
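To make the kind of pattern matching behind these checks concrete, here is an added example that is not VibeDoctor's code: a minimal line-based scanner implementing six of the SEC-* checks above (SEC-002, SEC-003, SEC-006, SEC-007, SEC-008, SEC-014). The rule ids and severities follow the table; the regular expressions, the `scanSource` function and the sample source file are my own constructions, and the `AKIA...` value is the placeholder access key from AWS's own documentation, not a live credential.

```javascript
// Added example, not VibeDoctor's code: a minimal line-based scanner for six of
// the SEC-* checks listed above. Rule ids and severities follow the page; the
// regular expressions are my own approximations of each pattern.
const RULES = [
  {
    id: 'SEC-002', severity: 'Critical', title: 'SQL injection risk',
    // interpolation (`...${x}`) or concatenation ('...' +) inside a query call
    test: (line) => /\.(query|execute|raw)\s*\(\s*(`[^`]*\$\{|['"][^'"]*['"]\s*\+)/.test(line),
  },
  {
    id: 'SEC-003', severity: 'Critical', title: 'XSS vector',
    test: (line) => /dangerouslySetInnerHTML|\.innerHTML\s*=|v-html=|\{@html|document\.write\(/.test(line),
  },
  {
    id: 'SEC-006', severity: 'Critical', title: 'Client-side secret exposure',
    // a public-prefixed env var whose name looks like a secret
    test: (line) => /(NEXT_PUBLIC_|VITE_|REACT_APP_)\w*(SECRET|PRIVATE|PASSWORD|TOKEN|API_KEY)/i.test(line),
  },
  {
    id: 'SEC-007', severity: 'High', title: 'Insecure cookie settings',
    // res.cookie(...) whose options object lacks httpOnly, secure or sameSite
    test: (line) => {
      const m = line.match(/res\.cookie\s*\(.*\{([^}]*)\}/);
      return m !== null && !(/httpOnly/.test(m[1]) && /secure/.test(m[1]) && /sameSite/.test(m[1]));
    },
  },
  {
    id: 'SEC-008', severity: 'Critical', title: 'eval() or new Function() usage',
    test: (line) => /\beval\s*\(|new\s+Function\s*\(/.test(line),
  },
  {
    id: 'SEC-014', severity: 'Critical', title: 'Hardcoded secret',
    // AWS access key id shape: AKIA followed by 16 upper-case alphanumerics
    test: (line) => /\bAKIA[0-9A-Z]{16}\b/.test(line),
  },
];

// Scan one file's text and return the matched rules with line numbers
function scanSource(source, file = 'input.js') {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    if (/^\s*\/\//.test(line)) return; // skip line comments
    for (const rule of RULES) {
      if (rule.test(line)) findings.push({ id: rule.id, severity: rule.severity, title: rule.title, file, line: i + 1 });
    }
  });
  return findings;
}

// Constructed sample file: every line below is made up for this example. The
// AKIA... value is the placeholder key from AWS's own documentation.
const SAMPLE = `
const userId = req.params.id;
const rows = await db.query(\`SELECT * FROM users WHERE id = \${userId}\`);
res.cookie('session', token, { secure: true });
const cfg = { accessKeyId: 'AKIAIOSFODNN7EXAMPLE' };
el.innerHTML = req.query.q;
const stripe = new Stripe(process.env.NEXT_PUBLIC_STRIPE_SECRET_KEY);
const fn = new Function('a', 'return a * 2');
const safe = await db.query('SELECT * FROM users WHERE id = $1', [userId]);
res.cookie('csrf', csrfToken, { httpOnly: true, secure: true, sameSite: 'strict' });
`;

for (const f of scanSource(SAMPLE)) {
  console.log(`${f.severity.padEnd(8)} ${f.id} ${f.title} (${f.file}:${f.line})`);
}
```

The last two sample lines (a parameterised query and a cookie with all three flags) produce no findings, which is the behaviour a practitioner should verify first when tuning rules like these: a scanner that cannot tell the fixed form from the broken one only generates noise.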
Deep scan of your entire Git history for leaked credentials, API keys, and tokens using Gitleaks - an industry-standard secret detection tool with 100+ built-in rules.
| ID | Check | Severity |
|---|---|---|
| GIT-001 | AWS Access Key IDs (AKIA*) and Secret Access Keys | Critical |
| GIT-002 | Google Cloud / GCP API keys and service account credentials | Critical |
| GIT-003 | GitHub personal access tokens and OAuth tokens | Critical |
| GIT-004 | Stripe live and test keys | Critical |
| GIT-005 | OpenAI / Anthropic / AI provider API keys | Critical |
| GIT-006 | Slack, Discord, and Telegram bot tokens | Critical |
| GIT-007 | Database connection strings (MongoDB, PostgreSQL, MySQL, Redis) | Critical |
| GIT-008 | SendGrid, Mailgun, and email service API keys | Critical |
| GIT-009 | Firebase / Supabase credentials | Critical |
| GIT-010 | SSH and PGP private keys | Critical |
| GIT-011 | Twilio, Razorpay, and payment provider tokens | Critical |
| GIT-012 | Generic passwords and secrets in config files | High |
| GIT-013 | Azure / DigitalOcean / Heroku API tokens | Critical |
| GIT-014 | JWT signing secrets and encryption keys | Critical |
| GIT-015 | Shopify, Cloudflare, and other SaaS credentials | Critical |
Validates your live website's HTTP security headers against best practices. Missing headers are the #1 issue we find in vibe-coded apps.
| ID | Check | Description | Severity |
|---|---|---|---|
| HDR-001 | Strict-Transport-Security (HSTS) | forces HTTPS on all connections | High |
| HDR-002 | Content-Security-Policy (CSP) | prevents XSS and injection attacks | High |
| HDR-003 | X-Content-Type-Options | prevents MIME type sniffing | Medium |
| HDR-004 | X-Frame-Options | prevents clickjacking attacks | Medium |
| HDR-005 | Referrer-Policy | controls information leaking via referrer headers | Medium |
| HDR-006 | Permissions-Policy | restricts browser features (camera, microphone, etc.) | Medium |
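As an added example, not VibeDoctor's code, the following offline checker implements the six HDR-* checks above against a plain object of response headers. It goes slightly beyond presence checks: it parses the HSTS `max-age`, flags a CSP whose `script-src` allows `'unsafe-inline'`, and accepts a CSP `frame-ancestors` directive in place of `X-Frame-Options` (the directive supersedes that header). The one-year HSTS threshold, the messages and the two sample header sets are my own assumptions.

```javascript
// Added example, not VibeDoctor's code: an offline checker for the HDR-* checks.
// Header names are matched case-insensitively, as HTTP requires.
const ONE_YEAR = 31536000; // assumed threshold for a "real" HSTS max-age, in seconds

function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

function checkSecurityHeaders(rawHeaders) {
  const h = normalize(rawHeaders);
  const findings = [];
  const add = (id, severity, message) => findings.push({ id, severity, message });

  // HDR-001: HSTS present, and with a max-age long enough to matter
  const hsts = h['strict-transport-security'];
  if (!hsts) {
    add('HDR-001', 'High', 'Strict-Transport-Security header missing');
  } else {
    const m = hsts.match(/max-age=(\d+)/i);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < ONE_YEAR) add('HDR-001', 'Medium', `HSTS max-age ${maxAge} is below one year (${ONE_YEAR})`);
  }

  // HDR-002: CSP present; a script-src that allows 'unsafe-inline' gives up most XSS protection
  const csp = h['content-security-policy'];
  if (!csp) {
    add('HDR-002', 'High', 'Content-Security-Policy header missing');
  } else if (/script-src[^;]*'unsafe-inline'/i.test(csp)) {
    add('HDR-002', 'Medium', "CSP script-src allows 'unsafe-inline'");
  }

  // HDR-003: the only meaningful value is nosniff
  if ((h['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff') {
    add('HDR-003', 'Medium', 'X-Content-Type-Options is not set to nosniff');
  }

  // HDR-004: X-Frame-Options, or the CSP frame-ancestors directive that supersedes it
  const hasFrameAncestors = csp ? /frame-ancestors/i.test(csp) : false;
  if (!h['x-frame-options'] && !hasFrameAncestors) {
    add('HDR-004', 'Medium', 'No X-Frame-Options header and no CSP frame-ancestors directive');
  }

  // HDR-005 / HDR-006: presence checks
  if (!h['referrer-policy']) add('HDR-005', 'Medium', 'Referrer-Policy header missing');
  if (!h['permissions-policy']) add('HDR-006', 'Medium', 'Permissions-Policy header missing');

  return findings;
}

// Constructed sample: what an app with no header hardening typically returns
const WEAK_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'X-Powered-By': 'Express',
};

// Constructed sample: the same app after a hardening middleware is added
const HARDENED_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};

for (const f of checkSecurityHeaders(WEAK_HEADERS)) {
  console.log(`${f.severity.padEnd(6)} ${f.id} ${f.message}`);
}
```

To run this against a live site, pass the headers of a `fetch(url, { method: 'HEAD' })` response (converted with `Object.fromEntries(res.headers)`) instead of the constructed objects; the check logic is the same.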
Validates your SSL/TLS certificate status, expiry, and protocol version to ensure encrypted, trusted connections.
| ID | Check | Description | Severity |
|---|---|---|---|
| SSL-001 | HTTPS enforcement | site accessible over HTTPS | Critical |
| SSL-002 | Certificate validity | certificate is valid and not expired | Critical |
| SSL-003 | Certificate trust chain | issued by a trusted Certificate Authority | High |
| SSL-004 | Certificate expiry warning | expires within 30 days | Medium |
| SSL-005 | TLS protocol version | using modern TLS 1.2 or 1.3 | Medium |
Scans your dependencies for known CVEs (Common Vulnerabilities and Exposures) via Trivy, plus checks for bloat, duplicate libraries, and supply chain risks.
| ID | Check | Description | Severity |
|---|---|---|---|
| DEP-001 | Excessive dependency count | flags 40+ or 60+ production dependencies | Medium-High |
| DEP-004 | Duplicate functionality libraries | multiple HTTP clients, date libs, validators, etc. | Medium |
| DEP-006 | Potentially unused dependencies | production deps not imported anywhere | Medium |
| DEP-007 | Full import of heavy libraries | importing all of lodash, moment, rxjs | Medium |
| DEP-008 | Loose version pinning | using `*`, `latest`, or `>=` in package.json | High |
| DEP-009 | No lock file | missing package-lock.json, yarn.lock, or pnpm-lock.yaml | High |
| DEP-010 | Multiple package managers | conflicting lock files from npm + yarn + pnpm | Medium |
| TRIVY | Known CVE scan | checks all dependencies against the National Vulnerability Database | Critical |
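The CVE scan is delegated to Trivy, but the manifest-level checks above are simple enough to show in full. This added example, which is not VibeDoctor's code, implements DEP-001, DEP-004, DEP-008, DEP-009 and DEP-010 over a parsed package.json and the list of files in the project root. The 40/60 thresholds come from the table; the library groupings used for DEP-004, the definition of a "loose" range and the sample manifest are my own assumptions.

```javascript
// Added example, not VibeDoctor's code: manifest-level dependency hygiene checks.
const LOCK_FILES = {
  'package-lock.json': 'npm',
  'yarn.lock': 'yarn',
  'pnpm-lock.yaml': 'pnpm',
};

// Assumed groupings for DEP-004 (duplicate functionality); extend as needed
const DUPLICATE_GROUPS = {
  'HTTP client': ['axios', 'node-fetch', 'got', 'superagent', 'ky'],
  'date library': ['moment', 'dayjs', 'date-fns', 'luxon'],
  'validator': ['zod', 'joi', 'yup', 'ajv'],
};

// A range is "loose" when it is *, latest, empty, or an open-ended >= / > constraint
function isLooseRange(range) {
  const r = String(range).trim();
  return r === '*' || r === 'latest' || r === '' || /^>=?\s*\d/.test(r);
}

function checkDependencies(pkg, rootFiles) {
  const deps = pkg.dependencies || {};
  const names = Object.keys(deps);
  const findings = [];
  const add = (id, severity, message) => findings.push({ id, severity, message });

  // DEP-001: count thresholds from the page (40+ Medium, 60+ High)
  if (names.length >= 60) add('DEP-001', 'High', `${names.length} production dependencies`);
  else if (names.length >= 40) add('DEP-001', 'Medium', `${names.length} production dependencies`);

  // DEP-004: more than one library from the same functional group
  for (const [group, libs] of Object.entries(DUPLICATE_GROUPS)) {
    const present = libs.filter((l) => names.includes(l));
    if (present.length > 1) add('DEP-004', 'Medium', `multiple ${group}s: ${present.join(', ')}`);
  }

  // DEP-008: loose version ranges let a future publish change what gets installed
  for (const [name, range] of Object.entries(deps)) {
    if (isLooseRange(range)) add('DEP-008', 'High', `${name} uses loose range "${range}"`);
  }

  // DEP-009 / DEP-010: exactly one lock file is the healthy state
  const managers = rootFiles.filter((f) => f in LOCK_FILES).map((f) => LOCK_FILES[f]);
  if (managers.length === 0) add('DEP-009', 'High', 'no lock file found');
  if (managers.length > 1) add('DEP-010', 'Medium', `conflicting lock files: ${managers.join(' + ')}`);

  return findings;
}

// Constructed sample manifest and root listing (not a real project)
const SAMPLE_PKG = {
  name: 'demo-app',
  dependencies: { express: '^4.18.2', axios: '*', 'node-fetch': 'latest', lodash: '>=4.0.0', zod: '^3.22.4' },
};
const SAMPLE_FILES = ['package.json', 'package-lock.json', 'yarn.lock', 'src'];

for (const f of checkDependencies(SAMPLE_PKG, SAMPLE_FILES)) {
  console.log(`${f.severity.padEnd(6)} ${f.id} ${f.message}`);
}
```

In a real run the two inputs come from `JSON.parse(fs.readFileSync('package.json'))` and `fs.readdirSync('.')`; the caret ranges left alone here are what a lock file is meant to resolve, which is why DEP-009 is rated above DEP-008.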
Runs Google Lighthouse on your live URL to measure real-world performance. Scores every Core Web Vital plus time-to-interactive benchmarks.
| ID | Check | Description | Type |
|---|---|---|---|
| LH-001 | Performance score (0-100) | overall performance rating | Score |
| LH-002 | First Contentful Paint (FCP) | time until first content appears | Metric |
| LH-003 | Largest Contentful Paint (LCP) | time until largest element renders | Metric |
| LH-004 | Total Blocking Time (TBT) | time the main thread is blocked | Metric |
| LH-005 | Cumulative Layout Shift (CLS) | visual stability score | Metric |
| LH-006 | Speed Index | how quickly content is visually displayed | Metric |
| LH-007 | Time to Interactive (TTI) | time until fully interactive | Metric |
| LH-008 | Accessibility score (0-100) | WCAG conformance rating | Score |
| LH-009 | SEO score (0-100) | search engine optimization rating | Score |
| LH-010 | Best Practices score (0-100) | web development best practices | Score |
Validates essential meta tags for search engine visibility and social media sharing. If these are missing, your site is invisible to Google.
| ID | Check | Description | Severity |
|---|---|---|---|
| SEO-001 | Page title | `<title>` tag present and descriptive | High |
| SEO-002 | Meta description | informative description for search results | High |
| SEO-003 | Open Graph title (og:title) | title for social media shares | Medium |
| SEO-004 | Open Graph image (og:image) | preview image for social sharing | Medium |
| SEO-005 | Favicon | browser tab icon present | Low |
| SEO-006 | Canonical URL | prevents duplicate content indexing | Medium |
| SEO-007 | Viewport meta tag | mobile responsiveness declaration | High |
Detects code smells, dead code, overly complex functions, and AI-hallucinated imports that are common in vibe-coded projects.
| ID | Check | Description | Severity |
|---|---|---|---|
| QUA-002 | Unused imports | imported modules never referenced in the file | Low |
| QUA-005 | Mixed async patterns | mixing `.then()`/`.catch()` with async/await in the same file | Medium |
| QUA-006a | Overly long functions | functions exceeding 50 lines | Medium |
| QUA-006b | Deeply nested code | 4+ levels of nesting in a function | Medium |
| QUA-006c | Too many parameters | functions with 5+ parameters | Medium |
| QUA-008 | God files | files exceeding 300 lines, doing too much | Medium |
| QUA-009 | Missing error handling | `.then()` without `.catch()` / hallucinated package imports | Medium-High |
| QUA-010 | Empty function bodies | placeholder functions with no implementation | Medium |
| QUA-011 | Commented-out code | 3+ lines of dead code in comments / hallucinated API usage | Low-Medium |
| QUA-012 | Incomplete implementations | TODO placeholders and "not implemented" stubs | Medium |
| QUA-013 | God modules | files with 20+ exports, a sign of a monolith | Medium |
| QUA-014 | Route handler bloat | inline handlers exceeding 20 lines | Medium |
| ESLINT | ESLint rule violations | runs your project's configured lint rules | Medium |
| HALLU | AI-hallucinated imports | detects packages and APIs that don't exist (AI invented them) | High |
Enterprise-grade static analysis via SonarQube. Detects bugs, security hotspots, code smells, and maintainability issues across your entire codebase.
| ID | Check | Description | Severity |
|---|---|---|---|
| SQ-BUG | Bug detection | code that will cause incorrect behavior at runtime | High |
| SQ-VULN | Security vulnerabilities | exploitable weakness in the code | Critical |
| SQ-SPOT | Security hotspots | code that requires manual security review | Medium |
| SQ-SMELL | Code smells | maintainability issues that make code hard to change | Low |
| SQ-DEBT | Technical debt ratio | estimated effort to fix all maintainability issues | Score |
| SQ-DUP | Code duplication | copy-pasted blocks across the project | Medium |
| SQ-COV | Cognitive complexity | functions too complex for humans to understand | Medium |
Catches code patterns that work in development but will crash or freeze in production - common in AI-generated code that hasn't been stress-tested.
| ID | Check | Description | Severity |
|---|---|---|---|
| PERF-001 | `await` inside `Array.map()` | creates sequential promises instead of parallel | High |
| PERF-002 | Synchronous file I/O in async context | blocks the event loop | High |
| PERF-003 | Database queries inside loops | N+1 query problem | Critical |
| PERF-004 | Unbounded array growth | while loops with `.push()` and no size limit | Medium |
| PERF-005 | Sequential awaits that could be parallelized | 3+ independent awaits in a row | Medium |
| PERF-006 | JSON parse/stringify inside loops | repeated serialization overhead | Low |
Checks React, Vue, and Svelte component code for memory leaks, accessibility violations, and bundle size issues.
| ID | Check | Description | Severity |
|---|---|---|---|
| FE-001 | No React Error Boundary | uncaught errors crash the entire app | Medium |
| FE-004 | Direct DOM manipulation in React | using `document.getElementById` instead of refs | Medium |
| FE-005a | Images missing alt text | accessibility violation for screen readers | Medium |
| FE-005b | Buttons missing accessible labels | icon-only buttons without `aria-label` | Medium |
| FE-006 | Memory leak in `useEffect` | `setInterval`/`addEventListener` without cleanup | High |
| FE-007 | Bundle-heavy imports | full lodash (72KB) or moment (300KB) in client bundle | Medium |
| FE-008 | Missing `key` prop in list rendering | `.map()` without `key` causes reconciliation bugs | Medium |
| FE-010 | External links without `rel="noopener"` | `target="_blank"` security risk | Medium |
Validates project configuration, Dockerfile hygiene, TypeScript strictness, and production readiness signals.
| ID | Check | Description | Severity |
|---|---|---|---|
| CFG-002 | Hardcoded localhost URLs | `http://localhost` in production code (not env fallback) | Medium |
| CFG-004 | Unpinned Docker images | using `:latest` tag instead of specific versions | Medium |
| CFG-005 | Missing health check endpoint | no `/health` or `/healthz` for container orchestration | Medium |
| CFG-006 | No structured logging | 5+ `console.log` calls instead of a proper logger | Medium |
| CFG-007 | Missing `.env.example` | new developers don't know what env vars are needed | Medium |
| CFG-008 | TypeScript strict mode disabled | allows implicit `any` and null safety issues | Medium |
Evaluates test quality, coverage ratio, and common antipatterns. Most vibe-coded apps have zero tests - we check if yours are real or just placeholders.
| ID | Check | Description | Severity |
|---|---|---|---|
| TST-001 | Low test coverage ratio | test files vs source files below threshold | High |
| TST-002 | Empty test bodies | `test("should work", () => {})` provides false confidence | High |
| TST-003 | Tests without assertions | test runs code but never checks results | High |
| TST-004 | Mock-everything antipattern | mocking all imports, testing nothing real | Medium |
| TST-005 | Happy-path-only tests | no error/edge case coverage | Medium |
| TST-008 | No integration tests | only unit tests, missing integration/e2e coverage | Low |
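TST-002 and TST-003 are the two checks that separate real tests from placeholders, and both can be detected without a full parser. This added example, not VibeDoctor's code, locates each `test(...)`/`it(...)` call in a Jest- or Vitest-style file, brace-matches the callback body, and reports a body that is empty (TST-002) or that never calls `expect`/`assert` (TST-003). The call-matching regular expression, the assertion heuristic and the sample test file are my own constructions.

```javascript
// Added example, not VibeDoctor's code: detect empty tests and tests without
// assertions by brace-matching each test callback body.
const ASSERTION = /\b(expect|assert)\b/; // assumed heuristic for "this test checks something"

// Return the text between the brace at `start` and its matching close brace
function braceBody(src, start) {
  let depth = 0;
  for (let i = start; i < src.length; i++) {
    if (src[i] === '{') depth++;
    else if (src[i] === '}' && --depth === 0) return src.slice(start + 1, i);
  }
  return null; // unbalanced braces: give up on this test rather than guess
}

function lineOf(src, index) {
  return src.slice(0, index).split('\n').length;
}

function checkTests(src, file = 'sample.test.js') {
  const findings = [];
  // test('name', () => {   /   it("name", async (done) => {
  const callRe = /\b(?:test|it)\s*\(\s*(['"`])((?:\\.|(?!\1).)*)\1\s*,\s*(?:async\s*)?(?:\([^)]*\)|\w+)\s*=>\s*\{/g;
  let m;
  while ((m = callRe.exec(src)) !== null) {
    const name = m[2];
    const braceIdx = m.index + m[0].length - 1; // the '{' that opens the callback
    const body = braceBody(src, braceIdx);
    if (body === null) continue;
    const line = lineOf(src, m.index);
    if (body.trim() === '') {
      findings.push({ id: 'TST-002', severity: 'High', file, line, test: name, message: 'empty test body' });
    } else if (!ASSERTION.test(body)) {
      findings.push({ id: 'TST-003', severity: 'High', file, line, test: name, message: 'no assertion in test' });
    }
  }
  return findings;
}

// Constructed sample test file: one placeholder, one assertion-free test, one real test
const SAMPLE_TEST_FILE = `
describe('login', () => {
  test('should work', () => {});

  it('calls the API', async () => {
    await login('alice', 'secret');
  });

  test('rejects a bad password', async () => {
    await expect(login('alice', 'wrong')).rejects.toThrow();
  });
});
`;

for (const f of checkTests(SAMPLE_TEST_FILE)) {
  console.log(`${f.severity} ${f.id} "${f.test}" (${f.file}:${f.line}) ${f.message}`);
}
```

The second sample test is the more dangerous of the two failures: it exercises real code and turns the coverage report green, yet a regression in `login` would never fail it.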
Basic project health checks - the fundamentals that vibe-coded projects often skip.
| ID | Check | Description | Severity |
|---|---|---|---|
| PRJ-001 | `.env` file committed | secrets may be exposed in the repository | Critical |
| PRJ-002 | `.gitignore` quality | missing entries for node_modules, .env, dist, build | Medium |
| PRJ-003 | Test files present | project contains test directories or test files | High |
| PRJ-004 | README exists | basic documentation for the project | Medium |
| PRJ-005 | Directory structure | organized into subdirectories vs flat structure | Low |
Loads your live website in a real browser to catch runtime errors, broken links, page bloat, and mixed content warnings.
| ID | Check | Description | Severity |
|---|---|---|---|
| WEB-001 | Console errors | JavaScript exceptions and `console.error` messages on page load | High |
| WEB-002 | Broken links | dead links that return 404 or fail to resolve | Medium |
| WEB-003 | Page weight | total download size of all resources | Medium |
| WEB-004 | Request count by type | number of scripts, images, fonts, etc. | Low |
| WEB-005 | Mixed content | HTTP resources loaded on an HTTPS page | High |
TOTAL: 129+ CHECKS
16 security + 15 secret detection + 6 headers + 5 SSL + 8 dependency + 10 performance + 7 SEO + 14 quality + 7 deep analysis + 6 performance patterns + 8 frontend + 6 config + 6 testing + 5 hygiene + 5 live website + ESLint rules + SonarQube rules = 129+ unique checks across every scan.
External tools (SonarQube, ESLint, Gitleaks, Trivy) each run hundreds of additional sub-rules on top of the checks listed above.