Your AI wrote the code.
Who checked the security?
vchk finds the vulnerability patterns that AI coding tools systematically introduce — SQL injection, hardcoded secrets, XSS, hallucinated packages, and more.
of AI code has security flaws
Veracode
more SQL injection with AI
Perry et al.
breaches from AI code
Aikido 2026
1import sqlite32import random3 4API_KEY = "sk-proj-abc123def456ghi789"5 6def get_user(username):7 query = f"SELECT * FROM users WHERE username = '{username}'"8 cursor.execute(query)9 return cursor.fetchone()10 11def generate_token():12 return str(random.randint(100000, 999999))Hardcoded API Key
API key embedded in source code
SQL Injection via String Interpolation
f-string in SQL query with user input
Weak Random Number Generator
random.randint() used for token generation
AI writes fast. It doesn't write safe.
It copies insecure patterns
AI models trained on millions of repos — including millions of insecure ones. When you ask for a database query, you get string concatenation because that’s what appeared most in training data. The code works. The vulnerability is invisible.
It makes you overconfident
Stanford research found that developers using AI assistants believe their code is MORE secure while actually producing LESS secure code. The code looks clean, passes basic tests, and gets merged without scrutiny.
Existing tools weren’t built for this
ESLint, Semgrep, Snyk — built for human-written code. They miss the specific patterns AI produces: hallucinated packages that don’t exist, “almost right” auth flows, tests that only test the happy path, deprecated APIs from 3 years ago.
8 rules. Zero false positives on real-world scans.
SQL Injection
String concatenation in database queries instead of parameterized queries
query = f"SELECT *FROM users WHEREname = '{name}'"
Hardcoded Credentials
API keys, passwords, and secrets embedded directly in source code
API_KEY ="sk-proj-a8f3..."
Missing Authentication
API endpoints handling sensitive data with no auth middleware
app.delete('/api/users/:id',handler)
Hallucinated Packages
Dependencies that don’t exist in npm/PyPI — AI invented the name
"flask-security-utils": "^2.1.0"
Cross-Site Scripting
dangerouslySetInnerHTML, innerHTML with unsanitized user content
res.send(`<h1>${req.query.q}</h1>`)
Weak Randomness
Math.random() and random.randint() used for security tokens
token = str(random.randint(100000, 999999))
Permissive CORS
origin: '*' allowing any website to call your API
app.use(cors())
Log Injection
User input written directly to logs without sanitization
logger.info(f"User: {user}")
Tested against 12 real vibe-coded projects
repos scanned
vulnerabilities found
false positive rate
scan time
Permissive CORS with credentials
allow_origins=["*"] with allow_credentials=True — any website could steal user sessions
Stored XSS via innerHTML
User-supplied markdown rendered via innerHTML without sanitization
Wildcard CORS on 10 edge functions
Including password reset, billing, and user deletion endpoints
4-stage pipeline. Sub-3-second scans.
The fast pass catches obvious patterns instantly. AST analysis understands code structure — it knows the difference between a parameterized query and a string-interpolated one. Registry checks verify your dependencies actually exist. The report deduplicates, scores severity by context, and detects vulnerability chains.
One command. Zero config.
Zero install
npx vchkGlobal install
npm install -g vchkCI/CD
npx vchk --ci --severity criticalname: vchk
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: npx vchk --ci --severity criticalOpen source. MIT license. No telemetry.
vchk is fully open source. No data leaves your machine. No API calls except to npm/PyPI registries to verify packages exist. No analytics, no tracking, no signup required. The code is on GitHub — read every line.