Get roasted before the internet does.

The vibecode security scanner. Free. Fable 5. Limited spots daily.

See your letter grade in ~30 seconds. Free. Made by First-Tree. The scanner is open-source.

What you get back

A letter grade, a one-line verdict, and every blocker roasted — each with a real file:line receipt. Screenshot-worthy on purpose.

Ready to launch · Almost there · Not yet · Do not launch

╔════════════════════════════════════════════════════════╗
║                                                        ║
║   ★  "Almost shippable. Attackers will love it."  ★    ║
║                                                        ║
╠════════════════════════════════════════════════════════╣
║                                                        ║
║   LAUNCH READINESS                       ┌─────────┐   ║
║   your-repo                              │    D    │   ║
║   Launch-ready tier                      └─────────┘   ║
║                                                        ║
║   ███░░░░░░░   34 / 100   ·   Do not launch            ║
║   2 Critical   1 High   0 Medium   1 n/a               ║
║                                                        ║
╚════════════════════════════════════════════════════════╝

  crit [x]  Your .env is in the repo. So is everyone else's now.
            .env:1 — 12 live keys committed (stripe, supabase…)

  HIGH [x]  Congrats — you built a free brute-force playground.
            api/auth/device/start.ts:12 — no rate limiter

  HIGH [x]  CORS set to * — you invited the whole internet in.
            server/app.ts:8 — Access-Control-Allow-Origin: * (creds)

First Tree fixes every blocker for you.

How it works

  1. Paste your repo

     A public GitHub URL. No signup, no install — the scan reads your code, it never runs it.

  2. Get roasted, with receipts

     A letter grade and a savage scorecard across 8 security & production checks — every joke welded to a real file:line finding.

  3. Fix it in one move

     First Tree files an issue per blocker and fixes them for you — so the roast ends with a shipped repo, not a screenshot.

What we actually check

The 8 places vibe-coded apps get owned at launch. We audit only the ones your project has — a static site won't get grilled on auth.

Paste a repo, get your letter grade in ~30 seconds.

We roast the code, never you — every finding is a static read of your public code, with real file:line evidence. The scanner is open-source.