The vibecode security scanner. Free. Fable 5. Limited spots daily.
See your letter grade in ~30 seconds. Free. Made by First-Tree. The scanner is open-source
A letter grade, a one-line verdict, and every blocker roasted — each with a real file:line receipt. Screenshot-worthy on purpose.
╔════════════════════════════════════════════════════════╗
║                                                        ║
║   ★ "Almost shippable. Attackers will love it." ★      ║
║                                                        ║
╠════════════════════════════════════════════════════════╣
║                                                        ║
║   LAUNCH READINESS                      ┌─────────┐    ║
║   your-repo                             │    D    │    ║
║   Launch-ready tier                     └─────────┘    ║
║                                                        ║
║   ███░░░░░░░  34 / 100 · Do not launch                 ║
║   2 Critical   1 High   0 Medium   1 n/a               ║
║                                                        ║
╚════════════════════════════════════════════════════════╝
CRIT [x] Your .env is in the repo. So is everyone else's now.
         .env:1 — 12 live keys committed (stripe, supabase…)
HIGH [x] Congrats — you built a free brute-force playground.
         api/auth/device/start.ts:12 — no rate limiter
HIGH [x] CORS set to * — you invited the whole internet in.
         server/app.ts:8 — Access-Control-Allow-Origin: * (creds)

A public GitHub URL. No signup, no install — the scan reads your code, it never runs it.
A letter grade and a savage scorecard across 8 security & production checks — every joke welded to a real file:line finding.
First Tree files an issue per blocker and fixes them for you — so the roast ends with a shipped repo, not a screenshot.
The 8 places vibe-coded apps get owned at launch. We audit only the ones your project has — a static site won't get grilled on auth.
.env, tokens in git history.

Paste a repo, get your letter grade in ~30 seconds.
We roast the code, never you — every finding is a static read of your public code, with real file:line evidence. The scanner is open-source.
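As an added illustration of the kind of read-only static check described above (this is not the scanner's own code), here is a small Python scanner that emits file:line receipts for two of the blockers in the sample scorecard: a committed .env holding live-looking keys, and a wildcard CORS origin paired with credentials. The sample tree, the check names and the regexes are assumptions; a `.env.example` template is deliberately exempt, and `*` without credentials is not reported.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, int, str]  # (severity, path, line, message): the file:line receipt

# NAME=value where NAME hints at a credential (`export NAME=...` accepted too).
SECRET_ASSIGN = re.compile(
    r"^\s*(?:export\s+)?([A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*)\s*=\s*(\S+)")
# Matches both {"Access-Control-Allow-Origin": "*"} and res.setHeader('Access-Control-Allow-Origin', '*').
CORS_WILDCARD = re.compile(r"Access-Control-Allow-Origin['\"]?\s*[:,]\s*['\"]\*['\"]", re.I)
CORS_CREDS = re.compile(r"Access-Control-Allow-Credentials['\"]?\s*[:,]\s*['\"]?true['\"]?", re.I)

def check_env_committed(path: str, text: str) -> List[Finding]:
    """CRIT when a real .env with credential-looking values is in the tree; templates are exempt."""
    name = path.rsplit("/", 1)[-1]
    if not name.startswith(".env") or name.endswith((".example", ".sample", ".template")):
        return []
    hits = [(n, m.group(1)) for n, line in enumerate(text.splitlines(), 1)
            if (m := SECRET_ASSIGN.match(line))]
    if not hits:
        return []
    vendors = list(dict.fromkeys(k.split("_")[0].lower() for _, k in hits))  # dedupe, keep order
    return [("CRIT", path, hits[0][0], f"{len(hits)} live keys committed ({', '.join(vendors)})")]

def check_cors_wildcard_with_creds(path: str, text: str) -> List[Finding]:
    """HIGH only when a wildcard origin and credentials=true are both set in one file."""
    lines = text.splitlines()
    wild = next((n for n, l in enumerate(lines, 1) if CORS_WILDCARD.search(l)), None)
    if wild is None or not any(CORS_CREDS.search(l) for l in lines):
        return []
    return [("HIGH", path, wild, "Access-Control-Allow-Origin: * (creds)")]

def scan(repo: Dict[str, str]) -> List[Finding]:
    """Run every check over every file of a {path: contents} mapping; nothing is executed."""
    findings: List[Finding] = []
    for path, text in sorted(repo.items()):
        findings += check_env_committed(path, text) + check_cors_wildcard_with_creds(path, text)
    return findings

# Constructed sample tree (not a real project); key values are placeholders.
SAMPLE_REPO = {
    ".env": "STRIPE_SECRET_KEY=sk_live_PLACEHOLDER\nSUPABASE_KEY=eyJPLACEHOLDER\nAPP_NAME=demo\n",
    ".env.example": "STRIPE_SECRET_KEY=\nSUPABASE_KEY=\n",
    "server/app.ts": ("import express from 'express';\nconst app = express();\n"
                      "app.use((req, res, next) => {\n"
                      "  res.setHeader('Access-Control-Allow-Origin', '*');\n"
                      "  res.setHeader('Access-Control-Allow-Credentials', 'true');\n  next();\n});\n"),
}
```

`scan(SAMPLE_REPO)` returns one CRIT receipt for `.env:1` (2 live keys, stripe and supabase) and one HIGH receipt for `server/app.ts:4`, the line that sets the wildcard origin.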