VibeShield 1.0 is live

Find exposed risks before attackers do.

Scan your live app URL and surface high-impact security mistakes fast. Clear evidence, plain-English fixes, premium reports.

macOS 12.0 or later

vibeshield-scan

indie-startup.com

Scan completed just now. Found 2 critical issues.

Critical: 2, Warning: 4, Passed: 18

Supabase Anon Key exposed with no RLS

Your public URL exposes the Supabase Anon Key, but Row Level Security (RLS) is disabled on the `users` table. Anyone can read your database.

Found in main.js

Firebase Realtime DB allows public reads

Security rules are set to `".read": true`. This exposes all user data publicly.

Development source maps found

Source maps are accessible, exposing your original unminified source code.

Every day an exposed endpoint stays live is another day you can lose your app.

Most costly incidents are simple misconfigurations: public database rules, weak auth boundaries, leaked source maps, broad CORS. VibeShield helps you catch and close these fast, before launch momentum turns into incident cleanup.

What one exposed release can cost you

Hour 0

A misconfiguration ships with your latest deploy.

24 Hours

Bots discover exposed routes, metadata, or data access edges.

72 Hours

User trust drops as incidents become visible and support load spikes.

Week 1

Revenue slows while you pause roadmap work to recover.

Runs locally on Mac

Native performance, zero lag.

No cloud scanning

Your code stays on your machine.

Unlimited scans

Scan as often as you ship.

Find what's exposed before someone else does.

VibeShield runs safe local probes and scanner heuristics tuned for modern stacks shipping fast.

Live URL Scanning

Scan production, staging, or localhost targets exactly as they are deployed, then surface evidence-backed findings with confidence scoring.

BaaS Misconfigs

Detects Supabase, Firebase, and Convex exposure patterns, plus CORS/auth boundary issues, source maps, GraphQL surfaces, and route leaks. Detects exposed API keys/token-like secrets in public client code and routes.

Plain-English Fixes

No heavy security jargon. Get clear fix guidance, actionable steps, and optional Apple Intelligence or cloud AI suggestions when you want deeper help.

Exportable Reports

Export polished reports to PDF, Markdown, HTML, or JSON. Perfect for client handoff, issue tracking, and audit history.

Scan like a hacker, fix like a pro.

We designed VibeShield for "vibe coders" who ship fast. No complex auth flows or CI/CD integrations required.

1. Enter your live URL

Point VibeShield at your production or staging domain. Localhost works too.

2. Run the deep scan

VibeShield runs multiple safe scanners in parallel to inspect public config, routes, headers, auth boundaries, and stack-specific exposure signals.

3. Apply the fixes

Copy fix steps/snippets directly into your vibe-coding tool (Claude, Codex, etc.) and work alongside it to ship the remediation quickly.

Supabase RLS Disabled

Critical Severity. Detected in 2.1s.

The Issue

Your Supabase project exposes the anonymous key, which is normal. However, the users table does not have Row Level Security enabled. This allows any visitor to query the entire table.

How to Fix

SQL Fix
ALTER TABLE users ENABLE ROW LEVEL SECURITY;
-- Allow users to only read their own data
CREATE POLICY "Users can read own data"
ON users FOR SELECT
USING (auth.uid() = id);
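
To confirm the fix above took effect and to find other tables with the same gap, the following audit query can be run in the project's SQL editor. It is an added example, not VibeShield's own code or output, and it assumes Supabase's default public API role name `anon` and the `public` schema.

```sql
-- Added example: audit Row Level Security coverage per table.
-- Assumption: the unauthenticated API role is named "anon" (Supabase default);
-- the query errors if that role does not exist, so adjust the name if needed.
SELECT
    n.nspname                                          AS schema_name,
    c.relname                                          AS table_name,
    c.relrowsecurity                                   AS rls_enabled,
    count(p.oid)                                       AS policy_count,
    has_table_privilege('anon'::name, c.oid, 'SELECT') AS anon_can_select,
    CASE
        -- The case described above: RLS off and the anon role holds SELECT.
        WHEN NOT c.relrowsecurity
             AND has_table_privilege('anon'::name, c.oid, 'SELECT')
            THEN 'EXPOSED: anon can read every row'
        WHEN NOT c.relrowsecurity
            THEN 'RLS off: protected by grants only'
        -- RLS on with zero policies means default deny for non-owner roles.
        WHEN count(p.oid) = 0
            THEN 'RLS on, no policies: default deny'
        ELSE 'RLS on with policies: review each policy'
    END                                                AS status
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN pg_policy p ON p.polrelid = c.oid
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')   -- ordinary and partitioned tables
GROUP BY n.nspname, c.relname, c.oid, c.relrowsecurity
ORDER BY rls_enabled, table_name;
```

After applying the fix, `users` should show `rls_enabled = true` and `policy_count = 1`. Because the policy covers only `SELECT`, inserts, updates and deletes through the API remain denied until policies for those commands are added.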

Simple pricing. No subscriptions.

Pay once, scan forever. Save hours of manual debugging and secure your app before launch.

Lifetime License
$49 USD

Launch pricing: $49. The price will increase to $79 as v1 matures.

  • Unlimited local scans
  • Supabase, Firebase, Convex checks
  • Detailed plain-English fix guidance
  • PDF, Markdown, HTML, and JSON exports
  • Local-first scanning + optional AI providers
  • Apple Intelligence on-device option in remediation flow
  • Scan history and re-run workflows

Requires macOS 12.0 or later.

FAQ

Does VibeShield send my app data to your servers?

No. Scanning is local-first on your Mac. Optional AI requests only run when you explicitly trigger them.

Does VibeShield check exposed API keys?

Yes. VibeShield detects exposed API keys and token-like secrets in public client code and routes.

Can I use Apple Intelligence instead of cloud AI?

Yes. VibeShield includes an Apple Intelligence on-device option and local pre-written guidance, so AI is never a hard dependency.

How do I apply fixes quickly with my vibe coding workflow?

Each finding includes copy-ready evidence and fix guidance. Paste that into your coding assistant to implement remediation faster while keeping control of final changes.

What report formats are included?

PDF, Markdown, HTML, and JSON are included in-app so you can share findings with teammates or clients instantly.