Two different approaches to securing vibe-coded apps. One scans your deployed app, the other scans your source code. Which is right for you?
Vibe App Scanner doesn't require access to your code. Many developers are hesitant to connect their repos to third-party tools. VAS scans your deployed application without needing GitHub OAuth, which is a real privacy advantage. Vibeship requires repository access to perform its source code analysis.
| Feature | Vibe App Scanner | Vibeship Scanner |
|---|---|---|
| Repo access required | No | Yes (GitHub OAuth) |
| Scanning approach | DAST (deployed apps) | SAST (source code) |
| Supabase RLS checks | Yes (tests the live database) | No (source code only) |
| Open source | No (commercial, free tier) | Yes |
| AI fix prompts | | Yes ("Master AI Fix Prompt") |
| Works with private repos | Yes (scans URL) | Public only* |
| Runtime vulnerability detection | Yes | No |
* Vibeship can scan private repos if you self-host the scanner
Vibeship Scanner is an open-source security scanning tool built by @meta_alchemist / Seedify. It's part of a larger ecosystem that includes Vibeship Mind (memory) and Vibeship Spawner (skills).
The scanner is built on a combination of existing security tools.
Vibeship claims to detect 2,000+ vulnerability types across 3,500+ security patterns. It generates a "Master AI Fix Prompt" that you can use with Claude or Cursor to fix issues. The scanner is available at scanner.vibeship.co and the source code is on GitHub at vibeforge1111/vibeship-scanner.
Vibe App Scanner (VAS) is a DAST (Dynamic Application Security Testing) tool specifically designed for apps built with AI code generation tools like Lovable, Bolt.new, Cursor, and Replit.
Instead of scanning source code, VAS scans your deployed application, the running app that users actually interact with. It therefore sees the app's live configuration (database permissions, exposed endpoints) rather than the code that produced it.
VAS discovered the vulnerabilities behind CVE-2025-48757, which affected 170+ Lovable applications with exposed databases.
DAST (VAS) tests your running application from the outside, the way an attacker would. It can find issues that only exist at runtime, such as a database table that answers anonymous requests because row-level security was never enabled on it.
SAST (Vibeship) analyzes source code without running it. It's great for finding code-level issues, but it can only see what the code and migrations say, not what the deployed database or hosting environment actually enforces.
VAS only needs your deployed URL. Your source code stays private. No GitHub OAuth, no repo access.
Vibeship requires GitHub OAuth to access your repository. If you're uncomfortable with third-party code access, you can self-host.
Yes! VAS and Vibeship are complementary tools that address different aspects of security: Vibeship finds code-level issues before you deploy, and VAS finds runtime misconfigurations in the app you have already deployed.
For the most comprehensive security coverage, using both SAST and DAST tools is a security best practice.
Vibe App Scanner scans deployed applications (DAST) without needing code access, while Vibeship scans source code (SAST) and requires GitHub OAuth access to your repository. VAS tests your app as users see it; Vibeship analyzes the code before deployment.
Yes, Vibeship requires GitHub OAuth access to scan your repository. If you're concerned about privacy, you can self-host the scanner. Vibe App Scanner only needs your deployed URL - no code access required.
Vibe App Scanner actively tests Supabase RLS policies by attempting to access data without authentication. This was how CVE-2025-48757 (affecting 170+ Lovable apps) was discovered. Vibeship's SAST approach cannot test runtime database security - it can only see the code, not how the database is actually configured.
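To make the DAST-versus-SAST distinction concrete, here is an added example (written for this page, not code from Vibe App Scanner or Vibeship) of both kinds of Supabase RLS check side by side. The runtime probe sends the same anonymous PostgREST request an attacker would, using the project URL and anon key that every Supabase-backed frontend ships in its JavaScript bundle; the source check scans migration SQL for tables that were created but never had `ENABLE ROW LEVEL SECURITY` applied. The project URL, anon key, table names, migration text and HTTP responses are all constructed for the example so it runs offline; `urllib_fetch` is the only function that touches the network.

```python
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Hypothetical project URL and anon key (assumptions for the example). In a real
# app both are embedded in the shipped JS bundle, which is why an anonymous
# probe is a realistic attacker move and why a URL is all a DAST tool needs.
PROJECT_URL = "https://example-project.supabase.co"
ANON_KEY = "eyJ-hypothetical-anon-key"

Fetcher = Callable[[urllib.request.Request], Tuple[int, str]]


def anon_select_request(project_url: str, anon_key: str, table: str,
                        limit: int = 1) -> urllib.request.Request:
    """Build the PostgREST GET an anonymous client would send for one table."""
    url = f"{project_url.rstrip('/')}/rest/v1/{table}?select=*&limit={limit}"
    headers = {
        "apikey": anon_key,
        "Authorization": f"Bearer {anon_key}",  # anon role, no user JWT
        "Accept": "application/json",
    }
    return urllib.request.Request(url, headers=headers, method="GET")


def classify_anon_response(status: int, body: str) -> str:
    """Turn one PostgREST response into a verdict.

    Edge case a scanner must handle: a table with RLS enabled but no SELECT
    policy answers 200 with [] (rows are filtered silently), exactly like an
    empty table with RLS off. An empty result is inconclusive, not a pass.
    """
    if status == 404:
        return "not_found"
    if status in (401, 403):
        return "blocked"
    if status == 200:
        try:
            rows = json.loads(body)
        except ValueError:
            return "unexpected"
        if isinstance(rows, list) and rows:
            return "exposed"  # anonymous read returned real rows
        return "inconclusive"
    return "unexpected"


def urllib_fetch(req: urllib.request.Request) -> Tuple[int, str]:
    """Real network fetcher, only used when pointed at a live project."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def dast_probe_tables(project_url: str, anon_key: str, tables: List[str],
                      fetch: Fetcher = urllib_fetch) -> Dict[str, str]:
    """DAST side: probe each table anonymously, return {table: verdict}."""
    return {t: classify_anon_response(*fetch(anon_select_request(project_url, anon_key, t)))
            for t in tables}


# SAST side: what a source scanner can see. It cannot see a later migration or
# a dashboard toggle that disabled RLS in the live database.
_CREATE_TABLE = re.compile(
    r'create\s+table\s+(?:if\s+not\s+exists\s+)?(?:"?public"?\.)?"?(\w+)"?', re.I)
_ENABLE_RLS = re.compile(
    r'alter\s+table\s+(?:only\s+)?(?:"?public"?\.)?"?(\w+)"?\s+enable\s+row\s+level\s+security', re.I)


def sast_find_tables_without_rls(sql: str) -> List[str]:
    """Tables created in the SQL that never get ENABLE ROW LEVEL SECURITY."""
    created = [m.group(1).lower() for m in _CREATE_TABLE.finditer(sql)]
    secured = {m.group(1).lower() for m in _ENABLE_RLS.finditer(sql)}
    return [t for t in created if t not in secured]


# Constructed sample data (not from any real project).
CONSTRUCTED_MIGRATION = """
create table public.profiles (id uuid primary key, email text);
alter table public.profiles enable row level security;
create table if not exists "orders" (id bigint primary key, total numeric);
"""

CONSTRUCTED_RESPONSES = {
    "profiles": (200, "[]"),                          # RLS on, no anon policy
    "orders": (200, '[{"id": 1, "total": 42.0}]'),    # RLS off: rows leak
    "secrets": (401, '{"message": "permission denied"}'),
    "nope": (404, '{"message": "table not found"}'),
}


def constructed_fetch(req: urllib.request.Request) -> Tuple[int, str]:
    """Offline stand-in for urllib_fetch that answers from CONSTRUCTED_RESPONSES."""
    table = req.full_url.split("/rest/v1/")[1].split("?")[0]
    return CONSTRUCTED_RESPONSES[table]


if __name__ == "__main__":
    print("SAST, tables without RLS:", sast_find_tables_without_rls(CONSTRUCTED_MIGRATION))
    print("DAST, anonymous probe:", dast_probe_tables(
        PROJECT_URL, ANON_KEY, list(CONSTRUCTED_RESPONSES), fetch=constructed_fetch))
```

The two checks disagree in an instructive way: the migration check flags `orders` (created without RLS) and passes `profiles`, while the runtime probe confirms `orders` is readable by anyone but can only call `profiles` inconclusive, since an empty array is what a correctly locked table returns as well. Against a live project, swap `constructed_fetch` for the default `urllib_fetch` and pass the table names your app's frontend actually queries.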
Yes, Vibeship Scanner is open source on GitHub (vibeforge1111/vibeship-scanner). You can self-host it if you prefer not to use their hosted service. Vibe App Scanner is a commercial product with a free tier for basic scans.
Absolutely! They're complementary. Use Vibeship for source code analysis during development, and Vibe App Scanner to test your deployed app for runtime vulnerabilities. SAST + DAST together provides the most comprehensive security coverage.
No code access required. Just enter your URL and get a comprehensive security report in minutes.
Last updated: January 15, 2026