Vibe App Scanner vs Vibeship
Two different approaches to securing vibe-coded apps. One scans your deployed app, the other scans your source code. Which is right for you?
Key Difference: Code Access
Vibe App Scanner doesn't require access to your code. Many developers are hesitant to connect their repos to third-party tools. VAS scans your deployed application without needing GitHub OAuth - a real privacy advantage. Vibeship requires repository access to perform its source code analysis.
Feature Comparison
| Feature | Vibe App Scanner | Vibeship Scanner |
|---|---|---|
| Repo access required | No | Yes (GitHub OAuth) |
| Scanning approach | DAST (deployed apps) | SAST (source code) |
| Supabase RLS checks | Yes | No |
| Open source | No | Yes |
| AI fix prompts | | Yes |
| Works with private repos | Yes (scans URL) | No (public only*) |
| Runtime vulnerability detection | Yes | No |
* Vibeship can scan private repos if you self-host the scanner
What is Vibeship?
Vibeship Scanner is an open-source security scanning tool built by @meta_alchemist / Seedify. It's part of a larger ecosystem that includes Vibeship Mind (memory) and Vibeship Spawner (skills).
The scanner uses a combination of security tools:
- Opengrep - SAST (Static Application Security Testing)
- Trivy - Dependency vulnerability scanning
- Gitleaks - Secrets detection in code
- npm audit - Node.js dependency checks
Vibeship claims to detect 2,000+ vulnerability types across 3,500+ security patterns. It generates a "Master AI Fix Prompt" that you can use with Claude or Cursor to fix issues. The scanner is available at scanner.vibeship.co and the source code is on GitHub at vibeforge1111/vibeship-scanner.
What is Vibe App Scanner?
Vibe App Scanner (VAS) is a DAST (Dynamic Application Security Testing) tool specifically designed for apps built with AI code generation tools like Lovable, Bolt.new, Cursor, and Replit.
Instead of scanning source code, VAS scans your deployed application - the actual running app that users interact with. This means:
- No code access required - Just provide your URL
- Tests real-world security - Checks if RLS policies actually work
- Finds runtime issues - Exposed API keys, missing headers, database misconfigurations
- Supabase/Firebase specific - Deep testing for BaaS security
VAS discovered the vulnerabilities behind CVE-2025-48757, which affected 170+ Lovable applications with exposed databases.
Key Differences Explained
DAST vs SAST
DAST (VAS) tests your running application from the outside, like an attacker would. It can find issues that only appear at runtime, like misconfigured database permissions.
SAST (Vibeship) analyzes source code without running it. It's great for finding code-level issues but can't test runtime configurations.
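To make the SAST side of this distinction concrete, here is an added example (not code from either project) of the kind of check a source-code scanner such as Gitleaks or Opengrep performs: it finds JWT-shaped tokens in client source and, because Supabase encodes the key's role in the token payload, flags a service-role key shipped to the browser as high severity while treating the anon key as informational. The sample source and both tokens are constructed inline (the tokens are built by `encode_fake_jwt`, so neither is a real key); the `role` claim convention is an assumption about Supabase keys. Notice what the check cannot tell you: whether Row Level Security is actually enabled on the tables that key reaches, which only a runtime test can answer.

```python
import base64
import json
import re
from typing import Optional

# JWTs are three base64url segments; a JSON object encodes with the prefix "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def encode_fake_jwt(claims: dict) -> str:
    """Build a syntactically valid, unsigned JWT for the constructed sample only."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.notarealsignature"


def jwt_role(token: str) -> Optional[str]:
    """Read the 'role' claim without verifying the signature (detection only)."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore base64 padding
        return json.loads(base64.urlsafe_b64decode(payload)).get("role")
    except (ValueError, IndexError):
        return None


def find_embedded_keys(source: str) -> list:
    """Return one finding per JWT-shaped token found in the source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in JWT_RE.finditer(line):
            role = jwt_role(match.group(0))
            # Assumption: Supabase anon keys carry role "anon" (meant to be public,
            # RLS still applies); service-role keys carry "service_role" and bypass RLS.
            severity = "HIGH" if role == "service_role" else "INFO"
            findings.append({"line": lineno, "role": role, "severity": severity})
    return findings


# Constructed client-side source, as a SAST tool would see it in the repo.
ANON_TOKEN = encode_fake_jwt({"iss": "supabase", "role": "anon"})
SERVICE_TOKEN = encode_fake_jwt({"iss": "supabase", "role": "service_role"})
SAMPLE_SOURCE = (
    'const SUPABASE_URL = "https://your-project-ref.supabase.co";  // placeholder\n'
    'const SUPABASE_ANON_KEY = "' + ANON_TOKEN + '";\n'
    'const ADMIN_KEY = "' + SERVICE_TOKEN + '";  // must never reach the browser\n'
)

if __name__ == "__main__":
    for finding in find_embedded_keys(SAMPLE_SOURCE):
        print(f"line {finding['line']}: role={finding['role']} severity={finding['severity']}")
```

A finding of `severity=HIGH` on line 3 is the code-level issue SAST is good at; the remediation is to move that key to server-side code or an environment variable and rotate it. Nothing in this scan touches the deployed app, so a table left without RLS would pass it silently.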
Privacy & Access
VAS only needs your deployed URL. Your source code stays private. No GitHub OAuth, no repo access.
Vibeship requires GitHub OAuth to access your repository. If you're uncomfortable with third-party code access, you can self-host.
When to Use Each Tool
Use Vibeship when:
- Working on open source projects
- You want AI-generated fix prompts during development
- Comfortable granting repo access to third parties
- Need dependency vulnerability scanning
Use Vibe App Scanner when:
- You don't want to share your source code
- Using Supabase and need RLS policy testing
- Want to test your deployed app before launch
- Need to verify runtime security configurations
Can You Use Both?
Yes! VAS and Vibeship are complementary tools that address different aspects of security:
- Use Vibeship during development to catch code-level issues and get AI-generated fixes
- Use VAS before deployment to test your actual running application
- SAST finds issues in code, DAST finds issues in configuration and runtime behavior
For the most comprehensive security coverage, using both SAST and DAST tools is a security best practice.
Frequently Asked Questions
What's the main difference between Vibe App Scanner and Vibeship?
Vibe App Scanner scans deployed applications (DAST) without needing code access, while Vibeship scans source code (SAST) and requires GitHub OAuth access to your repository. VAS tests your app as users see it; Vibeship analyzes the code before deployment.
Do I need to give Vibeship access to my code?
Yes, Vibeship requires GitHub OAuth access to scan your repository. If you're concerned about privacy, you can self-host the scanner. Vibe App Scanner only needs your deployed URL - no code access required.
Which scanner checks Supabase RLS policies?
Vibe App Scanner actively tests Supabase RLS policies by attempting to access data without authentication. This was how CVE-2025-48757 (affecting 170+ Lovable apps) was discovered. Vibeship's SAST approach cannot test runtime database security - it can only see the code, not how the database is actually configured.
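The runtime test described in this answer can be reproduced against your own project as a self-check. The script below is an added example, not Vibe App Scanner's code: it issues the same read that any visitor's browser could make (the project URL and anon key are the values already embedded in a public Supabase front end) and classifies the PostgREST response. The project URL and key are placeholders, the table names and responses in `SAMPLE_RESPONSES` are constructed so the classifier runs offline, and the response conventions (200 with an empty list when RLS is on and no policy grants the anon role, 401/403 when the role has no grant) are assumptions about Supabase's REST layer.

```python
import json
import urllib.error
import urllib.request

# Placeholders: substitute your own project's URL and its *anon* key.
SUPABASE_URL = "https://your-project-ref.supabase.co"
SUPABASE_ANON_KEY = "PASTE_YOUR_ANON_KEY_HERE"


def classify(status: int, body: str) -> str:
    """Map the response to an unauthenticated select on one table to a verdict."""
    if status == 200:
        try:
            rows = json.loads(body)
        except ValueError:
            return "UNKNOWN"
        if isinstance(rows, list) and rows:
            # Anon role can read rows: RLS is off or a policy is too permissive.
            return "EXPOSED"
        # RLS enabled with no policy for anon yields 200 and an empty list.
        return "LOCKED_DOWN"
    if status in (401, 403):
        return "LOCKED_DOWN"  # anon role has no grant on the table
    if status == 404:
        return "NOT_FOUND"  # table is not exposed through the API
    return "UNKNOWN"


def probe_table(table: str, base_url: str = SUPABASE_URL,
                anon_key: str = SUPABASE_ANON_KEY) -> str:
    """Request a single row as the anon role and classify the answer."""
    req = urllib.request.Request(
        f"{base_url}/rest/v1/{table}?select=*&limit=1",
        headers={"apikey": anon_key, "Authorization": f"Bearer {anon_key}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode())


# Constructed responses standing in for three tables, so the audit runs offline.
SAMPLE_RESPONSES = {
    "profiles": (200, '[{"id": 1, "email": "alice@example.com"}]'),
    "orders": (200, "[]"),
    "secrets": (401, '{"message": "permission denied for table secrets", "code": "42501"}'),
}


def audit(responses: dict = SAMPLE_RESPONSES) -> dict:
    return {table: classify(status, body) for table, (status, body) in responses.items()}


if __name__ == "__main__":
    for table, verdict in audit().items():
        print(f"{table:10s} {verdict}")
    # Fix for an EXPOSED table, run in the SQL editor (PostgreSQL syntax):
    #   alter table public.profiles enable row level security;
    #   create policy "owner reads own row" on public.profiles
    #     for select using (auth.uid() = id);
```

Two caveats when reading the verdicts: an empty table and a locked-down table both return `[]`, so `LOCKED_DOWN` on a table you know holds data is the meaningful signal, and a select that returns nothing says nothing about insert, update or delete policies, each of which needs its own check.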
Is Vibeship open source?
Yes, Vibeship Scanner is open source on GitHub (vibeforge1111/vibeship-scanner). You can self-host it if you prefer not to use their hosted service. Vibe App Scanner is a commercial product with a free tier for basic scans.
Can I use both tools together?
Absolutely! They're complementary. Use Vibeship for source code analysis during development, and Vibe App Scanner to test your deployed app for runtime vulnerabilities. SAST + DAST together provides the most comprehensive security coverage.
Ready to Scan Your Deployed App?
No code access required. Just enter your URL and get a comprehensive security report in minutes.
Last updated: January 15, 2026