Is Vibe Coding Safe for Production? What You Need Before You Ship
Vibe coding speed is real. The security debt is invisible until it isn't. Add Semgrep and Trufflehog to your CI before any repo goes to production. Both run in GitHub Actions, take under 30 minutes
I had a client ask me this last week. They’d built a working app using Claude — Node.js, Express, SQLite, OpenRouter API calls — in about three days. It looked clean. The demo ran fine. They wanted to go live.
I told them: not yet.
Not because AI-generated code is bad. It isn’t. But “works on my machine” and “safe for production” are two completely different bars, and vibe coding optimises for the first one. Here’s what the second one actually requires.
The Wrong Mental Model: Reviewing AI Code Like Human Code
Most developers review AI-generated code the same way they review a colleague’s pull request. They check logic, naming, structure. They run the tests. If it looks reasonable, it ships.
That mental model misses the specific failure modes AI code introduces. An experienced developer doesn’t usually hallucinate a dependency. An LLM does it confidently, every session.
The Five Things AI Code Gets Wrong By Default
1. Hallucinated dependencies
AI agents install packages that don’t exist, or that have been typo squatted by a malicious lookalike. One bad entry in package.json is a supply chain attack waiting to happen. You need to verify every generated dependency against the actual registry before the first npm install.
2. Insecure defaults
LLMs optimise for demos that pass. That means hardcoded credentials, open CORS (*), disabled SSL verification, world-readable file permissions. None of these crash your app in development. All of them are security holes in production.
3. Hidden routes and endpoints
AI scaffolding frequently creates debug routes, admin interfaces, or test endpoints the developer never asked for and doesn’t know exist. Review the full route list, not just the routes you remember asking for.
4. Outdated CVE patterns
Models train on historical code. They reproduce vulnerable patterns — old JWT libraries, deprecated crypto implementations, ORM usage that’s susceptible to SQL injection — that have since been patched upstream. The code looks normal. It isn’t.
5. Secrets in the repo
API keys, .env files, and connection strings end up committed when AI handles scaffolding. Check your git history before the repo goes anywhere near a remote.
The Three-Layer Fix
You don’t need to manually audit every line. You need to automate the right checks.
Layer 1 — Automated scanning (must-have, set up before first deploy)
Run these in CI/CD. Not once manually — on every push.
Layer 2 — AI-specific checklist before go-live
Go through this before shipping any vibe-coded project:
No hardcoded secrets — env vars only
Every AI-generated package verified on npmjs/pypi
No undocumented debug/admin routes
CORS locked to specific origins (not
*)Auth middleware actually applied (not just written — test it)
All DB queries use parameterised inputs
File uploads validated server-side
Rate limiting on all public endpoints
Error messages don’t leak stack traces to the client
.envand config files confirmed in.gitignore
Layer 3 — Manual pen test for apps handling real user data
If your app touches user data, payments, or third-party API keys, one day of manual testing on the API layer is worth it. Automated scanning catches pattern-level issues. Business logic flaws — the kind AI agents commonly introduce — need a human to find.
For ZhiFuuAsk-style apps using Stripe: API key exposure, missing auth middleware on scaffolded routes, and dependency confusion are the three highest-risk areas. Check those first.
The Honest Summary
Vibe coding speed is real. The security debt is invisible — until it isn’t.
Add Semgrep and Trufflehog to your CI before any repo goes to production. Both run in GitHub Actions, take under 30 minutes to set up, and catch the most common AI coding mistakes automatically.
The checklist above takes maybe an hour on a small project. That’s a cheap insurance policy for something you’re putting your name on.
Building with AI and not sure if your setup is production-ready? Drop your stack in the comments — happy to flag the specific risks.


