Original research · July 2026
The state of vibe-coded security
We ran the Merge Risk scanner over 150 public apps built with AI coding tools. Most were fine. But a stubborn share ship the one mistake that ends a weekend project: a working key, sitting in the code, readable by anyone.
Most pass. The tail is the problem.
83% earned an A. That's the honest headline, and it's good news — AI tools are not leaking secrets in the average project. But security isn't an average. One committed admin key is a full breach, and 12 of 150 repos (8%) earned a straight F.
What the AI leaves behind
The pattern is consistent. The code works, the app runs, the demo is clean — and a secret rides along, because nothing in the build process stops it. The usual suspects:
- A live key in a committed file. Stripe, OpenAI, a database URL with credentials — pasted in to make it work, then never moved to an environment variable.
- The admin key in the wrong place. A Supabase
service_rolekey that ignores every access rule, wired into client code where the browser can read it. - The half-fix. A secret deleted from a file in a later commit — but still sitting in the git history, still valid, one clone away.
One number we won't give you
You'll see security tools claim huge percentages of “wide-open databases.” We could have. We didn't, because our live database probe only fires when a repo commits a usable connection URL and public key together — and most don't, so we simply couldn't test most of them. A low number there means rarely testable, not proven safe. We'd rather report 14% we can stand behind than a scary one we can't.
Is your app in the 14%?
Paste your repo and find out in ten seconds. We don't guess — we call your keys and ask your database, then tell you exactly what to fix. Free, no signup.
Scan your repo