Original research · July 2026

The state of vibe-coded security

We ran the Merge Risk scanner over 150 public apps built with AI coding tools. Most were fine. But a stubborn share ship the one mistake that ends a weekend project: a working key, sitting in the code, readable by anyone.

1 in 7
14% had an API key or secret committed straight into their code.
9%
scored a D or an F — a failing security grade on a first look.
2%
exposed a Supabase service_role key — the admin key that ignores every access rule.

Most pass. The tail is the problem.

83% earned an A. That's the honest headline, and it's good news — AI tools are not leaking secrets in the average project. But security isn't an average. One committed admin key is a full breach, and 12 of 150 repos (8%) earned a straight F.

A
125
B
2
C
9
D
2
F
12

What the AI leaves behind

The pattern is consistent. The code works, the app runs, the demo is clean — and a secret rides along, because nothing in the build process stops it. The usual suspects:

One number we won't give you

You'll see security tools claim huge percentages of “wide-open databases.” We could have. We didn't, because our live database probe only fires when a repo commits a usable connection URL and public key together — and most don't, so we simply couldn't test most of them. A low number there means rarely testable, not proven safe. We'd rather report 14% we can stand behind than a scary one we can't.

Method. 150 public repositories, sampled in July 2026 as public repos pairing Supabase with a JS framework, recently pushed, under 40 stars. Each was scanned with the same engine that powers this site: committed-secret detection, git-history reads, a live Row-Level-Security probe where a public key was available, and framework-specific checks. No repository is named here. “Committed a secret” counts a critical or high-severity key finding; we did not mass-verify whether each key still works, so treat that figure as a floor, not a ceiling.

Is your app in the 14%?

Paste your repo and find out in ten seconds. We don't guess — we call your keys and ask your database, then tell you exactly what to fix. Free, no signup.

Scan your repo