The practical guide to shipping AI-generated code with confidence.

We ship AI-generated code every day. It works. It's fast. And after scanning hundreds of repos built this way, we know exactly where it breaks.

It doesn't break everywhere. It breaks in six specific places. Fix those six things and your vibe-coded app is production-ready. Skip them and you're one curious user away from a breach.

This is the guide we wish existed when we started. No theory. Just the six things that actually matter and how to set each one up.

Block secrets before they hit the repo

The single fastest path to a breach is a hardcoded credential in your codebase. AI models reproduce placeholder values from their training data. "supersecretkey" as a JWT secret. Default database passwords. API keys copied from tutorial repos. They generate working code with working credentials that happen to be shared with thousands of other apps trained on the same data.

The fix is a pre-commit hook. One file in your repo. Takes two minutes.

1# .pre-commit-config.yaml
2repos:
3  - repo: https://github.com/gitleaks/gitleaks
4    rev: v8.18.0
5    hooks:
6      - id: gitleaks

This runs in under 2 seconds on every commit. If a credential shows up, the commit fails. Your secrets move to environment variables, your .env files stay gitignored, and anything that already touched the repo gets rotated.

One specific thing to check right now: If you're using Supabase, run grep -r "service_role" src/. LLMs constantly mix up the anon key (safe for frontend) and the service_role key (bypasses all Row Level Security). We see the wrong key in client-side bundles in about 1 in 8 Supabase projects we scan. If it's there, rotate it today.

Verify your dependencies actually exist

When your AI suggests npm install some-package, that package might be hallucinated. It doesn't exist on npm. But an attacker might have registered it after noticing models keep suggesting it.

This already happened. A hallucinated npm package called react-codeshift spread to 237 repositories, with daily install attempts coming from AI coding agents pulling it automatically.

Before you deploy, you need a full SBOM and SCA scan against every dependency. Verify that each package actually exists on the real registry and isn't abandoned or compromised. This takes about five minutes with the right tooling in CI. It catches both the hallucinated packages and the known-vulnerable ones the AI pulled from outdated training data.

Test auth without the frontend

This is the one that gets people. Your login page works. The dashboard loads. Everything looks secure. But when you hit the API directly with curl, there's nothing there.

The pattern is always the same: the AI builds a beautiful login form, handles the UI flow correctly, and never implements server-side authorization. The login is cosmetic. The API is wide open.

Pick up curl or Postman. Hit every endpoint that returns user-specific data. Authenticate as user A, change the ID in the request, see if you get user B's data. If you do, that's an IDOR and your AI almost certainly didn't prevent it.

Four things to verify:

Server-side auth exists. Not just a client-side check. The API itself rejects unauthenticated requests.

Row Level Security is on. If you're on Supabase or any Postgres setup, RLS should be enabled on every table that holds user data. Not just the users table. Every table.

Session tokens are validated on every request. Not just on login. Every subsequent API call checks the token server-side.

Role checks happen at the API. If you have admin endpoints, they check roles at the route level. Not in the UI. Not in a middleware that got added to three of your seven admin routes.

This testing would have prevented most of the vibe coding breaches this year.

Add semantic analysis for business logic

Your SAST tool catches SQL injection and XSS. It doesn't catch this: a payment endpoint that accepts negative quantities. A discount code that stacks ten times. An API that returns resources without checking if the requesting user owns them.

These are logic flaws. The code is syntactically valid. No pattern rule will flag it. The business logic is simply wrong, and the AI had no way to know what the correct business logic should be.

This is where semantic analysis comes in. Instead of matching patterns, it traces data flow. Does the request go through an auth check? Does the authorization step verify ownership? Does the quantity field get validated against business rules before the transaction executes?

When you run semantic analysis alongside traditional SAST, you find 0% overlap. Completely different vulnerability class. Running both isn't redundant. It's covering different ground.

The key insight: you don't need to review every line of AI-generated code. You need a tool that understands what the code is supposed to do and flags where the implementation doesn't match the intent. That's the review that scales.

Run the full stack on every push

None of the above matters if it only happens manually, once, before launch. Security is a CI problem. It needs to run on every push, automatically, and give you a short list of things that actually need attention.

Here's the pipeline:

1Pre-commit: secret scanning
2    |
3Push to branch
4    |
5CI: SBOM + SCA + SAST + secrets
6    |
7Semantic scan: auth + logic flaws
8    |
9PR gets 5-15 prioritized findings as comments
10    |
11Focused review
12    |
13Merge

The thing that makes or breaks this: noise. If your CI spits out 500 findings and 435 are false positives, your team will stop reading them within a week. We've seen it happen over and over. The security tab gets permanently collapsed. The Slack notifications get muted.

Noise reduction isn't a nice-to-have. It's the difference between a pipeline people follow and a pipeline people bypass. Group identical violations into single tickets. Filter by exploitability. Turn 500 alerts into 15 that matter. That's the version that actually gets acted on.

Set the headers and configs the AI forgot

This one is quick but easy to miss.

AI-generated web apps regularly ship without security headers. Content-Security-Policy, X-Frame-Options, Strict-Transport-Security. These aren't obscure. They're baseline. But models don't always include them and no test fails because they're absent.

Same with CORS. Check whether your app is serving Access-Control-Allow-Origin: * with credentials enabled. That's a critical misconfiguration and LLMs set it as the default because it's the path of least resistance during development.

Five minutes to check. Five minutes to fix. Set it explicitly rather than hoping the AI remembered.

That's the list

Six things. Not sixty.

1. Pre-commit secret scanning

2. Dependency verification

3. API-level auth testing

4. Semantic analysis for business logic

5. Automated scanning on every push with noise reduction

6. Security headers and CORS set explicitly

You don't need a security team for any of this. You don't need to understand every line of AI-generated code. You need a pipeline that catches the six places where AI-generated code consistently fails, and you need it running on every push so you catch it before your users do.

The AI writes fast. The safety layer needs to keep up. When it does, vibe coding ships just fine.

You can set all of this up manually. Stitch together Gitleaks, Syft, Semgrep, Trivy, and a separate semantic analysis tool. Configure them individually. Maintain six different integrations. Triage the combined output yourself.

Or you can point Kolega.Dev at your repo and get it all done in one pass and the issues fixed as part of the process. It finds the issues, cuts 90% of the noise, and opens fix PRs you can actually merge. One scan. One pipeline. The six things handled.

Scan your repo for free and see which of the six your codebase is missing.