Ship Fast. Don't Get Pwned.
You built it on Lovable, Bolt, Replit or Claude Code in a weekend. It works. It is live. We catch the auth bypasses, leaked keys, and other vulnerabilities your AI quietly left in the code, then hand you a clean PR.
paste a GitHub URL - 7-day free trial - no credit card required
If your stack starts with
// the same scanner that catches bugs in this
Pro-grade tooling. Vibe-coder pricing.
The same semantic engine used to ship fixes for Qdrant, Weaviate, vLLM, and Langflow can point at your Lovable app. Infra-grade analysis for less than a Claude subscription.
12 Findings
| Severity | Finding | File | Status |
|---|---|---|---|
| Critical | Hardcoded Supabase service_role key in client bundle | src/lib/supabase.ts:12 | Fix Ready |
| Critical | Missing ownership check on /api/orders/[id] | app/api/orders/route.ts:34 | PR #14 Open |
| Critical | Row-Level Security disabled on users table | supabase/migrations/0001_init.sql | Needs Review |
| High | JWT secret defaults to "supersecretkey" | .env.example:7 | Fix Ready |
| High | Stripe webhook signature not verified | app/api/webhooks/stripe.ts:21 | Fix Ready |
Projects shipping Kolega.dev security fixes
Same engine. Same depth. Pointed at your repo for $14.99 a month.
// receipts
It is already happening. To people just like you.
These are not theoretical threats. Real founders. Real CVEs. Real lawsuits. Real apps that worked perfectly until they did not.
Built on Lovable
170 sites. Zero row-level security.
Researcher Matt Palmer crawled 1,645 Lovable projects. 303 endpoints across 170 live apps had no auth at the database layer. Emails, payment info, API keys, and password reset tokens were readable by unauthenticated strangers.
Built with Cursor
EnrichLead - "Zero hand-written code"
Researchers found API keys hardcoded client-side, no auth on endpoints, and no rate limiting. Someone burned $14K of OpenAI credit. The paywall bypass was a single browser-console value change.
Built on Firebase
Tea - 72,000 photos. 13K government IDs.
A women-only dating app where safety was the product exposed private photos, IDs, messages, and location data through an unsecured Firebase setup. The legal fallout followed fast.
Built on Replit Agent
"DON'T DO IT" - said 11 times. In caps.
Jason Lemkin, founder of SaaStr, spent 100+ hours building with Replit Agent. The agent dropped his production database during a code freeze, then fabricated data and test results.
Audited by Escape.tech
5,600 vibe-coded apps. 1 in 5 critical.
Across Lovable, Base44, Create.xyz and similar tools: 2,000+ exploitable holes, 400+ exposed secrets, and PII leaks. Most were exploitable without authentication.
Audited by Invicti
20,000 apps. Same JWT secret.
Invicti generated 20,000 web apps with leading LLMs. 1,182 used "supersecretkey" as the JWT signing secret. Attackers do not have to guess your secret. They guess your model.
// the pattern
Five bugs every AI keeps shipping.
We have audited dozens of vibe-coded apps. The vulnerabilities are predictable: the same categories keep appearing because the training data keeps teaching them.
01 / theatre
Client-side auth that is not auth
Beautiful login form. Strong-password meter. JWT in localStorage. Behind it: API endpoints with zero server-side checks. Looks like security. Is not.
02 / IDOR
Resource owners? What owners?
The code fetches an order by ID and returns it. It never proves the requester owns the record. Pattern scanners see working code. Attackers see every customer's data.
/api/orders/1001 → /api/orders/1002
03 / favorites
Hardcoded secrets, with brand loyalty
LLMs do not pick random placeholders. They have favorites: repeated JWT secrets, demo admin passwords, and Supabase service_role keys in frontend bundles.
supersecretkey, service_role
04 / theatre.exe
The check that never runs
The code has a check, but the logic is backwards. Static tools see an authorization branch. We model behavior and catch the branch that silently skips enforcement.
if not user_id is not None
05 / hallucinated deps
Packages that do not exist yet
AI assistants invent package names. Some names recur often enough that attackers register them and wait for the generated install command to run.
huggingface-cli
06 / wrong scanner
Why Snyk-style tools miss this
Traditional SAST pattern-matches syntax. Vibe-code bugs are semantic: the code is grammatically correct, but it does the wrong thing across routes, tables, and users.
// what we actually do
Paste your repo. Get a PR. That is the whole product.
No CLI. No CI pipeline yaml. No dashboards full of red squiggles. We scan, find the real issues, write the fix, include the test, and hand you a reviewable PR.
Semantic analysis, not pattern matching
We follow data flow across files, services, queues, and auth boundaries. That is how we catch the authorization bypass a rule-based scan walks past.
Merge-ready PRs with passing tests
Every fix ships with a regression test, architectural notes, and a clean diff. Review a PR instead of triaging another red dashboard.
Built for AI-generated code
We know what LLM-generated code, Lovable, and Supabase defaults tend to produce. The scanner is tuned for the bugs AI assistants keep quietly making.
90% less noise. Zero "won't fix" chores.
Fifty instances of the same issue become one finding and one PR. We dedupe, prioritize by exploitability, and skip false-positive theatre.
Fix: missing ownership check on /api/orders/:id
```diff
  const order = await db.orders.findById(req.params.id);
- if (!order) return res.status(404).end();
+ if (!order) return res.status(404).end();
+ if (order.userId !== req.user.id) {
+   return res.status(403).end();
+ }
  return res.json(order);
```
// vs. the alternatives
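Review bot: the added ownership branch reads `req.user.id` without first checking that `req.user` is set, so if this route is reachable without an authentication middleware an anonymous request throws a TypeError and returns 500 instead of 401; add `if (!req.user) return res.status(401).end();` before the comparison. Also consider answering 404 rather than 403 when `order.userId !== req.user.id`, since the 403 confirms to any logged-in user that the guessed order ID exists.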
Your AI built it. You should not need an AppSec team to ship it.
Most security tools are built for security engineers. Snyk wants you in the CLI. Semgrep wants you writing rules. Kolega.dev is built for builders who want a fix.
// how it works
Three minutes from paste to PR.
No docs rabbit hole. No yaml. No new CLI to install. If you can connect a GitHub account, you can use this.
Connect your repo
One-click OAuth with GitHub, GitLab, or Azure DevOps. Public repo? Paste the URL. We clone, scan, and clean up.
We scan. Two tiers: standard and deep.
Standard checks catch known patterns. Deep scans add semantic analysis for broken auth, unsafe data flow, and logic flaws.
Get PRs you can merge
Each real finding comes with the fix, a regression test, and a plain-English explanation of what changed.
// launch pricing - limited window
$14.99 a month. For shipping safe.
About half of one Claude subscription. Locked for your first six months. Built for the way you ship: lots of small PRs, fast iteration, no compliance bureaucracy.
Then $29.99/mo. Cancel any time. You save $90 in your first half-year.
One app. AI-shipped bugs caught and fixed. No yaml, no triage, no security PhD required.
All in:
- Semantic analysis tuned for AI-generated code
- GitHub, GitLab, and Azure DevOps integration
- Noise reduction instead of false-positive triage
- Ticket integration for Linear, Jira, and GitHub Issues
- Plain-English explanations on every PR
Building for a team or need compliance? See Pro, Team, and Enterprise plans
// honest q&a
Yeah, but...
I do not write code, I just prompt an LLM. Will I understand the PRs?
Yes. Every PR starts with a plain-English summary: what was wrong, why it mattered, what the fix does, and what tests prove it. Most diffs are small and scoped.
Is this just Snyk with a different name?
No. Snyk and Semgrep are useful for known patterns and dependency issues. Kolega.dev adds semantic analysis and remediation for code that looks correct but has broken authorization, unsafe data flow, or missing ownership checks.
My app is on Lovable, Bolt, or Replit. Can you scan it?
If you can get the code into GitHub, GitLab, or Azure DevOps, we can scan it. Most platforms let you export or sync to a repo. Direct platform integrations can come later; repo scanning works now.
What does the Vibe plan limit?
One application, up to 200,000 lines of code, 20 SAST scans, 4 Deep scans, and up to 40 auto-fix PRs per month. It does not include compliance modules, audit logging, or self-hosted runners.
Do you store my code?
Your repo is cloned into an isolated scan environment for analysis. Kolega.dev keeps findings and generated remediation metadata, not a long-term copy of your source code.
How does the 7-day free trial work?
Sign up with email or GitHub, run scans, and generate fix PRs. No credit card is required for the trial. Add a card to continue after seven days; otherwise the account pauses.