vchk — Security Scanner for AI-Generated Code Security for AI Code Your AI wrote the code. Who checked the security? vchk finds the vulnerability patterns that AI coding tools systematically introduce — SQL injection, hardcoded secrets, XSS, hallucinated packages, and more. Try it in your browser $ npx vchk copy 45% of AI code has security flaws Veracode 5.1× more SQL injection with AI Perry et al. 1 in 5 breaches from AI code Aikido 2026 vchk — scanning main.py 1 import sqlite3 2 import random 3 4 API_KEY = "sk-proj-abc123def456ghi789" 5 6 def get_user (username): 7 query = f "SELECT * FROM users WHERE username = '{username}'" 8 cursor.execute(query) 9 return cursor.fetchone() 10 11 def generate_token (): 12 return str(random.randint( 100000, 999999 )) Findings CRITICAL VC-018 L 4 Hardcoded API Key API key embedded in source code CRITICAL VC-001 L 7 SQL Injection via String Interpolation f-string in SQL query with user input HIGH VC-025 L 12 Weak Random Number Generator random.randint() used for token generation 3 findings: 2 critical · 1 high · Scanned in 0.3s The Problem AI writes fast. It doesn't write safe. 01 It copies insecure patterns AI models trained on millions of repos — including millions of insecure ones. When you ask for a database query, you get string concatenation because that’s what appeared most in training data. The code works. The vulnerability is invisible. 02 It makes you overconfident Stanford research found that developers using AI assistants believe their code is MORE secure while actually producing LESS secure code. The code looks clean, passes basic tests, and gets merged without scrutiny. 03 Existing tools weren’t built for this ESLint, Semgrep, Snyk — built for human-written code. They miss the specific patterns AI produces: hallucinated packages that don’t exist, “almost right” auth flows, tests that only test the happy path. Detection Rules 8 rules. Zero false positives. CRITICAL SQL Injection String concatenation in database queries instead of parameterized queries query = f"SELECT * FROM users WHERE name = '{name}'" CRITICAL Hardcoded Credentials API keys, passwords, and secrets embedded directly in source code API_KEY = "sk-proj-a8f3..." CRITICAL Missing Authentication API endpoints handling sensitive data with no auth middleware app.delete( '/api/users/:id', handler) CRITICAL Hallucinated Packages Dependencies that don’t exist in npm/PyPI — AI invented the name "flask-security- utils": "^2.1.0" HIGH Cross-Site Scripting dangerouslySetInnerHTML, innerHTML with unsanitized user content res.send( `

${req.query .q}

`) HIGH Weak Randomness Math.random() and random.randint() used for security tokens token = str( random.randint( 100000, 999999)) HIGH Permissive CORS origin: '*' allowing any website to call your API app.use(cors()) MEDIUM Log Injection User input written directly to logs without sanitization logger.info( f"User: {user}") Real Results Tested against 12 real vibe-coded projects. 12 repos scanned 22 vulnerabilities found 0% false positive rate <3s scan time HIGH VC-048 src/server.py:14 Permissive CORS with credentials allow_origins=["*"] with allow_credentials=True — any website could steal user sessions HIGH VC-003 components/Preview.jsx:47 Stored XSS via innerHTML User-supplied markdown rendered via innerHTML without sanitization CRITICAL VC-048 supabase/functions/*/index.ts Wildcard CORS on 10 edge functions Including password reset, billing, and user deletion endpoints Architecture 4-stage pipeline. Sub-3-second scans. Stage 1 Fast Pass regex <100ms Stage 2 AST Analysis Babel <2s Stage 3 Registry Check npm/PyPI <1s Stage 4 Report dedup + score <10ms 0 1 Fast Pass regex <100ms 0 2 AST Analysis Babel <2s 0 3 Registry Check npm/PyPI <1s 0 4 Report dedup + score <10ms The fast pass catches obvious patterns instantly. AST analysis understands code structure — it knows the difference between a parameterized query and a string-interpolated one. Registry checks verify your dependencies actually exist. The report deduplicates, scores severity by context, and detects vulnerability chains. Get Started One command. Zero config. Terminal — zsh Zero install npx vchk Global install npm install -g vchk CI/CD npx vchk --ci --severity critical .github/workflows/vchk.yml name : vchk on : [push, pull_request] jobs : scan : runs-on : ubuntu-latest steps : - uses : actions/checkout@v4 - run : npx vchk --ci --severity critical Open source. MIT license. No telemetry. vchk is fully open source. No data leaves your machine. No API calls except to npm/PyPI registries to verify packages exist. No analytics, no tracking, no signup required. The code is on GitHub — read every line. GitHub npm Playground