VibeCodeXray

SAMPLE REPORT

What a VCX audit actually gives you

Not a vague AI review. Not a linter dump. VibeCodeXray returns deterministic findings with files, evidence, severity, and plain-English context so you can decide what to fix before shipping AI-generated code.

1 critical security issue

7 medium/high findings

42 files inspected

100% evidence-backed findings

FINDINGS

Representative issues VCX catches

These examples mirror the patterns AI assistants produce constantly: code that runs, demos nicely, and quietly stores a rake in the grass for production.

Critical: src/app/api/search/route.ts:42

User-controlled SQL reaches a database query

EVIDENCE

The handler concatenates searchParams.get("q") directly into a raw SQL string before calling db.query().

WHY IT MATTERS

AI-generated CRUD endpoints often look harmless in demos. In production, this pattern can leak customer data or allow destructive queries.

FIX DIRECTION

Use parameterized queries and validate the accepted search shape before it reaches the database layer.
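Added example (TypeScript, not VibeCodeXray's code): the concatenation pattern this finding describes next to the validated, parameterized form the fix direction calls for. The table and column names, the length limit, and the `{ text, values }` query shape are assumptions.

```typescript
// Added example, not VibeCodeXray's code: the search-route pattern from the
// Critical finding, modelled without a real database. A query is SQL text plus
// bound values, the { text, values } shape pg-style drivers accept; the table
// and column names are assumptions.
export interface SqlQuery {
  text: string;
  values: string[];
}

// Vulnerable shape: the request value is spliced into the SQL text, so any
// quote or operator inside "q" becomes part of the statement the DB parses.
export function buildSearchVulnerable(q: string): SqlQuery {
  return {
    text: `SELECT id, name FROM projects WHERE name LIKE '%${q}%'`,
    values: [],
  };
}

// Fix direction, part 1: validate the accepted search shape before the value
// reaches the database layer (the limits here are assumptions).
export function validateSearchTerm(q: string | null): string | null {
  if (q === null) return null;
  const term = q.trim();
  if (term.length === 0 || term.length > 64) return null;
  if (/[\u0000-\u001f]/.test(term)) return null; // reject control characters
  return term;
}

// Fix direction, part 2: the SQL text is a constant and the term travels as a
// bound parameter ($1), so the database never parses user input as SQL.
export function buildSearchSafe(term: string): SqlQuery {
  return {
    text: "SELECT id, name FROM projects WHERE name LIKE '%' || $1 || '%'",
    values: [term],
  };
}

// Stand-in for the route handler: read searchParams.get("q"), answer 400 for
// a bad shape, otherwise hand back the parameterized query for db.query().
export function handleSearch(url: URL): { status: number; query?: SqlQuery } {
  const term = validateSearchTerm(url.searchParams.get("q"));
  if (term === null) return { status: 400 };
  return { status: 200, query: buildSearchSafe(term) };
}
```

A name like O'Reilly is enough to show the difference: the concatenated text gains a stray quote that changes the statement, while the parameterized text stays identical for every input.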

High: src/app/api/projects/[id]/delete/route.ts:27

Protected action has no ownership check

EVIDENCE

The route checks for a session, then deletes by project id without verifying that project.userId matches session.user.id.

WHY IT MATTERS

This is the classic vibe-coded auth bug: login exists, but authorization is missing where the dangerous action happens.

FIX DIRECTION

Scope the delete query by both project id and authenticated user id, then return 404 for non-owned records.
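Added example (TypeScript, not VibeCodeXray's code): the session-only delete this finding describes beside the owner-scoped version from the fix direction, over an in-memory table. The Session and Project shapes and the sample rows are assumptions.

```typescript
// Added example, not VibeCodeXray's code: the delete-route pattern from the
// High finding, over an in-memory table. The Session and Project shapes are
// assumptions chosen to match the field names in the finding.
export interface Session { user: { id: string } }
export interface Project { id: string; userId: string; name: string }

// Constructed sample rows: two projects owned by two different users.
export function sampleProjects(): Project[] {
  return [
    { id: "p1", userId: "alice", name: "alice-app" },
    { id: "p2", userId: "bob", name: "bob-app" },
  ];
}

// Vulnerable shape: a session exists, so the handler deletes by id alone.
// Any logged-in user can remove any project whose id they know.
export function deleteVulnerable(db: Project[], session: Session | null, id: string): number {
  if (!session) return 401;
  const idx = db.findIndex((p) => p.id === id);
  if (idx === -1) return 404;
  db.splice(idx, 1);
  return 200;
}

// Fix direction: scope the delete by project id AND authenticated user id, and
// answer 404 for rows the caller does not own, so a foreign id is
// indistinguishable from a missing one. In SQL this is the equivalent of
// DELETE FROM projects WHERE id = $1 AND user_id = $2.
export function deleteScoped(db: Project[], session: Session | null, id: string): number {
  if (!session) return 401;
  const userId = session.user.id;
  const idx = db.findIndex((p) => p.id === id && p.userId === userId);
  if (idx === -1) return 404;
  db.splice(idx, 1);
  return 200;
}
```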

Medium: src/app/dashboard/page.tsx:88

N+1 database reads in dashboard rendering

EVIDENCE

The component loads projects, then fetches findings separately inside a loop for each project card.

WHY IT MATTERS

It works with three demo rows. It becomes slow and expensive once a real user has a few dozen scans.

FIX DIRECTION

Fetch aggregated finding counts in one query and pass the summary into the dashboard cards.
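Added example (TypeScript, not VibeCodeXray's code): the per-card loop this finding describes beside the single aggregated query from the fix direction, over an in-memory store that counts round trips so the N+1 cost is visible. Row shapes and sample data are constructed.

```typescript
// Added example, not VibeCodeXray's code: the dashboard N+1 pattern from the Medium
// finding, over an in-memory store that counts round trips. Rows are constructed.
export interface ProjectRow { id: string; name: string }
export interface FindingRow { projectId: string; severity: string }
export interface CardSummary { id: string; name: string; findingCount: number }

export class CountingStore {
  queries = 0; // one increment per simulated database round trip
  private projects: ProjectRow[];
  private findings: FindingRow[];
  constructor(projects: ProjectRow[], findings: FindingRow[]) {
    this.projects = projects;
    this.findings = findings;
  }
  listProjects(): ProjectRow[] {
    this.queries++;
    return this.projects;
  }
  findingsFor(projectId: string): FindingRow[] { // per-card lookup
    this.queries++;
    return this.findings.filter((f) => f.projectId === projectId);
  }
  findingCounts(): Map<string, number> { // SELECT project_id, COUNT(*) ... GROUP BY
    this.queries++;
    const counts = new Map<string, number>();
    for (const f of this.findings) counts.set(f.projectId, (counts.get(f.projectId) ?? 0) + 1);
    return counts;
  }
}

export function sampleStore(): CountingStore {
  return new CountingStore(
    [{ id: "p1", name: "api" }, { id: "p2", name: "web" }, { id: "p3", name: "cli" }],
    [{ projectId: "p1", severity: "high" }, { projectId: "p1", severity: "low" },
     { projectId: "p3", severity: "medium" }],
  );
}

// Vulnerable shape: one query for the project list, then one more per card (N+1).
export function buildCardsNPlusOne(store: CountingStore): CardSummary[] {
  return store.listProjects().map((p) => ({
    id: p.id, name: p.name, findingCount: store.findingsFor(p.id).length,
  }));
}

// Fix direction: one aggregated count query, then pass the summary into the cards.
export function buildCardsAggregated(store: CountingStore): CardSummary[] {
  const counts = store.findingCounts();
  return store.listProjects().map((p) => ({ id: p.id, name: p.name, findingCount: counts.get(p.id) ?? 0 }));
}
```

With three sample projects the loop version issues four round trips and the aggregated version two; the gap grows with every project a real user accumulates.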

Low: src/lib/utils.ts:1

Generated utility file mixes unrelated responsibilities

EVIDENCE

The file contains formatting helpers, auth helpers, validation rules, and billing constants in one shared module.

WHY IT MATTERS

AI assistants frequently dump convenient helpers into one file. That makes future changes riskier because everything imports everything.

FIX DIRECTION

Split auth, billing, formatting, and validation helpers into focused modules before the dependency graph hardens.

REMEDIATION PLAN

What the report helps you do next

A useful audit should shorten the path from scary finding to owner-ready fix. VCX turns raw scan output into a practical review packet for founders and engineering teams working with AI-generated code.

STEP 1

Fix-now queue

Critical and high findings are grouped by production risk first, not by whatever file happened to be scanned first.

OUTPUT

Priority list with owner-ready file paths and fix direction

STEP 2

Evidence trail

Each item includes the observed pattern and the concrete code location so reviewers can reproduce the concern quickly.

OUTPUT

Finding cards with evidence, affected route/module, and severity

STEP 3

Launch decision

The report separates blocking issues from cleanup work so teams can decide whether to ship, pause, or scope a hardening sprint.

OUTPUT

Ship / fix-before-launch / monitor guidance for the repo

HANDOFF CHECKLIST

Turn the audit into a fixable work queue

The sample report is not just a list of warnings. It shows the operating order for an AI-built app: block launch risk first, keep evidence attached, assign the work, and verify the repository again after fixes.

BLOCKERS FIRST

Critical and high findings get fixed before launch claims, investor demos, or payment flows are treated as production-ready.

EVIDENCE RETAINED

Each fix keeps the original file path, rule, observed pattern, and reviewer note attached so the next pass can confirm the risk changed.

OWNER-READY WORK

Findings are grouped into security, dependency, performance, and maintainability lanes so a founder can hand the right work to the right engineer.

RE-SCAN DECISION

After fixes, teams rerun the audit against the updated repository instead of assuming the AI-generated patch removed the original risk.

COVERAGE

Built for the weird failure modes of AI code

AI-generated projects fail differently: missing authorization after beautiful authentication, generated data access patterns that do not scale, and duplicated glue code that nobody remembers asking for. VCX checks those patterns directly.

  • Security patterns: injection, XSS, unsafe auth, secrets, risky redirects
  • Performance patterns: N+1 reads, missing awaits, expensive loops, bundle traps
  • Dependency checks: known vulnerabilities, deprecated packages, risky licenses
  • Code quality: dead exports, God files, duplicated logic, fragile generated glue

Run this against your own repo.

Free tier, no credit card, and enough audits to find out whether your AI-built app is production-ready or just wearing a nice landing page as a disguise.

Start free