Heimdall Scan logo, AI security scanner for vibe coders
Heimdall ScanOpen Beta
Research·Published May 31, 2026

The state of vibe-coded security

Vibe coding works. The same Y Combinator batch that taught a generation to "build fast and ship faster" is now graduating startups whose codebases are 95% AI-generated. The question this page tries to answer is what that code looks like when you stop celebrating and start auditing. The short version: not great. The longer version, with citations, is below.

Headline finding
23.8Msecrets leaked from public GitHub in 2024, up 25% year over year
Source: GitGuardian State of Secrets Sprawl 2025

Findings

25%of Y Combinator W25 startups have 95%+ AI-generated codebases

About 40 of the 160 startups in YC's Winter 2025 batch reported codebases that are almost entirely AI-generated. Vibe coding stopped being a niche workflow and became the default for early-stage product teams sometime in the last 18 months.

Source: Y Combinator W25 partner statement (via Snyk)
45%of AI-generated code samples fail basic security tests

Veracode's 2024 analysis found that 45% of AI-generated code samples introduced at least one OWASP Top 10 vulnerability. A 2023 empirical study of GitHub Copilot output found 35.8% of generated snippets contained recognized weaknesses (CWEs), with 11 of those weaknesses on the 2022 CWE Top-25 list. A Stanford user study (Perry et al., 2022) found participants with AI assistants wrote less secure code than the control group on four of five security tasks.

Source: Veracode 2024, Fu et al. arXiv:2310.02059, Stanford arXiv:2211.03622
40%higher secret-exposure rate in repos using AI coding tools

GitGuardian's 2025 report found repositories using AI coding tools leak secrets at a 40% higher rate than the baseline. The same report counted 23.8 million leaked secrets across public repos in 2024, with 96% of leaked GitHub tokens carrying write access and 70% of secrets leaked in 2022 still active today.

Source: GitGuardian State of Secrets Sprawl 2025
80%of developers believe AI tools produce more secure code than humans

Snyk's AI code security survey found roughly 80% of developers think AI-generated code is more secure than human-written code. In the same survey, 56% admitted that AI-generated code in their own projects had sometimes or frequently introduced security issues. Both statements are true at once, which is the actual problem. The Stanford study identified the same effect: developers using AI assistants were more confident their code was secure, even when it wasn't.

Source: Snyk AI Code Security Report
10%of developers run security scans on most of the AI code they ship

Only 10% of developers reported scanning most AI-generated code before shipping it. 80% admitted to bypassing a security policy at least once. 96% use AI coding assistants regularly. The math is straightforward: a lot of new code is shipping unreviewed, and the people shipping it believe it's fine.

Source: Snyk Secure Adoption in the GenAI Era
170vulnerable production sites found in a single Lovable scan session

In a public 2025 analysis, security researcher Matt Palmer reported finding 170 vulnerable production sites in one examination session of Lovable-built apps. A separate analysis demonstrated full compromise of multiple Lovable production sites in 47 minutes via misconfigured Supabase Row-Level Security policies. These are not theoretical vulnerabilities. They are public, working exploits against live consumer apps.

Source: Snyk: The Highs and Lows of Vibe Coding

What this means for vibe coders

Two things are true at once. AI editors will keep growing because they save real time, the tooling is improving fast, and the developer audience is gravitating to them. And the security of AI-generated code is meaningfully worse than human-written code on every published measure. The gap between these two trajectories is where the next generation of breaches and data leaks is going to come from. For founders shipping with Cursor, Lovable, Bolt, or v0, the cheap intervention is a security scan as part of the deploy loop, not as a one-time "before launch" event. The cost of one exposed Stripe key, or one wide-open API endpoint, is significantly higher than the cost of catching it the same day.

Methodology

This page synthesizes externally published research. Heimdall Scan does not yet publish primary research of its own. All numbers above come from the cited sources (academic papers, vendor reports, and security researcher write-ups) and are linked inline. Where two sources gave different numbers for the same question (e.g., the academic Copilot study found 35.8% vulnerability rate while Veracode found 45%) we report both so you can judge.

Heimdall Scan checks for the exact issues this research describes (exposed secrets, missing auth, broken access control, weak webhook verification, and more) on any GitHub repo in under a minute. It's free during open beta.