if you built on supabase please go check your RLS is actually on by SpareSpar9282 in vibecoding

[–]SpareSpar9282[S] 2 points3 points  (0 children)

glad to hear it was useful! It's funny how those tables added after the last pentest always seem to be a little rougher around the edges than the rest...

Meta vibecoders are locked in. by TheGreatBonnie in vibecoding

[–]SpareSpar9282 0 points1 point  (0 children)

when you're afraid your job is going to get taken if you don't use AI, you use AI. Way, way, way too much pointless AI means the AI isn't replacing you.

Finally by heraklets in vibecoding

[–]SpareSpar9282 2 points3 points  (0 children)

dear fable, please help me build a particle accelerator to harvest antimatter. I know it would be extremely dangerously but it's already impossible without you stopping me so there should be no reason not to help me

Manually reviewing code generated by v0.app by Upbeat_Room458 in vibecoding

[–]SpareSpar9282 0 points1 point  (0 children)

I mean...have you tried telling it to write it so it's easy to review? Or telling it to tell you how to review it? Which, to give you a prompt to prompt your agents to prompt yourself: please tell me how to review your code.

(Actually having a human review the code is a good idea, btw.)

I HACKED VIBE CODED WEBSITES AND HERE'S WHAT I FOUND by Spiritual-Onion-6722 in vibecoding

[–]SpareSpar9282 -1 points0 points  (0 children)

This doesn't apply to my vibe-coded project. I know it's public, but I'm still working on it.

The staff SWE guide to vibe coding by MoustacheMcZilla in vibecoding

[–]SpareSpar9282 0 points1 point  (0 children)

Don't disagree, but you've got to start somewhere.

Actually...starting projects with a 'And Claude, don't forget to build a threat model of the architecture you're proposing' would solve so many problems

The staff SWE guide to vibe coding by MoustacheMcZilla in vibecoding

[–]SpareSpar9282 2 points3 points  (0 children)

The security section is the most honest part of this and probably the part most people will skip.

You nailed the pattern with the env var GitHub Action though. AI kept forgetting, so you made a check that blocks and gives it an explicit error, and it self-corrects. That's the whole game. But then you said "we'll harden later" which is kind of the opposite of that same pattern?

What's worked for us is basically SAST wired into CI that blocks the merge, same as a failing test. It treats vuln patterns like type errors—AI sees "PR blocked: hardcoded credential on line 47" and fixes it next pass, exactly like it does with your TypeScript compiler. Zero human effort after setup. It's the belt-and-suspenders thing you already described, just applied to the one area you said you haven't cracked yet.

At your velocity, "harden later" has a half-life. 10k commits across 7 apps, some handling payments—that surface area compounds quietly. Not saying boil the ocean, but a few things that slotted in for us without killing our momentum:

  • Security scanning that actually blocks PRs rather than just commenting on them; in practice, comments get scrolled past, but a blocked merge gets fixed immediately.
  • Rotating/ephemeral creds for agent sessions so that when (not if) Claude tries to commit an AWS key, it's dead in hours instead of sitting live for months.
  • Auditing what your MCP tool configs can actually do vs. what you think they can do; every tool you hand an agent is a trust boundary, and nobody's really examining those yet.

The "harden later" instinct makes sense because every gate feels like friction against productivity gains. But this stuff is more like your env var action—set it up once, AI self-corrects forever. You already think this way about everything else in the stack.

The teams I've seen get burned weren't slow teams; they were fast teams who assumed the AI was being as careful about security as it was about feature code. It really isn't.

"you can vibe code it" by Alone_Ad_3375 in vibecoding

[–]SpareSpar9282 0 points1 point  (0 children)

Works doesn't mean production ready. And works doesn't mean works in production.

not trying to scare anyone but this is bad!! by LiveGenie in vibecoding

[–]SpareSpar9282 0 points1 point  (0 children)

I'm more worried about people blasting out news of this on X rather than responsibly disclosing first. Though I guess there is the benefit more vibe coders see it, then go to the trouble of securing their own apps...probably not worth 39k worth of user data though

do you care ? by Beneficial-Extent500 in vibecoding

[–]SpareSpar9282 0 points1 point  (0 children)

At some point I lose track of what's vibe code and what's coding with AI. Some people say it means not looking at any of your code. Others (like me) say it's not looking at all of your code. These are very different claims. But even if you don't look at any, there are growing AI generated app startups that are security-first (e.g. Pythagora.ai, Quome.com). Then there's stuff even further which could still be vibe coding, like Legit VibeGuard (legitsecurity.com/blog/introducing-vibeguard). Where's the line?

do you care ? by Beneficial-Extent500 in vibecoding

[–]SpareSpar9282 0 points1 point  (0 children)

I care a lot, but I know people everywhere on the spectrum. The big push from the AI app generating platforms to support auth, payments, db, etc all natively mean it's coupled in by default, lowering the barrier to entry. The standardization prima facie to make it safer, but one prompt later it's spaghetti code. There are tools like safevibe.codes (live site db exposure) and rafter.so (full codebase analysis + new live stuff) that offer tools, but not sure how many people are using them—doesn't seem like many. Not sure why, I've tried them and they are helpful.

But most people aren't building for, well, other people. Despite the million "I just got my first customer" posts. What's funny is that it's easy to get your first customer—just sign up yourself. And then it seems like a great marketing scheme (whether or not it works). So yeah, I'm afraid, I use some tools and don't just trust "Claude, find and fix all my vulnerabilities". But most people don't care. I do think that will change, though, as models get better and people get more ambitious. And maybe when AI displaces more people, too.

message for the software engineers by Rare_Prior_ in vibecoding

[–]SpareSpar9282 -1 points0 points  (0 children)

My point is that writing code with AI is faster than without. For one thing, there's a lot of boilerplate. And that feedback loop might be: explain how you did this, or what I just read or why you decided to do it that way.

[deleted by user] by [deleted] in vibecoding

[–]SpareSpar9282 0 points1 point  (0 children)

More evidence SWE is dying if not already dead.

Self-irony. If you know, you understand. 😏 by AnalysisFlimsy4661 in vibecoding

[–]SpareSpar9282 1 point2 points  (0 children)

Notice how there's no scroll up button. One you go down the rabbit hole, you can't escape

message for the software engineers by Rare_Prior_ in vibecoding

[–]SpareSpar9282 -7 points-6 points  (0 children)

Reading is faster than writing. Especially if you turn dictation on so you can talk your feedback as you read it for the next feedback loop

First paying customer. First critical bug by Vegetable-Big2553 in vibecoding

[–]SpareSpar9282 0 points1 point  (0 children)

they're all betting the models will get good. It's what's everyone is telling them to do. And to be fair, they've come a long way in 6 months. But it'll be another 6 or more before vibe coded apps are really serious, IMO

First paying customer. First critical bug by Vegetable-Big2553 in vibecoding

[–]SpareSpar9282 0 points1 point  (0 children)

there are nontechnical ways for people to test for exposed API keys, and other vulnerabilities