Security ArticlesHome
·6 minChecklistSmall BusinessAI Code

7 Security Checks to Run Before Deploying AI-Generated Code

7 security holes commonly missed in apps built fast with vibe coding / AI code generation, and how to check them in 5 minutes before you deploy.


AI coding tools can turn an idea into a shipped service in a day. But speed comes at a cost: security isn't safe by default. This is especially true if you're a solo developer, or have no developer on the team at all. Checking these 7 things before you deploy blocks most common incidents.

1. Hardcoded keys and passwords

Check that API keys, database passwords, and tokens aren't baked directly into the code. AI is good at producing code that "just works," but it often writes keys straight into the source. Once that code hits a public repository, automated bots harvest the key within minutes.

  • Move keys into environment variables (.env), and always add .env to .gitignore
  • If you've already committed one, revoke and reissue it — even if you scrub it from history, treat it as already exposed

2. Secrets exposed to the client

Anything that ends up in code that runs in the browser (the frontend) can be seen by anyone. Never put admin-only keys in the frontend. Check that env vars with a NEXT_PUBLIC_-style prefix don't carry sensitive values.

3. Data access authorization

You're logged in — but can you see someone else's data? A problem where changing the id in a URL reveals another user's information (IDOR) is extremely common in AI-generated code. Always test that "only my own data is visible."

4. Database row-level security (RLS)

If you're using a BaaS (no-code/backend-as-a-service), check that access rules are turned on for every table. Sometimes the default is "fully public." It's worth directly verifying whether an anonymous user can read an entire table.

5. Vulnerable libraries

Open-source packages your project depends on may include versions with known vulnerabilities (CVEs). Upgrading to the latest safe version alone removes a lot of risk.

6. Trusting user input

Feeding user input directly into a database query or a system command exposes you to injection attacks. Make "always distrust user input" your default rule.

7. Keep checking after you deploy

Being safe once isn't the end. Every code change can open a new hole. Wiring a check into your pipeline so it runs automatically on every push leaves a safety net even when a human forgets.


You can check all seven without tooling, but reviewing hundreds of files by hand doesn't scale. Connect a GitHub repository to WhiteHat Code and it scans for all of the above automatically, pointing out exactly where the problem is and how to fix it. The automated scan is free.

Prepare with AI against AI-driven attacks.

Scan

Security Articles