A 7-step security audit for AI-generated code using grep
Security firm Inithouse claims the same seven vulnerabilities appear in most AI-generated apps. Their playbook uses simple command-line checks to find them in minutes, before they become breaches.
Security audit firm Inithouse reports that after scanning hundreds of AI-generated applications, the same seven vulnerabilities appear consistently. The firm, which runs the tool Audit Vibe Coding, finds that AI code generators frequently omit basic security measures like authentication and proper secret management. The result is a class of vulnerabilities that are trivial to exploit but also simple to find.
The following playbook is derived from Inithouse's findings. It provides specific grep commands that founders can run to perform a high-level security check on their own codebases. Each check is designed to be a fast, first-pass diagnostic, not a comprehensive security audit.
Hardcoded secrets in source code
AI code generators often use placeholder API keys and credentials. Developers replace these with real keys during development but may forget to move them to environment variables before committing. Inithouse claims to have found live Stripe, Supabase, and OpenAI keys in public-facing JavaScript files.
This check searches common application directories for patterns matching API keys, passwords, and service role tokens. Any result that is not a reference to an environment variable (e.g., process.env.STRIPE_KEY) represents a critical vulnerability.
grep -rnI \
"sk-\|sk_live\|sk_test\|api_key\s*=\|apiKey\s*[:=]\|secret_key\|SUPABASE_SERVICE_ROLE\|password\s*[:=]\s*['\"]" \
src/ lib/ app/ --include="*.ts" --include="*.tsx" --include="*.js" --include="*.jsx"
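The triage rule above, as an added example that is not part of Inithouse's playbook: it runs the same pattern in extended-regex form, drops hits that are only environment-variable lookups, and keeps lines where a hardcoded fallback sits next to the lookup. The function names, the `process.env` / `import.meta.env` forms treated as lookups, and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Inithouse's code): triage the secrets grep so that pure
# environment-variable references are dropped but hardcoded fallbacks are kept.
PATTERN="sk-|sk_live|sk_test|api_key[[:space:]]*=|apiKey[[:space:]]*[:=]|secret_key|SUPABASE_SERVICE_ROLE|password[[:space:]]*[:=][[:space:]]*['\"]"
# Assumption: env lookups are written as process.env.X or import.meta.env.X.
ENV_REF='(process|import\.meta)\.env\.[A-Za-z_][A-Za-z0-9_]*'
# A quoted string of 8+ characters left on the line after env refs are removed.
LITERAL="[\"'\`][^\"'\`]{8,}[\"'\`]"

triage_secrets() {
  grep -rnIE "$PATTERN" "$@" 2>/dev/null | while IFS= read -r hit; do
    code=${hit#*:}; code=${code#*:}          # strip the "file:line:" prefix
    case $code in
      *process.env.*|*import.meta.env.*) ;;  # env reference present: look closer
      *) printf '%s\n' "$hit"; continue ;;   # no env reference at all: report
    esac
    rest=$(printf '%s\n' "$code" | sed -E "s/$ENV_REF//g")
    if printf '%s\n' "$rest" | grep -qE "$LITERAL"; then
      printf '%s\n' "$hit"                   # a literal sits next to the env lookup
    fi
  done
}

make_sample() {   # constructed sample file, contains no real credentials
  dir=$(mktemp -d) && mkdir "$dir/src" && cat > "$dir/src/config.js" <<'EOF'
const openai = new OpenAI({ apiKey: process.env.OPENAI_API_KEY });
const admin = createClient(url, process.env.SUPABASE_SERVICE_ROLE_KEY);
const apiKey = process.env.STRIPE_KEY || "sk_live_CONSTRUCTED_PLACEHOLDER";
const password = "constructed-not-real";
EOF
  printf '%s\n' "$dir"
}

sample=$(make_sample)
triage_secrets "$sample/src"
rm -rf "$sample"
```

Lines that keep any quoted literal beside an environment lookup are reported on purpose, so the filter errs toward showing a hit rather than hiding one.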
API routes without authentication
Generative AI tools excel at creating CRUD endpoints but often fail to add the necessary authentication middleware. This can expose sensitive API routes, allowing unauthorized users to read, create, update, or delete data. The vulnerability is most common in frameworks like Next.js and Supabase Edge Functions where route handlers can be created without explicit auth checks.
The following commands list files in common API directories that lack references to typical authentication libraries or functions. Files listed in the output should be manually reviewed to confirm they either handle public data or have auth checks implemented in a non-standard way.
# Next.js API routes without auth
grep -rL "getServerSession\|getToken\|auth(\|middleware\|supabase.*auth" \
app/api/ pages/api/ 2>/dev/null
# Supabase Edge Functions without JWT verification
grep -rL "Authorization\|jwt\|verify" \
supabase/functions/ 2>/dev/null
SQL injection via string interpolation
While most modern ORMs prevent SQL injection by default, AI can be prompted to write raw SQL queries for performance or complex joins. If these queries use string interpolation to include user input ('SELECT * FROM users WHERE id = ' + userId), they become vulnerable to injection attacks.
This check is less precise than the others. It looks for common raw SQL query patterns concatenated with variables. Every result requires manual inspection to determine if the variable is user-controlled and if the query is sanitized. This is a search for likely hotspots, not a definitive list of vulnerabilities.
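The playbook's command for this check is not reproduced on this page. One way to run such a search, as an added example rather than Inithouse's own command; the pattern, the function names and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Inithouse's command): list lines where a raw SQL statement
# is built by string concatenation or template-literal interpolation.
# Requiring a second SQL word (FROM / INTO / SET) keeps UI strings such as
# 'Update available: ' + version out of the results.
SQLKW='(SELECT[[:space:]].*[[:space:]]FROM|INSERT[[:space:]]+INTO|UPDATE[[:space:]].*[[:space:]]SET|DELETE[[:space:]]+FROM)[[:space:]]'

sql_hotspots() {
  # First -e: SQL text, then a closing quote followed by "+" (concatenation).
  # Second -e: SQL text, then "${" (template-literal interpolation).
  grep -rnIiE \
    -e "$SQLKW.*['\"][[:space:]]*[+]" \
    -e "$SQLKW.*[\$][{]" \
    --include="*.ts" --include="*.tsx" --include="*.js" --include="*.jsx" \
    "$@" 2>/dev/null
}

make_sql_sample() {   # constructed sample source file
  dir=$(mktemp -d) && mkdir "$dir/lib" && cat > "$dir/lib/db.js" <<'EOF'
db.query('SELECT * FROM users WHERE id = ' + userId);
db.query(`SELECT total FROM orders WHERE owner = '${req.query.owner}'`);
db.query('SELECT * FROM users WHERE id = $1', [userId]);
const msg = 'Update available: ' + version;
db.query("DELETE FROM sessions WHERE token = '" + token + "'");
EOF
  printf '%s\n' "$dir"
}

sample=$(make_sql_sample)
sql_hotspots "$sample/lib" || echo "no hotspots found"
rm -rf "$sample"
```

Tagged-template query helpers that bind parameters also match the `${` pattern, and queries assembled across several lines are missed, so the output is a review list and not a verdict.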
WHAT WE'D CHANGE
This playbook is a valuable starting point for technical founders, but it is not a substitute for a formal security audit. The grep commands are a blunt instrument. They can find obvious mistakes but will miss credentials that are intentionally obfuscated or split across multiple lines. A determined attacker uses more sophisticated tools.
The checklist also focuses exclusively on vulnerabilities in the application code itself. It completely ignores supply chain vulnerabilities within third-party dependencies. Running npm audit or using a tool like Snyk is a necessary and complementary step for any modern web application. The most secure proprietary code can be compromised by a vulnerable package.
Finally, the five-minute framing applies only to finding the problem. A missing authentication check on a core API route is not a five-minute fix. It could require a significant refactor of data access patterns. This audit finds the fire; it does not put it out.
LANDING
The speed of AI-assisted development creates pressure to ship faster than ever. This checklist provides a crucial brake-check, translating abstract security principles into concrete commands a solo founder can run before each deployment. While not exhaustive, it addresses the specific blind spots of current-generation AI coding tools. Running these checks moves security from a theoretical concern to a verifiable, pre-flight routine.
The investor read
The proliferation of AI-generated code creates a new market for validation and security tools. Inithouse's Audit Vibe Coding is a direct response to this demand, representing a 'picks and shovels' play on the AI development trend. For investors evaluating early-stage, AI-heavy startups, the presence of these basic vulnerabilities during due diligence is a major red flag. It signals a lack of engineering discipline and an inflated risk profile. Products in this space are likely bootstrapped or funded by specialist developer-tool VCs. A company's ability to demonstrate automated, verifiable security checks like these is becoming table stakes for technical diligence.