“Scanned my Cursor-built SaaS and found 14 critical issues the free tools missed. Deep Smart Scan patches were copy-paste ready — shipped the fixes same day.”
32 industrial scanners do the detection pass · then an AI noise filter maps your repo and drops the false positives, so you read real findings — not 600 lint hits. Built for Cursor, Bolt & Lovable projects. Results in minutes · pay only for the MB we read · $0.75/MB.
Same tooling indie hackers, studios, and SaaS founders trust. One stack. Thirty-two scanners across 19 languages, plus an AI noise filter.
Every scan exports as PDF, SARIF, and JSON — hand it to a teammate, feed your SIEM, or gate CI/CD on the A–F grade.
Coverage mapped to the OWASP Top 10: injection, broken authentication, SSRF, cryptographic failures and more.
Every finding mapped to a CWE identifier for ticketing and risk registers.
Aligns with NIST Secure Software Development Framework (SP 800-218) practices PW.4–PW.8 (reuse of well-secured software, secure coding, build configuration, code review/analysis, executable testing).
Sign in with GitHub or Google in one click — vibe coders, indie hackers, studios, SaaS teams all use the same flow. Your OAuth token grants scoped, read-only access to private repos · we never store credentials in plaintext. Enterprise SSO (SAML) available on request for studios > 10 seats.
Paste a Git URL (GitHub / GitLab / Bitbucket) or push a compressed archive up to 2 GB via presigned R2 upload. Source is cloned into an ephemeral sandbox and shredded within 10 minutes of scan completion.
32 scanners run in parallel across 19 languages (Semgrep, Trivy, Slither for Solidity, Brakeman for Rails, Detekt for Kotlin, +27). Then an AI layer builds a code map of your repo (security-critical vs. supporting vs. test/fixture files) and re-reads every scanner finding against it to drop the false positives. You read real findings, not scanner noise. Pay-per-MB · $0.75/MB · 1 MB minimum · price quoted before you commit.
A–F grade, severity × CWE breakdown, every finding mapped to OWASP Top 10. PDF report · SARIF export for your SIEM · REST API for CI/CD gating. Findings are cross-validated across scanners and prioritized by the AI code map, so you fix what matters first.
“Smart Scan runs on every client delivery now. Three hardcoded API keys in the last handoff — VibeGuardian caught them all before we shipped.”
“Our junior devs use Bolt and Lovable daily. Basic Free Scan on every PR + Deep Smart Scan before releases is the safety net that lets me sleep at night.”
“The Opus critique pass found a SQL injection pattern Semgrep alone missed. Plain-English explanation + diff-ready patch — exactly what I needed for a client audit.”
One human pass on a noisy scanner output burns a senior engineer for half a day. Our AI noise filter does the same triage in minutes — you pay only for the MB of code we actually read.
Semgrep + Trivy + 9 others · noise included
Senior AppSec pass · classify / dismiss / ticket
Fully-loaded US senior engineer
AI code map + false-positive filter · scanner noise dropped
End-to-end · 32 scanners + AI noise filter
1 MB minimum · one flat rate · pay only for the MB we read
Solo dev shipping a Cursor app: top up $20 and that covers ~26 MB of scanning, several passes on a typical MVP. Studio handing off 40 PRs a week: a $250 wallet becomes $290 with the volume bonus. Either way, you pay only for the MB we read · no subscription · no seat math.
No. Every scan runs inside an isolated ephemeral sandbox we control. The AI layer only ever receives the specific file slices its prompts require — never your full repository — and your source is shredded from our infrastructure within 10 minutes of scan completion. We retain only finding metadata (file paths, line numbers, severity, CWE) for your report, never the code itself.
Those products are rule-based scanners: they match patterns against a rules database (or, for dependency scanners like Trivy, a vulnerability database). We run thirty-two of them underneath ours across 19 languages (Semgrep itself is one). Our differentiator is the AI layer on top: it builds a code map of your repo, then re-reads every scanner finding against it and drops the false positives, such as the i18n string that looks like a secret or the SQL pattern that only lives in a test fixture. Raw scanner output often runs to hundreds of findings, the large majority of them false positives; we hand you the ones a human reviewer would have kept, prioritized by where they actually matter. One scan, one rate: $0.75/MB, no tiers to choose.
We collapsed them into one. The old Level 0–3 tiers made you guess how much AI rigor you needed and priced anywhere from $1.50 to $6.00/MB. The single VibeGuardian Scan is simpler and cheaper: 32 industrial scanners plus an AI noise filter, one flat $0.75/MB, on every scan. You get an A–F grade, every finding mapped to CWE + OWASP Top 10, and PDF / SARIF / JSON exports you can hand to a teammate or feed into CI. If your auditor needs a specific report format, email us — we iterate within the week.
Most scans complete in minutes — the AI passes are lightweight by design. We don't publish a hard latency SLA on the self-serve plan, since scan time scales with repo size. Platform availability target is 99.9% measured monthly. Need a contractual SLA, a dedicated queue, or a private deployment? Email founders@vibeguardian.dev — we quote a custom contract within 48h. (No formal Enterprise tier on the pricing page · we keep things lean · custom contracts negotiated 1-on-1.)
Yes. The REST API accepts an arbitrary Git clone URL plus an access token, so any self-hosted GitHub Enterprise, GitLab EE, Bitbucket Data Center, or Azure DevOps repo works the same way as the cloud versions, provided the host is reachable from our scanners. Use a read-only credential for this (a deploy token or a personal access token scoped to read that repo) rather than a user's full-access token. For air-gapped or dedicated-tenancy requirements, contact us about a private deployment.
Two layers. First, a finding that shows up independently across multiple scanners is flagged `crossValidated: true` and boosted in confidence. Second, the AI filter re-reads every finding against a code map of your repo and drops the ones sitting in test fixtures, generated code, and other low-risk locations. Every row in your report exposes its `confidence` and `crossValidated` fields and traces back to the named scanner that produced it — so your team can audit the math on your own scans from day one.
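Worked example of the CI gating and cross-validation described above. This is an added illustration, not VibeGuardian's own code or export schema: the SARIF 2.1.0 layout (runs, tool.driver.rules, results, locations) is the OASIS standard, but where a product would put `confidence`, `crossValidated`, the originating scanner, the CWE tags and a letter `grade` inside SARIF property bags is an assumption here, and the sample document is constructed. The policy it applies is the one a practitioner would want from the text: an `error`-level finding blocks the build only when it is corroborated by a second scanner or carries high confidence, everything else is left for triage, and a grade below the threshold fails the job regardless.

```python
"""CI gate over a SARIF 2.1.0 export: block on corroborated or
high-confidence errors, enforce a minimum letter grade, exit non-zero."""
import json
import sys
from collections import Counter

GRADES = "ABCDEF"


def _loc(uri, line):
    """Minimal SARIF physicalLocation for the constructed sample below."""
    return [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                  "region": {"startLine": line}}}]


# Constructed sample, not a real export. The `confidence`, `crossValidated`
# and `scanner` keys per result, the `external/cwe/cwe-NNN` rule tags and
# the run-level `grade` are assumptions about property-bag placement.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "sql-injection", "properties": {"tags": ["external/cwe/cwe-89"]}},
            {"id": "hardcoded-secret", "properties": {"tags": ["external/cwe/cwe-798"]}},
            {"id": "weak-hash", "properties": {"tags": ["external/cwe/cwe-328"]}},
        ]}},
        "properties": {"grade": "C"},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "query built by string concatenation"},
             "locations": _loc("app/db.py", 42),
             "properties": {"confidence": 0.92, "crossValidated": True, "scanner": "semgrep"}},
            {"ruleId": "hardcoded-secret", "level": "warning",
             "message": {"text": "string resembles an API key"},
             "locations": _loc("tests/fixtures/keys.json", 3),
             "properties": {"confidence": 0.31, "crossValidated": False, "scanner": "gitleaks"}},
            {"ruleId": "weak-hash", "level": "error",
             "message": {"text": "MD5 used for password hashing"},
             "locations": _loc("app/auth.py", 17),
             "properties": {"confidence": 0.55, "crossValidated": False, "scanner": "bandit"}},
        ],
    }],
}


def rule_cwes(run):
    """Map ruleId -> CWE numbers parsed from 'external/cwe/cwe-NNN' tags."""
    out = {}
    for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
        tags = rule.get("properties", {}).get("tags", [])
        out[rule["id"]] = [t.rsplit("-", 1)[1] for t in tags
                           if t.startswith("external/cwe/cwe-")]
    return out


def findings(sarif):
    """Flatten every result across all runs into one normalized dict each."""
    for run in sarif.get("runs", []):
        cwes = rule_cwes(run)
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            props = res.get("properties", {})
            yield {
                "rule": res.get("ruleId", "?"),
                "level": res.get("level", "warning"),  # SARIF default level
                "path": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
                "cwes": cwes.get(res.get("ruleId"), []),
                "confidence": float(props.get("confidence", 0.0)),
                "cross_validated": bool(props.get("crossValidated", False)),
                "scanner": props.get("scanner", "?"),
            }


def blocks_build(f, min_confidence=0.8):
    """An error blocks only if a second scanner agrees or confidence is high."""
    return f["level"] == "error" and (f["cross_validated"] or f["confidence"] >= min_confidence)


def grade_ok(sarif, minimum="B"):
    """True unless some run reports a letter grade worse than `minimum`."""
    for run in sarif.get("runs", []):
        g = run.get("properties", {}).get("grade")
        if g in GRADES and GRADES.index(g) > GRADES.index(minimum):
            return False
    return True


def gate(sarif, min_confidence=0.8, min_grade="B"):
    """Return (blocking findings, per-scanner counts, grade passed)."""
    allf = list(findings(sarif))
    blocking = [f for f in allf if blocks_build(f, min_confidence)]
    return blocking, Counter(f["scanner"] for f in allf), grade_ok(sarif, min_grade)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_SARIF
    blocking, counts, grade_passed = gate(doc)
    for f in blocking:
        print(f"BLOCK {f['path']}:{f['line']} {f['rule']} "
              f"CWE-{','.join(f['cwes']) or '?'} via {f['scanner']}")
    print("findings per scanner:", dict(counts), "| grade ok:", grade_passed)
    sys.exit(0 if grade_passed and not blocking else 1)
```

Run it as `python gate.py scan.sarif` in the pipeline step after the export is fetched; on the constructed sample only the cross-validated SQL injection blocks, the fixture hit stays at warning level, the uncertain MD5 finding is left for triage, and the C grade fails the B threshold. Lowering `min_confidence` or `min_grade` is the knob for how strict the gate is per branch.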