Vibe-Coding Without Security Review
Anti-pattern: a developer scaffolds an agent prototype with a code-generation tool and ships the generated code with no security review; roughly 90% of code generated without explicit security prompting contains vulnerabilities.
Problem
Generated code routinely contains hardcoded API keys, missing input validation, world-readable file modes, unsanitized SQL, secrets in logs, and missing authentication on internal endpoints. Studies cited in the t3n German press piece put the vulnerability rate near 90% without explicit security prompts. 'It worked' becomes the entire QA. Differs from existing agent-generated-code-rce (which is the runtime attack surface); this is the *shipping* anti-pattern.
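The defects listed above, as an added example that is not code from the page: a constructed "generated" snippet with a hardcoded key, string-built SQL, a world-readable token file and a secret in a log line, beside the hardened form a review should turn it into. The table, the column names, the API key value and the file names are all made up for the demonstration.

```python
"""Added example: vulnerable scaffold output beside its hardened form (constructed)."""
import logging
import os
import sqlite3
import stat
import tempfile

# --- "It worked" version: the shape a scaffolding tool typically emits --------
API_KEY = "sk-live-EXAMPLE0000"   # hardcoded secret (placeholder value, constructed)


def generated_lookup(conn, username):
    # Unsanitized SQL: the value is interpolated straight into the statement.
    sql = f"SELECT id, role FROM users WHERE name = '{username}'"
    return conn.execute(sql).fetchall()


def generated_write_token(path, token):
    with open(path, "w") as fh:
        fh.write(token)
    os.chmod(path, 0o666)                                # world-readable and writable
    logging.info("wrote token %s to %s", token, path)    # the secret lands in the log


# --- Hardened version: what review should produce -----------------------------
def load_api_key():
    # Secrets come from the environment or a secret manager, never from source.
    key = os.environ.get("API_KEY")
    if not key:
        raise RuntimeError("API_KEY is not set")
    return key


def hardened_lookup(conn, username):
    # Validate the shape first, then bind the value; the driver handles quoting.
    if not isinstance(username, str) or not 0 < len(username) <= 64:
        raise ValueError("invalid username")
    return conn.execute(
        "SELECT id, role FROM users WHERE name = ?", (username,)
    ).fetchall()


def hardened_write_token(path, token):
    # Create the file owner-only (0600) from the start, so there is no window in
    # which it is readable by others before a later chmod; log the event, not the value.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token)
    logging.info("wrote token to %s", path)


def demo():
    """Run both versions against a constructed in-memory table and an injection payload."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "user"), (2, "admin", "admin")])
    payload = "x' OR '1'='1"   # classic tautology payload
    with tempfile.TemporaryDirectory() as d:
        gen_path = os.path.join(d, "generated.token")
        hard_path = os.path.join(d, "hardened.token")
        generated_write_token(gen_path, "t0ken")
        hardened_write_token(hard_path, "t0ken")
        gen_mode = stat.S_IMODE(os.stat(gen_path).st_mode)
        hard_mode = stat.S_IMODE(os.stat(hard_path).st_mode)
    return {
        "generated_rows": len(generated_lookup(conn, payload)),  # every row leaks
        "hardened_rows": len(hardened_lookup(conn, payload)),    # no such user
        "generated_mode": gen_mode,                              # 0o666
        "hardened_mode": hard_mode,                              # 0o600
    }


if __name__ == "__main__":
    print(demo())
```

The generated lookup returns both rows for the payload because the quote in the input closes the literal; the parameterized version treats the whole payload as a name and finds nothing. Note that the hardened file write fixes the mode at creation rather than chmod-ing afterwards, which is the detail a "works on my machine" review usually misses.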
Solution
Treat coding-tool-generated code as untrusted contribution requiring full review. Run static analysis (Semgrep, CodeQL) on all generated code before commit. Require secrets scanning, SQL-injection scanning, and dependency vetting. Prefer security-aware prompting (provide hardening rules in the prompt) but never substitute it for review. Pair with agent-generated-code-rce awareness.
When to use
- Never. Cite when reviewing scaffolded code shipped without security review.
- Run static analysis and secrets scanning on all generated code before commit.
- Treat scaffolded code as untrusted contribution by default.
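A minimal shape for the pre-commit gate described above, as an added example that is not code from the page or from any tool it names: a handful of constructed regex rules run over a constructed generated snippet and its hardened counterpart, refusing the commit when anything matches. The rules are deliberately crude stand-ins for the smells the Problem section lists; in practice Semgrep, CodeQL and a secrets scanner supply the rules, and this block only shows where the gate sits.

```python
"""Added example: a toy review gate over generated source text (constructed rules)."""
import re

# Each rule is (id, pattern). Constructed heuristics for the smells this page lists;
# a real gate runs Semgrep/CodeQL and a secrets scanner instead of these.
RULES = [
    ("hardcoded-secret",
     re.compile(r"(?i)\b(?:api[_-]?key|secret|token|password)\s*=\s*[\"'][^\"']{8,}[\"']")),
    ("sql-string-build",   # f-string or concatenation feeding a SQL verb
     re.compile(r"(?i)(?:f[\"'].*\b(?:select|insert|update|delete)\b.*\{"
                r"|\b(?:select|insert|update|delete)\b.*[\"']\s*(?:\+|%)\s*\w)")),
    ("world-readable-mode",   # chmod with the 'other' read bit set
     re.compile(r"chmod\([^)]*0o?[0-7]{2}[4-7]\b")),
    ("secret-in-log",   # a secret-named variable passed as a log argument
     re.compile(r"(?i)\blog(?:ging|ger)?\.(?:debug|info|warning|error)\([^)]*,\s*"
                r"(?:\w*\.)?(?:token|password|secret|api[_-]?key)\w*\s*[,)]")),
]

# Constructed sample of what a scaffolding tool might emit.
GENERATED_SNIPPET = '''\
import logging, os
API_KEY = "sk-live-EXAMPLE0000"
def lookup(conn, username):
    sql = f"SELECT id, role FROM users WHERE name = '{username}'"
    return conn.execute(sql).fetchall()
def save(path, token):
    open(path, "w").write(token)
    os.chmod(path, 0o666)
    logging.info("saved token %s", token)
'''

# Constructed hardened counterpart that the gate should let through.
HARDENED_SNIPPET = '''\
import logging, os
API_KEY = os.environ["API_KEY"]
def lookup(conn, username):
    return conn.execute("SELECT id, role FROM users WHERE name = ?", (username,)).fetchall()
def save(path, token):
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token)
    logging.info("saved token to %s", path)
'''


def scan_source(text):
    """Return (line_no, rule_id, line) for every code line a rule matches."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue   # comments are not code
        for rule_id, pattern in RULES:
            if pattern.search(line):
                findings.append((no, rule_id, stripped))
    return findings


def review_gate(text):
    """True when nothing matched and the snippet may proceed to human review/commit."""
    return not scan_source(text)


if __name__ == "__main__":
    for finding in scan_source(GENERATED_SNIPPET):
        print("%3d  %-20s %s" % finding)
    print("generated passes gate:", review_gate(GENERATED_SNIPPET))
    print("hardened passes gate:", review_gate(HARDENED_SNIPPET))
```

Wire the gate in as a pre-commit hook or CI step that fails on any finding; a passing gate is the entry ticket to review, not a replacement for it, which is the distinction the Solution paragraph draws between security-aware prompting and review.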