Your AI Writes Vulnerable Code by Default. Here's the Fix.
VIBE CODING RISK · 6 min read · #Guardrails #PRReview
45% of AI-generated code ships with at least one vulnerability (Veracode, 2025). Not in test environments. In production. The apps your team is shipping today.
That number has been sitting in security reports for over a year. What's changed is the scale. In 2026, AI generates roughly 46% of all new code on GitHub — and that figure is projected to hit 60% by year-end. The threat surface didn't just widen; it compounded.
The old response was "run SAST." That's still true, and you should. But SAST scans code after it's written. It doesn't change what the model writes in the first place.
The Prompt-to-PR Gap
Here's where vulnerabilities actually enter the codebase: at the prompt.
A developer asks Claude Code, Cursor, or Codex to "add a user search endpoint." The model produces something functional. It doesn't parameterize the SQL query — not because it can't, but because nothing in the prompt asked it to. The code ships. The scan might catch it at PR time. Or it won't.
This is the pattern Veracode documented across 100+ LLMs and 80 coding tasks. 86% of generated samples were vulnerable to XSS (Georgetown CSET, 2025). 88% were vulnerable to log injection. In a December 2025 Tenzai study, every single one of five major AI coding agents introduced SSRF into the same feature type — five out of five.
SAST catches some of this after the fact. The better fix is ensuring the model never writes the insecure version in the first place.
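The "add a user search endpoint" case above, as an added example that is not from the post or from VibeReview: the string-built query a model tends to produce when nothing in the prompt constrains it, beside the parameterized version that the "Parameterize all SQL queries (CWE-89)" guardrail asks for. The in-memory SQLite users table, its three rows and both search functions are constructed for this example; only the CWE number comes from the page.

```python
import sqlite3


def make_db():
    """Constructed sample database for the example (not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"), ("carol", "carol@example.com")],
    )
    return conn


def search_users_unsafe(conn, term):
    """CWE-89: the search term is spliced into the SQL text, so a quote character
    in `term` changes the statement's structure instead of being matched literally."""
    sql = f"SELECT username FROM users WHERE username LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_users_safe(conn, term):
    """Parameterized: `term` travels as a bound value and can never alter the
    statement. LIKE's own wildcards (% and _) are escaped so a user typing '%'
    does not silently match every row either."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (f"%{escaped}%",))]


if __name__ == "__main__":
    conn = make_db()
    print(search_users_unsafe(conn, "ali"))  # ['alice'] - both versions agree on benign input
    print(search_users_safe(conn, "ali"))    # ['alice']
    # Textbook tautology input: the unsafe version's WHERE clause becomes
    # username LIKE '%' OR '1'='1%', which is true for every row.
    hostile = "' OR '1'='1"
    print(search_users_unsafe(conn, hostile))  # all three usernames
    print(search_users_safe(conn, hostile))    # [] - the quote is just data
```

The difference the guardrail buys is visible in the last two lines: with the same input, the parameterized function returns nothing because no username contains that literal text, while the string-built one returns the whole table. A review comment at PR time would have flagged the first function; the guardrail's job is to make the second one the version that gets written on the first prompt.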
What Guardrails Actually Do
VibeReview works upstream. Before your team writes a line of AI-assisted code, it threat-models the repo: the language, frameworks, cloud surfaces, and data flows. From that model, it generates a guardrail pack — a set of rules mapped to OWASP Top 10 (2025) and specific CWE IDs — and serves those rules into the IDE via an MCP server.
The flow looks like this:
vibereview-kit scan → threat model → guardrail pack → MCP server → IDE context
When a developer prompts Claude Code or Cursor, the guardrails are already in context. The model sees "Parameterize all SQL queries (CWE-89)" as a constraint, not an afterthought. It writes the secure version on the first prompt — not after a PR comment flags an injection risk.
This is what "proactive, not post-hoc" means in practice. Not a philosophy; a different insertion point in the SDLC.
The PR Review Layer
The guardrails handle write-time. VibeReview also reviews PRs — but in a way that's designed to stay out of the way.
It reviews only the diff lines that crossed a rule. If a PR touches 400 lines and 3 of them introduce a hardcoded credential (CWE-798), those 3 lines get a comment. The other 397 don't. No 40-comment storms. No noise that trains teams to ignore the tool.
This matters more than it sounds. GitGuardian's 2026 State of Secrets Sprawl report documented 28.65 million new hardcoded secrets in public GitHub in 2025 — a 34% year-over-year increase. AI-assisted commits expose secrets at 3.2% vs. a 1.5% baseline for human-only code. The PR review layer exists to catch exactly this class of issue before it reaches main.
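An added example, written for this page and not VibeReview's own code, of the two mechanisms described in the guardrail and PR review sections: a rule pack whose entries carry CWE IDs (the page names CWE-89 and CWE-798; the regexes and the rule text are my constructions), and a reviewer that walks a unified diff and comments only on added lines that trip a rule. Context lines and removed lines never produce a comment, which is what keeps a 400-line PR with 3 offending lines down to 3 comments. The sample diff is constructed; the credential string in it is a fake placeholder.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    cwe: str
    message: str
    pattern: re.Pattern


# Constructed rule pack for the example. A generated pack would be derived from
# the repo's threat model; these two rules are only illustrative regexes.
RULE_PACK = [
    Rule("CWE-89", "Parameterize all SQL queries; do not build SQL with f-strings or concatenation.",
         re.compile(r'''\.execute\(\s*(?:f['"]|['"][^'"]*['"]\s*[%+])''')),
    Rule("CWE-798", "Do not hardcode credentials; load secrets from the environment or a vault.",
         re.compile(r'''(?i)(password|passwd|secret|api_key|token)\s*=\s*['"][^'"]{8,}['"]''')),
]

# "@@ -old_start,old_len +new_start,new_len @@": we only need new_start.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def review_diff(diff_text, rules=RULE_PACK):
    """Return (path, new_file_line, cwe, message) for each ADDED line that trips a
    rule. Context and removed lines are skipped, so pre-existing code in the
    same hunk is never commented on."""
    findings = []
    path, new_line, in_hunk = None, 0, False
    for raw in diff_text.splitlines():
        m = HUNK_RE.match(raw)
        if m:
            new_line, in_hunk = int(m.group(1)), True
            continue
        if not in_hunk or raw.startswith("diff --git"):
            in_hunk = False
            if raw.startswith("+++ "):                 # new-file name, e.g. "+++ b/app/users.py"
                name = raw[4:].strip()
                path = name[2:] if name.startswith("b/") else name
            continue
        if raw.startswith("-") or raw.startswith("\\"):
            continue                                   # removed line or "\ No newline at end of file"
        if raw.startswith("+"):
            for rule in rules:
                if rule.pattern.search(raw[1:]):
                    findings.append((path, new_line, rule.cwe, rule.message))
        new_line += 1                                  # context and added lines both occupy new-file lines
    return findings


def format_comments(findings):
    """Render findings as the one-line review comments a bot would post."""
    return [f"{path}:{line} [{cwe}] {msg}" for path, line, cwe, msg in findings]


# Constructed PR diff: one hunk that hardcodes a (fake) key and replaces a
# parameterized query with an f-string one. The removed parameterized line
# contains "execute(" and "%" but must not be commented on.
SAMPLE_DIFF = """\
diff --git a/app/users.py b/app/users.py
--- a/app/users.py
+++ b/app/users.py
@@ -10,4 +10,6 @@ def get_db():
     return conn
-API_KEY = os.environ["API_KEY"]
+API_KEY = "sk-live-0123456789abcdef"
 def search_users(conn, term):
-    return conn.execute("SELECT * FROM users WHERE name LIKE ?", (f"%{term}%",))
+    cursor = conn.cursor()
+    cursor.execute(f"SELECT * FROM users WHERE name LIKE '%{term}%'")
+    return cursor.fetchall()
"""

if __name__ == "__main__":
    for comment in format_comments(review_diff(SAMPLE_DIFF)):
        print(comment)
```

Run on the constructed diff, the reviewer produces exactly two comments, at new-file lines 11 (CWE-798) and 14 (CWE-89); the added `cursor = conn.cursor()` and `return cursor.fetchall()` lines and the unchanged `def search_users` context line produce none. Line numbers are tracked from the hunk header so each comment can be attached to the right line of the new file rather than to the PR as a whole.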
Where VibeReview Fits (and Doesn't)
Run SAST for periodic, deep audits of your full codebase. Run VibeReview for the prompt-to-PR loop — the continuous, fast cycle where AI generates most of your new code.
They're different layers. Semgrep and SonarQube do broad static analysis on what's already written. VibeReview shapes what gets written, then reviews the delta. Running both is the right answer.
One current caveat worth stating plainly: Copilot doesn't speak MCP yet. For GitHub Copilot users, VibeReview ships as a VS Code extension rather than an MCP integration. Claude Code, Cursor, and Codex use the MCP server directly.
The Token Economics Argument
There's a cost angle that gets overlooked in security conversations.
When the model writes a vulnerable function and a human catches it in review, you've paid twice: once for the AI to generate insecure code, and again for the AI (or a developer) to fix it. Secure-by-default generation means you pay once, for the code you actually wanted.
For teams shipping high volumes of AI-assisted code — and most engineering teams are, whether they've formalized it or not — that multiplies quickly.