Yikes – Security scanner for AI-generated code(yikes-security.vercel.app)
yikes-security.vercel.app
Yikes – Security scanner for AI-generated code
https://yikes-security.vercel.app
3 comments
The problem: AI-generated code often ships with hardcoded secrets, SQL injection vulnerabilities, and weak crypto. Most indie devs and startups don't have time or budget for security audits.
How it works: 1. Paste a GitHub repo URL 2. Yikes clones it, runs Semgrep with custom rules + dependency checks 3. Get results in ~30 seconds
It catches: - Hardcoded API keys, passwords, tokens - SQL injection via string interpolation - XSS patterns - Weak hashing (MD5, SHA1) - Vulnerable npm/pip packages - Common misconfigurations (.env not gitignored, debug mode, etc.)
Supports: JS/TS, Python, Swift, Go, Ruby, PHP, Java, Kotlin, C#
Free tier: 5 scans/day. No signup required.
Would love feedback - especially on false positive rates and what rules to add.
How it works: 1. Paste a GitHub repo URL 2. Yikes clones it, runs Semgrep with custom rules + dependency checks 3. Get results in ~30 seconds
It catches: - Hardcoded API keys, passwords, tokens - SQL injection via string interpolation - XSS patterns - Weak hashing (MD5, SHA1) - Vulnerable npm/pip packages - Common misconfigurations (.env not gitignored, debug mode, etc.)
Supports: JS/TS, Python, Swift, Go, Ruby, PHP, Java, Kotlin, C#
Free tier: 5 scans/day. No signup required.
Would love feedback - especially on false positive rates and what rules to add.
> Get a full manual audit with expert review and priority fixes.
Great.
Manual == human?
Expert == human?
All for $49.99?
Great.
Manual == human?
Expert == human?
All for $49.99?
The tricky part with LLM-generated code is when it's syntactically fine but semantically broken. Stuff like:
- auth logic that checks user.role but also has a `req.query.admin === 'true'` fallback because the model left debug code in
- JWT validation that calls verify() but passes `algorithms: ['none']` or disables signature checking — the code looks right
- async TOCTOU bugs where permission check and action aren't atomic because the LLM wrote it like sync code
None of these match simple patterns. You need dataflow analysis to catch them reliably.
Curious if you're thinking about that for the paid tier, or keeping it pattern-based to stay fast?