Show HN: OWASP Scanner for Vibe Coded Apps

2•h_jain•9mo ago

Hey HN,

We just launched an early version of Circuit — a lightweight tool that helps vibe coders, citizen developers, and indie hackers run fast security scans focused on the OWASP Top 10 vulnerabilities and get practical fixes.

The problem we noticed: A lot of projects being built in no-code/low-code environments (Replit, Lovable, V0, Bubble, etc.) ship quickly but rarely get security reviewed. Even small apps often expose APIs, misconfigure auth, or leak secrets without realizing it.

With Circuit, you can: • Submit your app URL • Get a security report checking OWASP Top 10 vulnerabilities • Get suggested fixes for the issues found (not just a scary list)

We’re aiming to make security reviews fast and accessible for solo developers and small teams — without needing to be a security expert.

Right now: • It’s free while we’re in early stages • Feedback reports are emailed manually after scanning • You can see a sample report to know what to expect

Try it here: https://circuit.sh/

Comments

aniagent•9mo ago

Was looking for this exact thing, very interesting project.

alp1n3_eth•9mo ago

What are you using on the backend to actually scan it? Is it just ZAP / Burp Scanner? Or are you scanning the code itself, and just using a Semgrep / Snyk approach?

The landing page being free-tier Framer is a little sketch, the main contact should also probably be a form or an email address instead of a non-US phone number.

Is AI used throughout the entire process or just mainly focused on providing remedation recommendations based on the output of other tooling (scanners, JS analysis, secret scanning, etc.)?

Interesting project! Looking forward to see how it works and evolves.

Software Engineering Transformation 2026

Microsoft purges Win11 printer drivers, devices on borrowed time

Lunch with the FT: Tarek Mansour

Old Mexico and her lost provinces (1883)

'AI' is a dick move, redux

The source code was the moat. But not anymore

Does anyone else feel like their inbox has become their job?

An AI model that can read and diagnose a brain MRI in seconds

Dev with 5 of experience switched to Rails, what should I be careful about?

AlphaFace: High Fidelity and Real-Time Face Swapper Robust to Facial Pose

Scientists discover “levitating” time crystals that you can hold in your hand

Rammstein – Deutschland (C64 Cover, Real SID, 8-bit – 2019) [video]

Tell HN: Yet Another Round of Zendesk Spam

Postgres Message Queue (PGMQ)

Show HN: Django-rclone: Database and media backups for Django, powered by rclone

NY lawmakers proposed statewide data center moratorium

OpenClaw AI chatbots are running amok – these scientists are listening in

Show HN: AI agent forgets user preferences every session. This fixes it

Introduce the Vouch/Denouncement Contribution Model

Show HN: SSHcode – Always-On Claude Code/OpenCode over Tailscale and Hetzner

Microsoft appointed a quality czar. He has no direct reports and no budget

Multi-agent coordination on Claude Code: 8 production pain points and patterns

Washington Post CEO Will Lewis Steps Down After Stormy Tenure

DevXT – Building the Future with AI That Acts

A Minimal OpenClaw Built with the OpenCode SDK

The silent death of Good Code

The Internal Negotiation You Have When Your Heart Rate Gets Uncomfortable

Show HN: Glance – Fast CSV inspection for the terminal (SIMD-accelerated)

Busy for the Next Fifty to Sixty Bud

Imperative