Vouch-secure

Security and one-click fixes for AI-generated code

@jonathand3mir
Published on Jun 14, 2026

Details

Pricing
Freemium from $8
Platforms
Web

About Vouch-secure

Vouch is a security scanner built specifically for AI-generated code. AI coding tools like Cursor, Claude Code, GitHub Copilot, Windsurf, and v0 let developers ship apps in hours instead of weeks. The problem: they also let developers ship security bugs they do not understand: SQL injections, missing authentication, leaked API keys, prompt injection on LLM endpoints. These are the kinds of bugs experienced engineers spot instinctively and AI tools do not. Vouch fixes that. Install the GitHub App, point it at a repo, and every push runs a curated security scan focused on the bug patterns that actually cause real-world leaks. You get a Security Score from 0 to 100, three concrete to-dos in plain language, and one-click fix PRs that you review and merge.

Built on a transparent stack: Semgrep with a hand-curated ruleset for AI-coded apps; Gemini, which re-ranks findings through a graph-RAG over real CVE patterns and OWASP guidance (so the LLM is grounded instead of hallucinating); gitleaks for secret detection; and a deterministic scoring layer that weighs findings by exploitability.

The study behind the product: I scanned 50 real Cursor-built GitHub repos with Vouch before launch. The results:

  • Average security score: 34 out of 100
  • 88 percent had at least one HIGH-severity vulnerability
  • 52 percent had at least one CRITICAL finding
  • 36 percent committed secrets or API keys in source
  • 32 percent scored exactly 0 out of 100
  • The single most common finding across all 50 repos was SQL injection via sqlalchemy.text(). The next two were path traversal via unsanitized path.join inputs (23 instances) and XXE through the Python xml library on untrusted input (23 instances).

The pattern: AI tools default to raw-string concatenation whenever the idiomatic ORM or parser API is awkward. That shortcut is exactly where the leaks come from.

Who Vouch is for:

  • Indie hackers and solo founders shipping with AI coding tools
  • Small teams without a dedicated security engineer
  • Anyone whose codebase is 50 percent or more AI-generated
  • Developers tired of getting a thousand Semgrep findings and ignoring them all

Who Vouch is NOT for: enterprise security teams who already run Snyk, SonarQube, or GitHub Advanced Security. Vouch is intentionally narrower and faster, not deeper.

Free for personal repos. A paid tier exists for teams and high-volume repos but is currently in test mode with no card required. Setup takes about five minutes: install the GitHub App, pick a repo, get your first score.

Built by Jonathan Demir, business informatics student at TUM Munich, since March 2026. Try it free at https://vouch-secure.com or read the full study at https://vouch-secure.com/study.html
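To make the three shortcuts from the study concrete, here is a small AST-based Python detector, added here as an illustration and not Vouch's ruleset, Semgrep's, or any code from the project: it flags sqlalchemy.text() calls fed a runtime-built string, os.path.join calls that take a request-derived piece, and stdlib xml parser entry points, and it leaves the idiomatic form of each (named bind parameters, a basename-sanitized path, and the same code with no xml call) unflagged. The sample source it scans is constructed, the Flask-style `request` taint heuristic and the rule names are assumptions, and the path rule is deliberately a heuristic with no dataflow analysis.

```python
import ast
from dataclasses import dataclass

# Constructed sample source (not from any scanned repo). Each "bad" line uses
# the shortcut the study describes; the "ok" line next to it uses the API form.
SAMPLE_SOURCE = '''
import os
import xml.etree.ElementTree as ET
from sqlalchemy import text

def get_user(db, request):
    uid = request.args["id"]
    bad = db.execute(text(f"SELECT * FROM users WHERE id = {uid}"))
    bad2 = db.execute(text("SELECT * FROM users WHERE id = " + uid))
    ok = db.execute(text("SELECT * FROM users WHERE id = :uid"), {"uid": uid})
    return bad, bad2, ok

def read_upload(request):
    bad = open(os.path.join("/srv/uploads", request.args["name"]))
    name = os.path.basename(request.args["name"])
    ok = open(os.path.join("/srv/uploads", name))
    return bad, ok

def parse_body(request):
    return ET.fromstring(request.data)
'''

XML_SINKS = ("parse", "fromstring", "parseString", "iterparse", "XMLParser")
JOIN_FUNCS = ("os.path.join", "path.join", "posixpath.join")


@dataclass
class Finding:
    line: int
    rule: str
    message: str


def _dotted(node):
    """Render a Name/Attribute chain as 'a.b.c'; '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    parts.append(node.id)
    return ".".join(reversed(parts))


def _root_name(node):
    """Innermost Name of an expression such as request.args["x"] -> 'request'."""
    while isinstance(node, (ast.Attribute, ast.Subscript, ast.Call)):
        node = node.func if isinstance(node, ast.Call) else node.value
    return node.id if isinstance(node, ast.Name) else ""


def _is_dynamic_string(node):
    """True if the string is assembled at runtime: f-string, '+', '%' or str.format."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


class ShortcutVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []
        self.sql_text_names = set()  # names bound to sqlalchemy.text in this file
        self.xml_modules = set()     # names bound to stdlib xml.* modules/functions

    def visit_Import(self, node):
        for a in node.names:
            if a.name == "sqlalchemy":
                self.sql_text_names.add(f"{a.asname or a.name}.text")
            elif a.name.startswith("xml."):
                self.xml_modules.add(a.asname or a.name.split(".")[0])
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        mod = node.module or ""
        for a in node.names:
            if mod.startswith("sqlalchemy") and a.name == "text":
                self.sql_text_names.add(a.asname or a.name)
            elif mod == "xml" or mod.startswith("xml."):
                self.xml_modules.add(a.asname or a.name)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _dotted(node.func)
        first, leaf = name.split(".")[0], name.rsplit(".", 1)[-1]
        # Rule 1: sqlalchemy.text() fed a string built at runtime -> SQL injection.
        if name in self.sql_text_names and node.args and _is_dynamic_string(node.args[0]):
            self._report(node, "sqli", "sqlalchemy.text() built from runtime strings; use :named bind parameters")
        # Rule 2 (heuristic): os.path.join with a piece rooted in `request` -> path traversal.
        elif name in JOIN_FUNCS and any(_root_name(a) == "request" for a in node.args):
            self._report(node, "path-traversal", "os.path.join on request input; sanitize and confirm the result stays under the base dir")
        # Rule 3: stdlib xml entry point -> XXE / entity expansion on untrusted input.
        elif first in self.xml_modules and leaf in XML_SINKS:
            self._report(node, "xxe", "stdlib xml parser; for untrusted input use defusedxml")
        self.generic_visit(node)

    def _report(self, node, rule, message):
        self.findings.append(Finding(node.lineno, rule, message))


def scan(source: str):
    """Return findings for one Python source string, in source order."""
    v = ShortcutVisitor()
    v.visit(ast.parse(source))
    return v.findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line:>3}  {f.rule:<15} {f.message}")
```

Run as a script it reports the two string-built text() calls, the one join that takes request input, and the fromstring call, and nothing for the three "ok" lines. The point of the `_is_dynamic_string` check is that a constant query string passed to text() is exactly the intended API use, so a rule that flagged every text() call would produce the flood of findings the page complains about; only the runtime-assembled form is the shortcut.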

Product Insights

Vouch-secure provides automated security scanning and one-click remediation for vulnerabilities specifically found in AI-generated code. It utilizes Semgrep and gitleaks alongside a Gemini-based RAG layer to detect issues like SQL injections and leaked API keys.

  • One-click pull requests for automated vulnerability fixes.
  • Curated rule library specifically targeting AI coding shortcuts.
  • GitHub App integration for automated scanning on every push.
  • Freemium pricing model with zero-cost access for personal repos.

Ideal for: Solo founders, indie hackers, and small dev teams without dedicated security staff who frequently use AI coding tools.

Comments (1)

@jonathand3mir

I built Vouch after my own AI-coded apps shipped with SQL injections and leaked keys. Tested it on 50 real repos: avg score 34/100. Free for personal repos.