The best security scanner for Cursor apps tests the deployed site, not just the code. CheckVibe (from $0) leads for Cursor: 100+ checks including the Cursor-signature failure modes, plus SEO/AEO scanning no competitor offers. VibeEval, Vibe App Scanner, and Scanbee are strong security-only options.
TL;DR
Apps shipped from Cursor (and Claude Code) carry prompt-shaped security: if the prompt didn't mention CSRF, rate limits, or parameterized queries, the code probably doesn't have them. The recurring finds are committed secrets, SQL string interpolation, permissive CORS copied from training data, and verbose error handling. Because Cursor projects can be any framework, the scanner needs to test the deployed result, not assume a stack.
Paste your deployed Cursor-built URL and get 100+ security checks plus 68 SEO and 46 AEO checks in about 30 seconds — no repo access, no setup. For Cursor workflows specifically: findings are emitted as paste-ready fix prompts tuned for Cursor and Claude Code, and the MCP server lets you trigger scans and read results without leaving the editor. Monitoring (uptime, vitals, threats) covers you after launch.
Best for: All-in-one security + visibility, from $0
Autonomous browser-agent security testing of the live app — including behind auth walls and CAPTCHAs (their claim). Security-only. Lists Cursor as a supported platform.
Best for: Deep agent-based security testing
One-time security audits of the deployed app: exposed secrets, database access rules (Supabase/Firebase), headers, auth. No free scan tier listed as of June 2026. Lists Cursor as a supported platform.
Best for: A cheap one-off pre-launch security audit
Five security scanner types — DAST, SAST, SCA, CSPM (AWS), vulnerability assessment — accepting both URLs and GitHub repos, with a native Supabase integration. Lists Cursor and Claude Code as supported platforms; adds SAST against the repo.
Best for: Source + live + cloud security in one product
The open-source standard for dynamic web app security testing. Extremely capable, entirely manual: you run it, configure it, and interpret the results. No vibe-coding-specific checks (no Supabase RLS probing, no AI-pattern detection).
Best for: Hands-on testing without a SaaS
Start with the free scan.
100+ security checks, 68 SEO checks, 46 AEO checks — one URL, about 30 seconds.
If the app has users, data, or payments — yes. AI-generated apps ship with a consistent set of gaps (exposed keys, missing access control, no headers), and every tool on this list catches issues a manual click-through never will. Start with a free scan; the result settles the question.
A free scan is enough to find out where you stand today. Paid tiers buy continuity (scheduled scans, monitoring, alerts) and depth (more pages crawled, more checks). For a side project, free-tier scans before each launch may genuinely suffice.
After every shipping session, yes — AI editors can reintroduce a vulnerability in any edit (a logged secret, an interpolated query). The MCP integration makes this nearly free: ask your editor to run a scan when you finish.
Asking Cursor or Claude Code to security-review a diff genuinely helps, but it sees code, not the deployed reality — live headers, TLS, DNS, actual RLS enforcement, what's really in the served bundle. External scanning verifies the thing users and attackers actually touch.
Pricing and feature claims verified against these pages on June 12, 2026.