The best security scanner for Replit apps tests the deployed site, not just the code. CheckVibe (from $0) leads for Replit: 100+ checks including the Replit-signature failure modes, plus SEO/AEO scanning no competitor offers. VibeEval, Vibe App Scanner, and Scanbee are strong security-only options.
TL;DR
Replit Agent deploys astonishingly fast on defaults tuned for prototyping: verbose error pages that leak stack traces, permissive CORS, no security headers, and secrets that sometimes reach the client bundle despite being tagged "secret" in the editor. The deployed URL is the source of truth for what actually shipped.
Paste your deployed Replit URL and get 100+ security checks plus 68 SEO and 46 AEO checks in about 30 seconds — no repo access, no setup. For Replit specifically: it detects verbose error responses and leaked secrets in the served bundle — the two signature Replit-deploy issues — plus the standard header, CORS, and injection battery. Findings ship as copy-paste AI fix prompts, and monitoring (uptime, vitals, threats) covers you after launch.
Best for: All-in-one security + visibility, from $0
Autonomous browser-agent security testing of the live app — including behind auth walls and CAPTCHAs (their claim). Security-only. Lists Replit as a supported platform.
Best for: Deep agent-based security testing
One-time security audits of the deployed app: exposed secrets, database access rules (Supabase/Firebase), headers, auth. No free scan tier listed as of June 2026. Lists Replit as a supported platform.
Best for: A cheap one-off pre-launch security audit
Five security scanner types — DAST, SAST, SCA, CSPM (AWS), vulnerability assessment — accepting both URLs and GitHub repos, with a native Supabase integration. Lists Replit as a supported platform.
Best for: Source + live + cloud security in one product
The open-source standard for dynamic web app security testing. Extremely capable, entirely manual: you run it, configure it, and interpret the results. No vibe-coding-specific checks (no Supabase RLS probing, no AI-pattern detection).
Best for: Hands-on testing without a SaaS
Start with the free scan.
100+ security checks, 68 SEO checks, 46 AEO checks — one URL, about 30 seconds.
If the app has users, data, or payments — yes. AI-generated apps ship with a consistent set of gaps (exposed keys, missing access control, no headers), and every tool on this list catches issues a manual click-through never will. Start with a free scan; the result settles the question.
A free scan is enough to find out where you stand today. Paid tiers buy continuity (scheduled scans, monitoring, alerts) and depth (more pages crawled, more checks). For a side project, free-tier scans before each launch may genuinely suffice.
Server-side, generally yes. The risk is code the Agent writes that passes a secret to the client — embedding it in rendered HTML, a JSON response, or the bundle. That only shows up by inspecting the deployed app, which is what these scanners do.
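The four Replit-deploy failure modes named in the TL;DR (verbose error pages, permissive CORS, missing security headers) and in the answer above (a server secret reaching the served HTML, JSON, or bundle) can all be checked from a single HTTP response. The script below is an added example, not code from CheckVibe or any scanner on this list; the header baseline, the stack-trace markers and the small secret-format list are assumptions chosen for illustration, and both sample responses are constructed rather than captured from a real app.

```python
"""Audit one deployed-app HTTP response for Replit-style default gaps:
missing security headers, permissive CORS, verbose error pages, and
server secrets that reached the served body. Added example; not the
code of any scanner this page compares."""
import re
from typing import Dict, List, Tuple

# Assumed baseline of headers a hardened deployment should send.
REQUIRED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
)

# Markers that a framework's default error page is leaking internals.
STACK_TRACE_MARKERS = (
    re.compile(r"Traceback \(most recent call last\)"),   # Python
    re.compile(r"^\s+at \S+ \(.+:\d+:\d+\)", re.M),      # Node/V8 frames
    re.compile(r"/home/runner/"),                         # Replit workspace path
)

# Well-known secret formats (assumed starter list). Publishable keys such as
# pk_live_... belong in the client and are deliberately not flagged.
SECRET_PATTERNS = {
    "stripe_secret_key": re.compile(r"\bsk_(live|test)_[0-9A-Za-z]{24,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "private_key_block": re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----"),
}


def audit_response(status: int, headers: Dict[str, str], body: str,
                   request_origin: str = "https://evil.example") -> List[Tuple[str, str]]:
    """Return (category, detail) findings for a single response."""
    findings: List[Tuple[str, str]] = []
    h = {k.lower(): v for k, v in headers.items()}

    for name in REQUIRED_HEADERS:
        if name not in h:
            findings.append(("missing_header", name))

    # Wildcard or reflected origin; worse when credentials are allowed too.
    acao = h.get("access-control-allow-origin")
    if acao == "*" or (acao is not None and acao == request_origin):
        detail = "*" if acao == "*" else f"reflects origin {acao}"
        if h.get("access-control-allow-credentials", "").lower() == "true":
            detail += " with credentials"
        findings.append(("permissive_cors", detail))

    # A 5xx body carrying a stack trace is the verbose-error default.
    if status >= 500:
        for marker in STACK_TRACE_MARKERS:
            if marker.search(body):
                findings.append(("verbose_error", marker.pattern))
                break

    # Report only a prefix so the audit output does not copy the secret.
    for label, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(body):
            findings.append(("secret_in_body", f"{label}: {m.group(0)[:12]}..."))
    return findings


def fetch_and_audit(url: str, origin: str = "https://evil.example"):
    """Fetch a URL you own and audit the live response (not called here)."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, headers={"Origin": origin,
                                               "User-Agent": "header-audit/0.1"})
    try:
        resp = urllib.request.urlopen(req, timeout=15)
    except urllib.error.HTTPError as err:   # keep the 5xx body for inspection
        resp = err
    body = resp.read().decode("utf-8", errors="replace")
    return audit_response(resp.status, dict(resp.headers.items()), body, origin)


# Constructed sample 1: a Node app's default 500 page with wildcard CORS.
SAMPLE_ERROR = (
    500,
    {"Content-Type": "text/html", "Access-Control-Allow-Origin": "*"},
    "Error: connect ECONNREFUSED\n"
    "    at TCPConnectWrap.afterConnect (node:net:1494:16)\n",
)

# Constructed sample 2: hardened headers, but a secret key baked into the bundle.
SAMPLE_BUNDLE = (
    200,
    {"Content-Type": "application/javascript",
     "Content-Security-Policy": "default-src 'self'",
     "Strict-Transport-Security": "max-age=31536000",
     "X-Content-Type-Options": "nosniff",
     "X-Frame-Options": "DENY"},
    'const stripe=Stripe("sk_live_TEST' + "x" * 20 + '");',
)

if __name__ == "__main__":
    for name, sample in (("error page", SAMPLE_ERROR), ("bundle", SAMPLE_BUNDLE)):
        print(name)
        for category, detail in audit_response(*sample):
            print(f"  {category}: {detail}")
```

Point `fetch_and_audit` at your own deployed replit.app URL to run the same checks live; the `Origin` header it sends is what exposes an origin-reflecting CORS configuration, which a plain browser visit would not. Pattern matching on the body is a starting point, not a verdict: it misses secrets in formats the list does not know, and anything it does flag still needs confirming against the project's actual environment variables.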
Yes — they scan any publicly reachable URL, including replit.app subdomains. If your repl is private/not deployed, deploy it first; external scanners test the live deployment.
Pricing and feature claims verified against these pages on June 12, 2026.