
Vibe Coding Produced Your MVP. Now What?

Priit Kallas

You shipped your MVP in three weeks using Cursor. Or Copilot. Or Claude Code. The app works, users are signing up, and you’re feeling good.

But here’s the question nobody’s asking: is the code actually good?

Not “does it work” — it clearly does. But is it secure? Is it maintainable? Will it survive the next six months of feature development without collapsing under its own weight?

We ran a vibe coding code review on a real production app to find out. It scored 68 out of 100. Then we fed the findings back to AI and watched the score climb.

The experiment

A solo founder built a full-stack SaaS application using AI coding tools: about 20,000 lines of TypeScript on Next.js and Supabase, with a mobile app via Capacitor. Three and a half months from first commit to production, 379 commits, real paying users.

From the outside, it looked great. Polished UI, solid feature set, proper authentication, offline support, PDF generation, push notifications. The kind of app that makes you think vibe coding actually works.

We ran StackGrit’s AI code analysis on it. Overall score: 68 out of 100 — a D+.

What the AI found that the builder missed

Security vulnerabilities in production

The PDF generation library had two known CVEs, one critical, one high severity. They could allow malicious content injection into documents shared with clients. The fix was a one-line version bump from 4.2.0 to 4.2.1, already available. The builder had no idea.

The web framework had three additional unpatched security issues. The Content Security Policy was effectively disabled with unsafe-inline and unsafe-eval, removing a key defense layer. All API routes were exposed under a wildcard CORS policy (Access-Control-Allow-Origin: *), far broader than needed.

None of these would show up during normal development. The app worked perfectly. The vulnerabilities were invisible until someone looked.
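The two misconfigurations above, as an added example that is not code from the audited app: the flagged CSP and CORS values beside a hardened form (per-request script nonce, no eval, CORS origin echoed only from an allowlist), plus a small audit check that flags exactly what the review reported. The allowlisted origins are constructed placeholders; the Capacitor origin is an assumption about how the mobile shell loads the app.

```typescript
type HeaderMap = Record<string, string>;

// What the review found: inline and eval'd scripts allowed, CORS open to any origin.
const weakHeaders: HeaderMap = {
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
  "Access-Control-Allow-Origin": "*",
};

// Constructed allowlist (placeholders): the web origin and the Capacitor mobile shell.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "capacitor://localhost"]);

// Hardened form. A Next.js middleware or next.config.js headers() entry could
// return these; `nonce` is generated per request by the caller.
function buildSecurityHeaders(requestOrigin: string | null, nonce: string): HeaderMap {
  const headers: HeaderMap = {
    "Content-Security-Policy": [
      "default-src 'self'",
      `script-src 'self' 'nonce-${nonce}'`, // inline scripts must carry the nonce; no eval
      "object-src 'none'",
      "base-uri 'self'",
    ].join("; "),
  };
  // Echo the requesting origin only if it is allowlisted; never "*".
  if (requestOrigin !== null && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Vary"] = "Origin"; // keep caches from serving one origin's answer to another
  }
  return headers;
}

// Review check: returns the findings a code audit would raise for a header map.
function auditHeaders(headers: HeaderMap): string[] {
  const findings: string[] = [];
  const csp = headers["Content-Security-Policy"] ?? "";
  if (csp === "") findings.push("CSP missing");
  for (const weak of ["'unsafe-inline'", "'unsafe-eval'"]) {
    if (csp.includes(weak)) findings.push(`CSP allows ${weak}`);
  }
  if (headers["Access-Control-Allow-Origin"] === "*") findings.push("CORS wildcard origin");
  return findings;
}
```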

Critical paths with zero tests

The two most important user workflows, the ones that generate revenue and handle client data, had no unit or integration tests. A 450-line function handling the core business workflow was completely untested.

The irony: the codebase had a decent test suite (51 test files) with good coverage of the calculation engine and offline sync layer. But the most-changed, most-critical code had the least test coverage. AI-generated tests covered the easy parts and skipped the hard ones.

890-line mega-components

The main page component was a single React function spanning 890 lines. 20+ state variables, 10 useEffect hooks, and the full JSX tree all crammed into one function. Two other pages exceeded 600 lines each.

These components work fine today but become unmaintainable in three months. Every new feature makes them bigger. Every bug fix risks breaking something else. AI coding tools tend to produce these because they optimize for “make it work” not “make it maintainable.”

Type safety shortcuts everywhere

TypeScript strict mode was on — good. But 172 any type assertions across 52 files effectively disabled the safety net TypeScript is supposed to provide. AI coding tools use any as an escape hatch when types get complex, trading compile-time safety for “it works now.” The shortcuts were concentrated in exactly the areas where data shapes are most complex and bugs are hardest to catch.

A licensing time bomb

One of the animation libraries was used under a free license that prohibits commercial SaaS use. A potential intellectual property violation that would only surface when the product scales — exactly the worst time to discover it.

The fix: feed the report back to Claude

This is where it gets good. The builder took the StackGrit report and fed the findings straight back into Claude. Fix the security vulnerabilities. Add tests for the untested paths. Break up the mega-components. Remove the any types.

Score after the first round of fixes: 76 out of 100 — an 8-point jump from D+ to C+.

| Area          | Before | After | Change |
|---------------|--------|-------|--------|
| Architecture  | 78     | 78    | 0      |
| Test Coverage | 62     | 75    | +13    |
| Code Quality  | 65     | 73    | +8     |
| Security      | 60     | 75    | +15    |
| Technologies  | 65     | 72    | +7     |
| Data Model    | 74     | 82    | +8     |
| Team          | 80     | 82    | +2     |

Security improved by 15 points. Test coverage by 13. And this was just the first iteration — the builder plans to keep running analyses and improving incrementally.

This isn’t an indictment of vibe coding

The app was impressive. A solo founder shipped a full production SaaS with mobile apps, offline support, and payment processing in under four months. That’s remarkable by any standard.

But the data on AI-generated code quality tells a clear story:

  • AI-authored code has 1.7x more major issues than human-written code (CodeRabbit, 2025)
  • 45% of AI-generated code introduces security vulnerabilities (Veracode)
  • Developers report being 19% slower with AI despite believing they’re 20% faster (METR study)

The problem isn’t that AI writes bad code. It’s that AI writes code that looks right and works right — until you look deeper. The architecture is often shallow, the tests cover the easy cases, the types are loosened to make things compile, and the dependencies aren’t audited.

That’s why a vibe code audit matters — not to replace AI, but to catch what it misses.

Vibe coding is a legitimate way to build software. But it needs a quality check. Same way a building inspector checks a house even when the contractor says it’s finished.

What to do if you’ve vibe-coded your MVP

  1. Run a code health check now, not later. The longer you wait, the more code gets built on top of shaky foundations. Problems compound.

  2. Focus on security first. Dependency vulnerabilities and misconfigurations are the highest-risk, lowest-effort fixes. Most are one-line version bumps.

  3. Add tests to your critical paths. Not everything — just the flows where bugs cost you money or users.

  4. Break up large components. If any file exceeds 500 lines, it’s a maintenance risk. AI tools will happily refactor these for you — you just need to ask.

  5. Use the findings to improve iteratively. The builder went from 68 to 76 in one round. The next round will push higher. The goal isn’t perfection — it’s visibility into where you stand.

