← Blog · April 9, 2026

Secure review of AI-generated code

Models optimize for plausible-looking code, not your threat model. Security review therefore needs explicit prompts—for humans. Use this layered approach alongside Vibe Kanban’s code review UI so nothing merges without a diff-backed decision.

Layer 1: obvious foot-guns

• Hard-coded API keys, tokens, or private URLs.
• Disabled TLS verification or “temporary” curl | bash patterns.
• Overly broad CORS, eval, or dynamic code paths.

Layer 2: application security

• Injection risks in SQL, shell, and template paths.
• Authorization checks on new endpoints or background jobs.
• File uploads and path traversal in new handlers.

Layer 3: supply chain

New dependencies should justify their footprint. Pin versions where your policy requires it, and run existing SCA tools in CI—agents will not replace those gates.

For a general merge checklist, see AI code review checklist. For org-wide rollout, pair with team AI coding playbook.