I Scanned 42 Public SaaS Startup Repos. 83% Had AWS Key Patterns.
Most of them aren't real keys — but the noise itself is the story. What 42 well-known OSS SaaS repos taught me about how AKIA patterns spread through codebases, and why even an AI-filtered scanner still produces 1,355 findings to triage.

We Ran Semgrep Against Our Benchmark. It Missed Half the Bugs.
A head-to-head comparison on a public labeled corpus of AI-generated code. XploitScan scored 100% F1. Semgrep's community rules scored 62.5%. The gap is almost entirely about template-literal SQL injection.

The CORS Misconfiguration Cursor Generates That Exposes Your API
AI coding assistants produce a CORS configuration that reflects every origin with credentials. Any website the victim visits can silently read their authenticated API responses.

Why Traditional SAST Tools Fail on AI-Generated Code
Semgrep, SonarQube, Snyk, and Checkmarx were built for hand-written enterprise code. Here's why they miss the bugs Cursor, Bolt, and Lovable produce — and what to use instead.

The $10,000 Stripe Webhook Bug Hiding in AI-Generated Code
A walkthrough of the Stripe webhook vulnerability that Cursor, Bolt, and Lovable ship by default — and the 4 lines of code that fix it.

I Scanned a Typical AI-Generated SaaS App. It Had 53 Security Vulnerabilities.
Hardcoded secrets, SQL injection, unprotected Stripe webhooks — here's what AI coding tools get wrong about security, with real scan data.

Why AI-Generated Code Is Insecure (And What You Can Do About It)
45% of AI-generated code contains security vulnerabilities. Learn what AI coding tools get wrong and how to protect your app before you ship.