
Good Vibes, Bad Code? Vibe Coding and How to Secure It with Hopper

AI coding assistants are speeding up development by generating open-source code on the fly. But with that speed comes risk. Unpack how vibe coding expands your attack surface and how Hopper helps you secure what actually matters, down to the function level.

Published on
May 15, 2025
Written by
Valerie Zargarpur

AI Is Writing Your Code. Is Your Security Stack Ready?

Welcome to the era of vibe coding. If open source shaped the last generation of software, AI-generated code is reshaping the next. Tools like GitHub Copilot, ChatGPT, and Cursor are accelerating development by suggesting entire blocks of code, much of it sourced from public OSS repositories. It’s fast, fluid, and productive. But it’s also opaque and risky.

The Rise of Vibe Coding

The term vibe coding was coined by Andrej Karpathy, former Tesla AI director and founding member of OpenAI. In a February 2025 tweet, Karpathy described a new coding paradigm where “you no longer write code line by line… you vibe with it.”

This shift is already happening:

Developers are now shipping AI-suggested code with minimal oversight. But speed without oversight introduces new kinds of risk.

AI-Suggested Code Still Comes with OSS Risk

AI assistants rarely invent code from scratch. Instead, they remix and suggest existing code patterns, often pulled from popular open-source projects. This creates two problems for AppSec teams:

  1. Unknown provenance: It’s unclear where the code came from or what dependencies it includes.
  2. Expanded surface area: Suggested code often pulls in new libraries behind the scenes, some of which may be outdated, vulnerable, or non-compliant.

In short, AI is making OSS usage more implicit and harder to track. That doesn't reduce open-source risk; it multiplies it.

The Problem: AI-Generated Code is Outpacing Security

AI assistants are excellent at reusing open source code. But they typically don’t expose where that code originated, what it depends on, or whether it’s safe. This introduces blind spots and accelerates exposure.

This shift brings a familiar set of software supply chain risks, but at a dramatically increased pace and scale:

  • Unpatched or end-of-life OSS packages
  • Deep transitive vulnerabilities
  • Non-compliant licenses
  • Shadow dependencies (such as renamed or obscured libraries)
  • Malicious packages
  • Exploitable CVEs hidden in generated snippets
  • Lack of visibility into AI or LLM usage
  • Malicious and vulnerable AI models

To be clear, these risks are not new. Developers have long copied code from StackOverflow or added dependencies manually. What has changed is the speed and volume. AI-generated code introduces entire libraries and dependency trees with a single suggestion, often without any visibility or oversight.

Traditional SCA tools were built for slower, human-paced workflows. They assume developers explicitly add and review dependencies. Vibe coding bypasses those expectations. Code is suggested and accepted in seconds, and with it comes an expanding attack surface. Security teams are left overwhelmed by alerts and unclear on what actually needs attention.

The Shift Security Needs to Make

The way code is written has fundamentally changed. Developers are no longer manually choosing every library or reviewing each dependency. Instead, they are working alongside AI assistants that suggest and generate code, often including open-source components, without review, provenance, or clear visibility.

This shift from human-curated development to AI-accelerated generation breaks the assumptions that most security tooling is built on. Older models relied on centralized control, predictable workflows, and slow release cycles. That world is gone. Code now enters the stack quickly and quietly, with risk embedded by default.

Security teams can no longer afford to react after the fact. To keep up, they need precision, visibility, and automation that operates at the same speed as AI-generated development.

Hopper Helps You Regain Control in a Vibe-Driven, OSS-Powered World

In the vibe coding era, developers aren’t selecting open-source packages — they’re inheriting them through AI suggestions. These code paths often bypass traditional processes. Security tools must adapt, not by generating more alerts, but by understanding what’s actually being built and deployed.

Hopper brings visibility and control back to security teams by addressing the realities of modern development:

Function-Level Reachability

Most SCA tools stop at the package level. They flag vulnerabilities based solely on whether a dependency exists in your codebase. Hopper analyzes vulnerabilities and code paths down to the function level, so you can see exactly which vulnerabilities are reachable and exploitable in context. That precision helps teams reduce noise and prioritize what matters.
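To make the package-level versus function-level distinction concrete, here is an added example (not Hopper's code or analysis engine) that walks a Python module's call graph from main(): the package-level check flags the module merely because it imports the hypothetical package yamlish, while the function-level check reports the vulnerable unsafe_load() only when it sits on a call path actually reached from the entrypoint. The package name, the vulnerable function and the advisory data are all constructed for the example.

```python
import ast
from collections import defaultdict, deque

# Constructed sample module. "yamlish" is a hypothetical package; its
# unsafe_load() stands in for the one function an advisory marks vulnerable.
SAMPLE_SOURCE = '''
import yamlish
def parse_config(text):
    return yamlish.safe_load(text)
def legacy_import(text):
    return yamlish.unsafe_load(text)
def main():
    return parse_config("a: 1")
'''
# Hypothetical advisory data: (package, function) pairs that are vulnerable.
VULNERABLE_FUNCS = {("yamlish", "unsafe_load")}

def build_call_graph(source):
    """Return (imported packages, {function: callees}); callees are 'pkg.attr' or a local 'name'."""
    tree = ast.parse(source)
    imports = {alias.name for node in ast.walk(tree)
               if isinstance(node, ast.Import) for alias in node.names}
    graph = defaultdict(set)
    for fn in (n for n in tree.body if isinstance(n, ast.FunctionDef)):
        for node in ast.walk(fn):
            f = getattr(node, "func", None)  # only ast.Call nodes carry .func
            if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
                graph[fn.name].add(f"{f.value.id}.{f.attr}")
            elif isinstance(f, ast.Name):
                graph[fn.name].add(f.id)
    return imports, graph

def package_level_findings(source):
    """Package-level SCA view: flag every vulnerable package that is imported at all."""
    imports, _ = build_call_graph(source)
    return sorted({pkg for pkg, _ in VULNERABLE_FUNCS if pkg in imports})

def reachable_vulnerable_calls(source, entrypoint="main"):
    """Function-level view: vulnerable callees that lie on a call path from entrypoint."""
    _, graph = build_call_graph(source)
    seen, queue, hits = {entrypoint}, deque([entrypoint]), set()
    while queue:
        for callee in graph.get(queue.popleft(), ()):
            pkg, _, attr = callee.partition(".")
            if (pkg, attr) in VULNERABLE_FUNCS:
                hits.add(callee)
            elif callee in graph and callee not in seen:  # local function: keep walking
                seen.add(callee)
                queue.append(callee)
    return sorted(hits)
```

On the sample module the package-level check reports yamlish while the function-level walk reports nothing, because unsafe_load() lives only in dead code; rewiring main() to call legacy_import() makes the same function-level walk report it.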

Automatic Asset Discovery

In AI-assisted workflows, developers spin up new components, services, or repos without following traditional onboarding or registration processes. Hopper continuously monitors your Git environment to identify and track new assets as soon as they appear. This ensures that AI-generated code (and the open-source dependencies it includes) never slips through the cracks.

Agentless, Read-Only Integration

Many AppSec tools were built assuming deliberate, centralized control over the SDLC. But AI-driven development moves faster and is less predictable. Hopper connects to your Git provider with read-only access, giving you instant visibility without needing to configure pipelines, deploy agents, or involve DevOps.

Context Developers Can Act On

Vibe coding favors speed and flow, but that can leave engineers with little context about where a dependency came from or why it's risky. A long list of CVEs is not helpful. Hopper provides contextual, evidence-based insights, showing which functions are vulnerable, whether, where, and how they're called, and what the impact would be. This builds trust and shortens remediation cycles.

The Bottom Line

AI isn’t the enemy of secure software, but it is rewriting how software gets built. With code now flowing into production faster, more frequently, and with less human oversight, the traditional ways of managing open-source risk no longer hold up.

Vibe coding has shifted the burden onto security teams to keep pace with invisible decisions made by AI assistants. That means you need more than just detection. You need to know what’s real, what’s reachable, and what’s worth fixing.

Hopper gives you that clarity. By analyzing vulnerabilities at the function level, automatically discovering new assets, and eliminating noise from false positives, it helps teams secure AI-generated code without slowing innovation.

Don’t just scan code. Understand it. Secure it. With Hopper.

Valerie Zargarpur
VP of Marketing

Val is the VP of Marketing at Hopper, where she leads brand, launch, and go-to-market strategy. She brings over 15 years of experience across B2B cybersecurity and B2C experiential marketing. Based in Northern VA with her daughter, she’s a dog lover and puzzle solver who’s always hunting down the best Korean BBQ and tacos.
