22 June 2026
Workshop: Where to place your vibe coding guard rails
Last week I hosted workshops for two digital agencies to help them figure out their pain threshold for vibe coded apps. In both cases the need arose when their in-house apps inspired clients to deploy similar, and similarly vibe coded, apps externally.
The problems stemmed from "you don't know what you don't know". In this case, that meant a lack of awareness of the risks of launching an app externally, as opposed to running it locally. From potentially exposing sensitive information to opening up paths for malicious code injection, the joys of vibe coding quickly became a bit of a nightmare for them.
The workshops had five distinct sections:
1. Vibe coding for us, for them and for yourself
A set of helpful points and questions to consider when vibe coding in a professional in-house, external and personal context. Not rules, but guidance and questions to answer together over time.
2. Get the basics right
Fast is fun. Laying the track upon which fast can happen is better.
3. Evaluate and document learnings daily
It's a sure bet that something new will be discovered, learned or thrust upon an unsuspecting vibe coder every single day.
4. How to structure guidelines that your team want to follow and update
Make the information available in the context where it is needed, and do the same for how and where new insights can be added.
5. Encourage and reward vibe coding
The danger was never vibe coding in itself. It's doing it without understanding what could go wrong. Decide what level of risk you are comfortable with, mitigate the rest, and make it possible for more people to dive into the brilliant thing that is vibe coding.
The second of these points is what I want to highlight here, as it applies to everyone vibe coding in their professional roles and at home for their own use. It is also the point that is entirely within everyone's control to make happen.
What you can do, a.k.a. get the basics right
While these won't guarantee rock-solid security on their own, they will at the very least help you start thinking differently (and learning more) about what you put out there.
Pour yourself a cup of coffee/tea and read up on AISVS, The Artificial Intelligence Security Verification Standard. It's not as impenetrable as it sounds. "It gives developers, architects, security engineers, and auditors a structured framework to design, build, test, and verify the security of AI applications throughout their lifecycle [...]."
Use what you already have(-ish):
Claude Code gives you three options:
1. Use the security review command '/security-review' for on-demand checks in your terminal while you're coding.
2. Alternatively, set up GitHub Actions for automatic reviews on pull requests before you start. It certainly kills the immediacy of vibe coding, but learn it once, benefit endlessly!
3. Or install Claude Code's security-guidance plugin "to have Claude review its own code changes for vulnerabilities and fix them in the same session".
OpenAI's Codex offers Codex Security on their paid ChatGPT plans. I've seen this referred to as "built in" but that's not entirely correct. Codex Security is an application-security agent that works with your connected GitHub repositories through Codex Web. It requires "proper" workflows with version control and other things most vibe coders aren't necessarily interested in. But if I could figure it out so can you!
Mistral sadly doesn't offer security-issue detection in the same way as the other two. It does have Leanstral, a code agent that checks code against specifications. It's niche and not really useful in a vibe-coding context, but it came up in both workshops so I decided to mention it here.
Ask your tool of choice to code with security in mind, to explain any exceptions, and to find secure alternatives. In Claude Code, add this to your CLAUDE.md file, which is the place for persistent project-level guidance.
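To make that concrete, here is an added example of the kind of security section you could put in CLAUDE.md. It is my illustration for this post, not Anthropic's template or text from the workshops, and the rules, file names and deployment assumptions in it are placeholders you should adapt to your own project.

```markdown
# CLAUDE.md (example security section, constructed for illustration)

## Security rules for every change
- Write code with security in mind by default. If a secure approach is not
  possible for a task, say so explicitly, explain the exception, and propose
  a secure alternative before writing the less secure version.
- Never hard-code secrets (API keys, passwords, tokens). Read them from
  environment variables and add a placeholder to `.env.example` instead.
- Treat all external input (HTTP parameters, form fields, file uploads,
  webhook payloads) as untrusted: validate it, encode it on output, and use
  parameterised queries for any database access.
- Do not add a new dependency without stating why it is needed and which
  version is pinned.
- Before finishing a task, list any security-relevant decisions you made
  and anything I should review by hand.

## Deployment context
- This app is deployed publicly, not run locally. Assume anyone on the
  internet can reach every endpoint.
```

Keep it short. The point is that the agent is told to surface exceptions and hand you a review list, rather than silently picking the convenient path, and the deployment-context note is exactly the "external, not local" distinction the agencies had missed.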
Hire an engineer for a few hours to review what you created and suggest improvements. If you're vibe coding for a client this should be an absolute given. And even if it's for yourself you'll learn so much by having a pro give you feedback.
Again, these are the bare minimum basics. Like showering and getting dressed in the morning. Use them as your starting point, and think of them as complementary to your other considerations.
If you or your organisation want to benefit from a vibe coding guard rails workshop, let me know at studio@orvet.se or via LinkedIn.