The AI-generated code security checklist

AI ships features fast and risk faster. Run through this checklist before you ship AI-written code, and automate it so it runs on every change, not just when you remember.

1 repo · setup in about 5 minutes · no card, no commitment

01

Secrets and credentials

The single most common AI mistake is exposing a key. Check:

  • No API keys, tokens, or passwords hardcoded in source
  • No secrets returned from any route, including health and debug endpoints
  • Secrets loaded from environment or a vault, not committed files
  • No credentials leaked into logs, error messages, or agent rules files

02

Authentication and access control

AI often forgets the check that should gate an action. Check:

  • Every sensitive endpoint requires authentication
  • Authorization is enforced, not just authentication (the right user, not just a user)
  • Admin and internal routes are not reachable without a session
  • Access control still holds under real requests, not only in code

03

Dependencies

AI picks libraries no human vetted. Check:

  • Every dependency actually exists upstream (no hallucinated packages)
  • No typosquatted or slopsquatted package names
  • No known-vulnerable or abandoned libraries
  • License risk is understood

04

Input handling and tests

Plausible code can still be unsafe and unproven. Check:

  • User input is validated before reaching a query, command, or file path
  • Tests exercise real behavior, not just assert truthy
  • Edge cases and error paths are covered, not only the happy path

05

Runtime

Some risk only appears when the app runs. Check:

  • Rate limiting and abuse protection actually fire
  • Security headers and CORS are configured
  • User journeys behave safely under real conditions

06

Automate the checklist

A checklist you run by hand gets skipped under deadline. Enji Guard runs every item above on a schedule across your repo and the app it powers, ranks what matters, and returns findings as reviewable GitHub issues or pull requests.

Quick questions

Can I run this checklist automatically?

Yes. Connect a GitHub repo and Guard runs the whole checklist on a schedule, so it covers every change instead of relying on someone remembering before a launch. The first audit is free.

Do I need to be technical to use the results?

No. Findings are explained in plain language, what is wrong, who can reach it, and what it costs, so a founder can act and an engineer can verify.

Turn the checklist into an automatic audit.

Connect a repo and Guard runs every item on a schedule. No card.