The AI-generated code security checklist
AI ships features fast and risk faster. Run through this checklist before you ship AI-written code, and automate it so it runs on every change, not just when you remember.
1 repo · setup in about 5 minutes · no card, no commitment
01
Secrets and credentials
The single most common AI mistake is exposing a key. Check:
- No API keys, tokens, or passwords hardcoded in source
- No secrets returned from any route, including health and debug endpoints
- Secrets loaded from environment or a vault, not committed files
- No credentials leaked into logs, error messages, or agent rules files
02
Authentication and access control
AI often forgets the check that should gate an action. Check:
- Every sensitive endpoint requires authentication
- Authorization is enforced, not just authentication (the right user, not just a user)
- Admin and internal routes are not reachable without a session
- Access control still holds under real requests, not only in code
03
Dependencies
AI picks libraries no human vetted. Check:
- Every dependency actually exists upstream (no hallucinated packages)
- No typosquatted or slopsquatted package names
- No known-vulnerable or abandoned libraries
- License risk is understood
04
Input handling and tests
Plausible code can still be unsafe and unproven. Check:
- User input is validated before reaching a query, command, or file path
- Tests exercise real behavior, not just assert truthy
- Edge cases and error paths are covered, not only the happy path
05
Runtime
Some risk only appears when the app runs. Check:
- Rate limiting and abuse protection actually fire
- Security headers and CORS are configured
- User journeys behave safely under real conditions
06
Automate the checklist
A checklist you run by hand gets skipped under deadline. Enji Guard runs every item above on a schedule across your repo and the app it powers, ranks what matters, and returns findings as reviewable GitHub issues or pull requests.
Quick questions
Can I run this checklist automatically?
Yes. Connect a GitHub repo and Guard runs the whole checklist on a schedule, so it covers every change instead of relying on someone remembering before a launch. The first audit is free.
Do I need to be technical to use the results?
No. Findings are explained in plain language, what is wrong, who can reach it, and what it costs, so a founder can act and an engineer can verify.
Turn the checklist into an automatic audit.
Connect a repo and Guard runs every item on a schedule. No card.
Enji Guard