App / Code Auditing For Repls (Apps)

Hello folks :waving_hand:

I’ve been building a handful of projects for a while now, and I’ve finally reached the stage where I need actual code audits.

I use the security scanner and it does help. It catches little things like minor injection issues, the occasional DOM quirk, and the chaos I create when I pull pieces of code out to test loops. It also does a nice job reminding me when packages need updating.

But AI is not a real code auditor. Not right now. Not consistently. Maybe eventually, if someone manages to perfect an audit service around it. At this moment it is not reliable enough to trust with something as serious as reviewing an entire codebase. And the professional audits that big companies can afford are not realistic or accessible for most of us vibecoding on Replit.

And speaking of vibecoding, the whole environment feels a lot like 1970s Woodstock.

:rainbow: Everyone is sharing everything

:guitar: Everyone is experimenting

:sparkles: Everyone is relaxed

And nobody seems too worried about safety or guardrails. Production code is being treated like a communal drum circle, and I am not innocent either. That really does seem to be the shared vibe right now.

I love collaboration and open development. It is exciting and motivating to work that way. But ignoring security is how people “peace and love” themselves straight into a breach.

It is how vulnerabilities slip through unnoticed or how features get misused in ways we did not expect. And the risk increases when your applications rely on real paid APIs.

For example, one of my apps uses the OpenAI API as a fallback. Not the chat interface. The actual platform that charges per request. Just like Replit, it requires you to keep an active payment method on file.

Now imagine someone malicious finds a weakness and suddenly you are the one paying for their endless joyride through your API calls. A real human audit might have spotted the issue before it turned into a problem.

Most of what we build on Replit ends up being real applications. Some are full stack. Some are full PWAs running entirely in the browser. With that comes tunnel vision. Anyone who has stared at their own code for too long knows exactly what I mean. After a while you feel like you are floating somewhere outside your own body. It is the programming equivalent of the old conspiracy theories about government grade LSD. I am joking, mostly. No I’m not.

And when you are a one person team jumping between several languages, especially ones you are still learning, blind spots are not optional. They are guaranteed.

Questions:

Where do you all go for real, trustworthy, human code audits?

(If you have worked with anyone or any service that genuinely helped, I would love to hear about it.)

And if nobody here has found a reliable option, maybe it is time for this community to build something together. We could create a small audit group similar to our own USAA, except instead of insurance we help review and protect each other’s code.

People could audit in the languages they know best. Workloads could rotate. Everyone would benefit and nobody would get financially crushed in the process.

This is where confidentiality matters. If people are going to audit each other’s code, there should be simple boilerplate NDA agreements available for anyone who wants them. Not everyone is comfortable sending their unreleased work or private repo links into the wild. Some folks also prefer sharing source files privately before anything is public, because all kinds of vulnerabilities can be spotted immediately in static front end code if someone knows what they are doing (you can open the Java Console in the web browser and sift the entire codebase)…

Until a project is fully reviewed and ready, privacy and controlled access are part of staying responsible.

I also have a few apps that I would genuinely consider sharing publicly and maybe even shipping as mobile releases on the app stores if they were properly audited by real humans first. I would want to make sure any vulnerabilities are addressed and maybe even refine or remove the need for API fallbacks in certain areas so the apps could stay cheap enough to run without ever needing monetization through ads.

Clear ways to protect intellectual property or proprietary code, such as boilerplate documents and basic contracts, would be incredibly useful too.

If this post is well received, maybe I will make another one focused on that topic.

Thanks for any pointers.


(post deleted by author)

(post deleted by author)

Steve answers a lot of questions on this forum and has individually gone out of his way to help a lot of people out here.

Also, there are way easier ways to use non-Replit agents, like the SSH tool or just running in the shell.


I want human auditors, my friend, humans…

Did not delete.

This was the OP objective lol

(post deleted by author)

(post deleted by author)

(post deleted by author)

@kody-replit @FranciscoCM


(post deleted by author)

(post deleted by author)


not sure if this helps, but the secrets held by replit should be fairly secure. on my https://reels2.recipes app i purposefully limited the number of recipes that could be generated to 10 per day based on the ip address.


That does help, and it is a good idea.

However, I have personally learned how to bypass certain IP barriers, and it made me realize how easily a clever actor could still exploit things.

Especially if they are not your friend. Most people who look for vulnerabilities are not doing it with good intentions. That is exactly why we talk about white hats, gray hats, and black hats.

For better or worse, I have experimented in the gray-hat space just to understand how these things work, and applying that knowledge to my own projects has been humbling.

There will always be people out there with skills far beyond your own. That is where humility becomes essential, and why real human reviews, outside audits, and second opinions matter far more than people think.

Btw… If you ever want me to take a look at your setup in a controlled and ethical way, let me know. I am not promising anything, and I am not claiming it is even possible with your system. I simply know that tunnel vision is our biggest enemy, and sometimes you need a neutral set of eyes to test whether things are as secure as they appear.

To be clear, I would only attempt anything with your full consent and only in a safe, coordinated environment. I would never use your generosity or your shared app link as an attack vector.

If you wanted me to try anything, it would require explicit permission and clear boundaries to make sure nothing results in unexpected charges or financial risk.

If you are open to a small, controlled experiment where I attempt to bypass an IP-based restriction using something like a VPN or similar technique, I am willing to try it. Only if the scope is defined, the parameters are safe, and the cost is capped at something small enough that I could reasonably cover or split with you.

I am offering this because it is always better to find weaknesses under controlled conditions than to discover them while you are on vacation and wake up to eleven hundred dollars in surprise usage fees from someone you have never met.

It’s why I secretly started liking how you can put off paying Replit subscriptions, and your apps go down until you do… At least for a one member team like me.

It means I can take my vacation, not have to unpublish everything, then when I’m back and clear headed I can make my subscription payment and bring things back online.

Obviously, this isn’t helpful if you have such a heavy user base, and/or they heavily rely on your services or use them every day. Although, if that were the case you’d more than likely have it set up differently, and you’d probably have trusted members (or a member) to provide services while you’re away or monitor it for you. Otherwise, perhaps you’re a real risk taker, or you don’t mind monitoring it while on vacation.

If that’s the case though, I’d argue that you are not on vacation then :wink:… you would just be working in a different place!

An attacker with malicious intent will not (normally) say “I’ll wait to attack until they get back from vacation”. That would be ideal, however, more than unlikely…

Instead they’ll attack you when you are on vacation. If that happens… Well… You could be on the phone with credit card companies trying to determine real charges from fake, and there goes the vacation…

And again, I am not saying it is possible or that I could succeed. It may be locked down perfectly. I am simply offering to run through it as a controlled, educational trial.

Your method is still useful though. I am just adding another perspective.
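Two points from this thread fit together: the earlier reply caps generations at 10 per IP per day, and the later reply notes that IP-based limits can be worked around and that the real damage is surprise usage fees on a pay-per-request API. The sketch below is an added example, not code from either poster's app or from Replit: it keeps the per-IP daily quota from the thread and adds a second, independent guard, a hard daily spend cap, so that rotating through many addresses still cannot run up an unbounded bill. The budget figures, the per-call cost and the client identifiers are all constructed for the example.

```python
"""Per-IP daily quota plus a global daily spend cap (defence in depth).

Added example, not code from the thread's apps. The 10-per-IP-per-day figure
comes from the thread; the budget and per-call cost below are assumptions.
Costs are tracked in integer cents so repeated additions cannot drift.
"""
from collections import defaultdict

SECONDS_PER_DAY = 86_400


class QuotaGuard:
    """Decide whether one more paid upstream call may be made.

    Two independent checks, either of which can deny a request:
      1. per-IP daily quota (the limit described in the thread);
      2. global daily budget, which bounds the bill even when the per-IP
         quota is sidestepped by spreading requests over many addresses.
    """

    def __init__(self, per_ip_daily=10, daily_budget_cents=500, cost_per_call_cents=2):
        self.per_ip_daily = per_ip_daily              # from the thread
        self.daily_budget_cents = daily_budget_cents  # assumed: $5.00/day hard cap
        self.cost_per_call_cents = cost_per_call_cents  # assumed: $0.02 per call
        self._ip_counts = defaultdict(int)
        self._spent_cents = 0
        self._day = None

    def _roll_day(self, now):
        """Reset all counters when the UTC day number changes."""
        day = int(now // SECONDS_PER_DAY)
        if day != self._day:
            self._day = day
            self._ip_counts.clear()
            self._spent_cents = 0

    def check(self, ip, now):
        """Return (allowed, reason). Call this *before* the paid request.

        `now` is a Unix timestamp passed in explicitly so the behaviour is
        deterministic and testable; a real handler would pass time.time().
        """
        self._roll_day(now)
        if self._ip_counts[ip] >= self.per_ip_daily:
            return False, "ip_quota_exceeded"
        if self._spent_cents + self.cost_per_call_cents > self.daily_budget_cents:
            return False, "daily_budget_exhausted"
        # Only charge the quota and budget once the call is actually allowed.
        self._ip_counts[ip] += 1
        self._spent_cents += self.cost_per_call_cents
        return True, "ok"

    def spent_cents(self):
        return self._spent_cents


def simulate_rotating_clients(guard, n_clients, calls_per_client, now):
    """Constructed scenario: many distinct client addresses, each staying
    under the per-IP quota. Returns (allowed, denied) totals; with the
    default settings the budget cap, not the IP quota, is what stops it."""
    allowed = denied = 0
    for i in range(n_clients):
        client = f"client-{i}"  # constructed identifier standing in for an IP
        for _ in range(calls_per_client):
            ok, _reason = guard.check(client, now)
            if ok:
                allowed += 1
            else:
                denied += 1
    return allowed, denied


if __name__ == "__main__":
    g = QuotaGuard()
    print(simulate_rotating_clients(g, n_clients=100, calls_per_client=9, now=1_000.0))
    print("spent cents:", g.spent_cents())
```

The design point is that the two limits fail independently: the per-IP quota protects against one noisy client, while the budget cap bounds the worst case regardless of how many addresses the traffic comes from. Once the cap trips, the service degrades (the fallback is simply unavailable until the day rolls over) instead of the owner's card absorbing the difference.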