From the team.

Thoughts on AI security, what we're building, and where this is going.

April 16, 2026

Auditing a real app: what Snitch found in vibeHealth

We pointed Snitch at vibeHealth, a Next.js healthcare app written almost entirely with AI assistance. Seven findings in four categories. Two of them were severity Critical. Here’s what the scan returned, what Snitch does with findings like these, and why this kind of audit needs to exist in the age of vibe coding.

7 findings, 2 critical, 4 of 8 new categories hit, 0 false positives.

What the scan found

Four representative findings from the run:

  • Critical: Cloud metadata SSRF (app/api/appointments/route.ts:47)

    An endpoint fetched a user-supplied callback URL with no validation. With @aws-sdk/client-s3 in the stack, an attacker could redirect that fetch at the AWS metadata endpoint and exfiltrate IAM credentials.

  • Critical: Malicious install-script pattern (package.json:6)

    The preinstall script silently curled an external URL and swallowed failures. If that host is ever compromised or name-squatted, every developer and CI machine runs whatever it returns — with failure hidden behind `|| true`.

  • High: ReDoS in email validator (app/api/validate/route.ts:6)

    An email regex used nested quantifiers — the classic shape for catastrophic backtracking. One crafted request can pin the event loop and stall the process.

  • High: Prototype pollution via user JSON (app/api/validate/route.ts:23)

    Object.assign was given a JSON-parsed user object. That path invokes the __proto__ setter, polluting Object.prototype for every other request the worker handles.
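An added example (not vibeHealth's code and not part of Snitch) showing the merge shape behind the prototype-pollution finding beside a guarded parse that never lets the dangerous keys through; the function names and the sample request body are constructed here:

```javascript
// Added example, not code from vibeHealth or from Snitch: the merge shape
// behind the prototype-pollution finding (Object.assign over a JSON-parsed
// user object) next to a guarded merge. Names (mergeUnsafe, mergeSafe,
// parseUserJson, inheritedOnly) and SAMPLE_BODY are invented for this example.

const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable shape: the parsed body is copied straight onto a target.
// JSON.parse stores "__proto__" as an ordinary own property, but Object.assign
// copies it with [[Set]], which reaches the inherited __proto__ setter and
// swaps the target's prototype for the attacker-controlled object.
function mergeUnsafe(target, userJson) {
  return Object.assign(target, JSON.parse(userJson));
}

// Guarded parse: the reviver runs for every key at every depth, and returning
// undefined deletes that property, so the dangerous keys never exist in the
// parsed tree.
function parseUserJson(userJson) {
  return JSON.parse(userJson, (key, value) =>
    DANGEROUS_KEYS.has(key) ? undefined : value
  );
}

// Hardened merge: parse with the reviver, then copy only own keys of the
// sanitised tree, with a second key check as a belt-and-braces measure.
function mergeSafe(target, userJson) {
  const parsed = parseUserJson(userJson);
  for (const key of Object.keys(parsed)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    target[key] = parsed[key];
  }
  return target;
}

// Did the merge reach the setter? True when a value is visible on the object
// but is not an own property, i.e. it arrived through the prototype chain.
function inheritedOnly(obj, prop) {
  return prop in obj && !Object.prototype.hasOwnProperty.call(obj, prop);
}

// Constructed sample body in the shape the finding describes.
const SAMPLE_BODY = '{"name":"alice","__proto__":{"isAdmin":true}}';
```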

What Snitch does with a finding

Every finding in the report carries the same payload: file path, line number, the exact code evidence, the risk in plain language, a concrete fix, and CWE, OWASP Top 10:2025, and CVSS 4.0 tags. No hand-waving. If Snitch cannot show you the vulnerable line, it does not report it — that rule is baked into the skill itself.

After the report is displayed, Snitch offers to fix findings one by one or in a batch. Scanning and fixing are always two phases. The scan is read-only. Nothing touches your files until you pick a fix and confirm it.

Why Snitch exists

AI coding tools write most of the code now. They’re fast, they’re capable, and they’re good enough that the demo always works. But demos aren’t the failure mode. The failure mode is the webhook that doesn’t verify signatures, the callback URL that is never validated, the regex that looks like email validation but is actually a denial-of-service switch.

Traditional scanners drown you in 500 findings. Ad-hoc AI review prompts miss the structural classes of bugs. Snitch sits in the middle — 68 structured categories, evidence-first reporting, contextual false-positive suppression. First line of defense for code that was vibe-coded into existence in the first place.

One audit, every model you vibe with

Vibe coding isn’t one model anymore. Developers reach for whichever frontier model is best at the task in front of them. Snitch runs inside all of them:

  • Claude Opus 4.7 — inside Claude Code
  • OpenAI Codex 5.4 — inside Codex CLI
  • Gemini 3.1 Pro — inside Gemini CLI

Same catalog, same evidence requirements, same fix flow — whichever model you’re pairing with. The vibeHealth audit you just read was executed by Claude Opus 4.7. The exact same scan, run by Codex 5.4 or Gemini 3.1 Pro, produces the same findings.

Snitch is a security audit plugin that runs inside your AI coding tool. 68 categories, evidence for every finding, works with 30+ tools. Get it at /plugin.

April 16, 2026

Snitch 7.1 — 8 new security categories

Snitch 7.1 is live. Eight new security categories, bringing the catalog to 68, rolled out to every plan. If you have Snitch installed today, the upgrade is one command.

What’s new

These target the classes of bugs we kept seeing in audits without a dedicated check for them:

  • ReDoS: regex patterns that hang your server on crafted input
  • Prototype Pollution: __proto__ and deep-merge attacks through user JSON
  • JWT Algorithm Attacks: signature bypass and algorithm confusion
  • Cloud Metadata SSRF: outbound fetches that leak AWS / Azure / GCP credentials
  • Insecure Deserialization: Python pickle, Java object streams, Ruby Marshal, PHP unserialize, unsafe YAML
  • Typosquatting & Install Scripts: lookalike package names and suspicious postinstall hooks
  • Type Coercion Bypasses: loose equality in auth paths, non–constant-time password comparisons
  • Agent Prompt Injection: RAG and tool-use patterns that let untrusted data steer the model

Every category ships with the same evidence requirements as the rest of Snitch — file path, line number, the exact code, a fix, and OWASP / CWE tags. No hand-wavy warnings. If Snitch can’t show you the vulnerable line, it won’t report it.

Every plan gets every category

Free, Base, Pro, and Enterprise all include the full catalog. Upgrade if you need more rulesets, more projects, or higher limits — not for category access.

How to upgrade

Check your original purchase email and run the install command you received. It pulls the latest version automatically:

curl -sL https://snitchplugin.com/x/YOUR_TOKEN.sh | sh

Prefer a manual upgrade? Open the license link from your purchase email — it has a fresh ZIP and the install command for your token. Re-run install.sh in the same directory and your custom rules and config stick around.

March 2026

Why we built Snitch

AI coding tools write most of the code now. They’re fast, they’re good, but they learned from tutorials that cut corners. The code compiles, the tests pass, and the demo looks great. But nobody checked whether the webhook verifies signatures, whether the session token expires, or whether the admin route actually checks permissions before returning data.

We built Snitch because someone needs to check the code after the AI writes it. Not with a 500-finding scanner that drowns you in noise, but with structured categories that produce findings you can actually act on. 68 categories, evidence for every finding, works inside the tool you’re already using.

The goal was never to replace security teams. It was to catch the things that slip through when code gets written faster than anyone can review it. Snitch is the first pass — the one that makes sure the obvious stuff doesn’t ship.

April 2026

30+ tools and the Agent Skills standard

When we started, Snitch worked with 14 tools. Each one had its own way of loading skills — different directories, different formats, different conventions. We maintained separate configs for Claude Code, Cursor, Copilot, and every other tool that wanted to integrate. It worked, but it didn’t scale.

14 → 1 integrations; 30+ tools supported.

Then the Agent Skills open standard happened. Now a single SKILL.md file works across 30+ AI coding tools. We adopted the spec, and suddenly Snitch runs in tools we’ve never even tested on. That’s the power of an open standard — you write the skill once, and every tool that implements the spec gets it for free.

We went from maintaining 14 tool-specific integrations to maintaining one file. The install script detects which tools you have, drops the skill into the right directory, and you’re done. One command, every tool.

April 2026

Snitch and Claude Mythos

Anthropic announced Project Glasswing and Claude Mythos this week. A model that finds decades-old kernel bugs for $50. The benchmarks are staggering, but what caught our attention wasn’t the raw capability — it was what happens when you pair that capability with structured guidance.

We’ve been building a 74-category client specifically for Mythos — deep reasoning analysis, real-time exploit chain detection, and contextual severity scoring. When models get smarter, the structured framework that guides them gets more valuable, not less. A more capable model doesn’t need less structure. It needs better structure so it can apply that capability to the right problems.

We applied to Project Glasswing because we think structured scanning and a more capable model are a natural fit. Snitch gives the model the categories, the evidence format, and the audit methodology. Mythos brings the reasoning depth. More at /mythos.