ismycodesafe.com
DIGITAL PRODUCT · INSTANT DELIVERY

Ship AI-generated code without shipping AI-generated vulnerabilities.

A 62-item checklist, 18 prompts you paste into Cursor / Claude Code, a working GitHub Actions workflow, and a security review template. Built from 500+ scans per month of real AI-coded apps.

$19 → $99·Lifetime updates·14-day refund·By Roy Morken

Why this exists

Most AI-coding incidents in 2025-2026 are not novel attacks. They're the classics generated faster:

  • · Secrets committed because the model dropped a .env into the diff.
  • · SQL injection from an f-string the model wrote in 4 lines.
  • · Auth checks missing on a route that didn't exist last week.
  • · Wildcard CORS on an API the model bolted on in an evening.
  • · Typo-squatted dependencies the model "helpfully" imported.

The free OWASP top 10 tells you what to worry about. This tells you what to do about it - as part of how you actually work with AI tools.

Pick a tier

All tiers include lifetime updates and a 14-day refund. Buy the smallest one that fits - upgrade later if you need more.

You picked
Pro - $49

Secure checkout via Stripe. Instant delivery. 14-day refund if it's not useful.

What's in the checklist

8 sections, 62 items. Excerpts below; the full PDF is what you'll get.

1. Before you prompt

  • Define the threat model in one sentence
  • Pin framework + version in the prompt
  • Add "no new dependencies unless I approve them" to the system prompt

2. Prompt hygiene

  • Never paste real secrets, customer data, or prod logs into a prompt
  • Don't ask for "a secure X" - specify constraints
  • Don't merge code you can't explain line by line

3. Secrets & credentials

  • Secret scanner on every diff before merge (gitleaks / trufflehog)
  • Tokens with prefix sk-, ghp_, glpat-, AKIA are detected by bots within 60 seconds
  • If a secret was ever in git history, rotate it

4. Dependencies

  • Verify every new dep: last publish, weekly downloads, open CVEs
  • Reject deps with <100 weekly downloads unless personally vetted
  • Check package name letter-by-letter (typo-squatting)

5. Input handling & validation

  • Schema validation at every API boundary (zod, pydantic, joi)
  • Parameterize every database query - no f-string SQL
  • Reject any eval(), exec(), Function() on user input

6. Authentication & authorization

  • Use an established auth library - never let the AI roll its own
  • Authorization belongs server-side; React render checks are not access control
  • Hash with bcrypt / argon2 / scrypt at default cost - no SHA-256

7. Logging & errors

  • Log every auth failure, every 403, every unhandled exception
  • Never log full request bodies, passwords, tokens, full emails
  • Return generic errors to users; verbose only in server logs

8. Before you deploy

  • Headers + TLS + sensitive-paths scan
  • /.env, /.git/config return 404
  • Rate limits on /login, /signup, /api/*

The prompt pack (Pro + Team)

18 prompts paste-ready into Cursor / Claude Code / your AI assistant. Here's one verbatim:

# Security review of a diff Use when: Before merging an AI-generated PR. You are a senior application security engineer reviewing this diff for a production web app. List concrete vulnerabilities only - no style notes, no praise. For each finding: file:line, severity (Critical/High/Medium/Low), OWASP category, and the exact one-line fix. If you find nothing, say "no findings" - do not invent issues. Diff follows: {DIFF}

17 more like this in the bundle. Threat modeling, refactor without behavior change, find missing validation, race conditions, CORS audit, CSP generation, dep sanity check, before-deploy gate, more.

The GitHub Actions workflow (Pro + Team)

Drop into .github/workflows/ai-safety.yml. Runs on every PR: gitleaks (secrets), npm/pip/govulncheck (dependencies), Semgrep (SAST), and posts a structured review reminder.

name: ai-safety on: pull_request: branches: [main, master, develop] jobs: secret-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - name: Run gitleaks uses: gitleaks/gitleaks-action@v2 # ... [truncated - full file in bundle]

Frequently asked questions

Who is this for?

Developers shipping code generated with Cursor, Claude Code, Copilot, or any other AI coding assistant. Solo devs to small teams. Especially useful if you're shipping to production weekly and don't have a dedicated security engineer.

How is this different from a free OWASP checklist?

OWASP is a reference. This is a workflow. The checklist is paired with production-tested prompts you paste into Cursor / Claude Code, a GitHub Actions workflow that gates every PR, and a security review template you drop into your PR description.

What's the refund policy?

14-day, no-questions-asked refund. Email roy.morken@gmail.com and you'll get the money back the same day.

Are updates included?

Yes. All tiers include lifetime updates. When the prompts, workflow, or checklist get a new version - which happens every few weeks as new AI tools and patterns emerge - you'll get an email with the new download link.

Can I share this with my team?

Basic is personal use. Pro is one developer. Team is licensed for up to 5 developers in your organization. If you need more seats, email roy.morken@gmail.com.

What format is delivered?

A single ZIP file: PDF checklist, before-you-deploy PDF, prompt pack (Markdown), GitHub Actions YAML, security review template, and on Team the onboarding playbook + license. Instant delivery after Stripe confirms payment.

Why should I trust this guy?

Roy Morken built ismycodesafe.com, ran the YC Security Audit 2026 (100 YC companies scanned), and pushes 500+ scans/month against real production apps. The checklist is built from those scans plus incident retros - not from a generic OWASP cheat sheet.

Stop hoping your AI code is safe.

Know it is. Buy the bundle. Run it through your next PR. If it doesn't catch something within 14 days, you get your money back, no questions.

Get the Pro bundle - $49