Will It Vibe?
SEC-018Low severity-4 points

No input validation library

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

An API server dependency (Express/Fastify) was found with no schema-validation library for incoming request data.

Why it matters

Without schema validation, every route trusts that request bodies and query strings have the right shape, so a missing field or wrong type surfaces as a 500 or a bad database write. Malicious extra fields also flow straight through to your models. A validation layer turns all of that into clean 400 responses.

How to fix it

Add a schema library (zod fits TypeScript projects well; joi, yup, or express-validator also work) and validate at the route boundary: parse req.body, req.query, and req.params before your handler logic runs, and use the parsed result rather than the raw request. Start with the routes that write to the database.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks