Passing the Vibe Check


Navigating the changing development landscape

Liz Acosta

In February 2025, OpenAI researcher Andrej Karpathy coined the term “vibe coding” on social media. In his post, he described his process for developing a small project — without ever writing any code of his own.

The inception of the term “vibe coding.”

To build his “amusing throwaway weekend project,” Karpathy didn’t even need to touch a keyboard. He used superwhisper, an AI-powered voice-to-text transcription tool, to dictate application requirements to Cursor Composer. Cursor Composer, the AI-powered multi-file code editor and application generator, then translated the dictated instructions into a complete web app. Karpathy adjusted the app with the “dumbest” prompts like “decrease the padding on the sidebar by half” and accepted the changes without reviewing the diffs. When Karpathy encountered an issue that Cursor couldn’t fix, the OpenAI co-founder would just “ask for random changes” until the bug went away.

“It’s not really coding,” he admitted, “I just see stuff, say stuff, run stuff, and copy paste stuff, and it mostly works.” (Emphasis mine.)

Look ma — no typing! A diagram of Karpathy’s vibe coding stack.

But the vibes were anything but good for Leonel Acevedo, CEO of EnrichLead. In March 2025, he posted on social media about the SaaS application he’d built with “zero hand written code,” concluding that everyone else could “continue to whine about it [AI] or start building.” This use of AI contrasts with Karpathy’s “throwaway” project as Acevedo was touting a production-ready SaaS application and implying a different level of robustness and real-world applicability.

Just a few days later, Acevedo posted that EnrichLead was under attack with “random things happening” such as maxed-out API keys, bypassed subscriptions, and corrupted databases. Because Acevedo isn’t technical, it took him longer than he anticipated to debug the code. Eventually he discovered that his vibed code exposed important API keys, making his app vulnerable to attack.

The worst kind of live debugging ever.

Accidentally pushing a hardcoded secret can be seen as a rite of passage for developers. This mistake is so common that GitHub has automatic alerting and remediation for unintentionally publicized keys and tokens; at Sonar, we shifted that check further left by highlighting potential vulnerabilities right in your IDE. With the advent of “vibe coding,” incidents like the one EnrichLead experienced are likely to become more common. While it’s too soon to say if vibe coding will persist, one thing we know for sure is that AI-generated code is here and it’s here to stay.

And it’s just another iteration of the continuously evolving software development lifecycle.

💡 This article is designed to accommodate different learning and reading styles, so feel free to jump ahead.

Vibe coding — or if you prefer a less cringey name, “AI coding” — is “an AI-dependent programming technique where a person describes a problem in a few sentences as a prompt to a large language model (LLM) tuned for coding.” Vibe coding relies exclusively on LLMs to interpret requirements and generate entire applications accordingly.

What tools are used for vibe coding?

The most popular vibe coding tools at the moment are Cursor and Windsurf. Both IDEs use Claude 3.5 Sonnet under the AI hood, but with different features and user experiences.

Cursor and Windsurf use the same LLM under the hood, but each IDE has its own vibes.

What are the benefits of vibe coding?

  • Lower cost of entry: No coding knowledge, no problem! If you’ve got a good, well thought-out idea and can write a decent prompt, the code itself is no longer an obstacle.
  • Higher development velocity: When you can let the IDE handle all of the code, prototyping and iteration cycles become quicker and easier.
  • More room for complex and innovative problem solving: With the burden of writing boilerplate, class setups, basic CRUD operations, and other tedious tasks lifted, developers are free to focus on more high-level logic.
  • A bridge for knowledge gaps: Even the most experienced developer faces the challenges of learning new technology — AI coding can facilitate quicker onboarding by supplying the fundamentals.

Prompting Cursor to generate a Pokédex Flask app …
… and it worked!

What are the disadvantages of vibe coding?

  • Lack of consistency and predictability: It is important to remember that the output of LLMs is not deterministic. This can lead to a codebase with varying styles, structures, and approaches, rendering the code harder to understand, maintain, and debug predictably.
  • An increased risk of bugs, errors, and security vulnerabilities: Because AI doesn’t actually “know” anything, a prompt may generate code with issues that a more experienced developer would know to avoid.
  • Challenges in long-term maintainability and scalability: Without any context, an LLM may produce code that is inconsistent and with no consideration for future optimization.
  • Less developer productivity: AI-generated code may not be well documented, increasing developer toil while trying to refactor, debug, or extend code. Moreover, trying to refine a prompt for a more desired outcome could take more time than just writing the code manually.

The problem with vibes: You probably know better than to include all your styling in your HTML template file … but AI doesn’t!

The software development lifecycle (SDLC) refers to a structured process for designing and building software. It is a rapidly evolving landscape in which, with each iteration, the role of the developer changes and adapts to address the latest challenges in software engineering.

In the earliest “code-and-fix” era, the developer was a lone coder, directly addressing issues as they arose with little formal process. The advent of the Waterfall model transformed the developer into a specialist within a linear process, focusing on specific stages like coding or testing after requirements were defined. Iterative and incremental models then required the developer to become more adaptable, working in smaller cycles and integrating feedback more frequently.

The rise of object-oriented methodologies shifted the developer towards architect and component builder, emphasizing modularity and reusability. The Agile revolution demanded the developer become a collaborative team member, engaging in frequent communication, adapting to changing requirements, and participating in all stages of the sprint. Finally, the Lean and DevOps era positions the developer as an integrated part of the entire delivery pipeline, involved in automation, deployment, and operations, with a broader responsibility for efficiency and reliability.

AI coding signals a new horizon for SDLC, and with that new day comes new opportunities for developers — as long as we’re prepared for them.

The evolution of the developer

By understanding the benefits and disadvantages of AI, you will be better equipped to continue to grow as a developer. After all — you are a developer. You’re smart and learning new technologies is what you do best.

  • Familiarize yourself with AI coding tools for developers. Whether you call it “vibe coding” or “AI coding,” check out the different tools people are using. There’s nothing quite like hands-on experience to learn something new.
  • Vibe, but verify. Get into a good practice of double-checking the AI’s work. With AI doing most of the heavy lifting, your job is more about diligently overseeing and reviewing the code rather than manually composing it. Employing a code quality tool like SonarQube could have prevented EnrichLead’s secret exposure.
  • Embrace the opportunity to think more systematically. With AI handling all the nitty-gritty, you can focus more on solving more complex problems with more innovative solutions. You are more free to be an architect without having to be an expert on each component.
  • Learn how to refine your prompts. LLMs like Claude respond better to clear, concise prompts that explicitly outline what is being requested and what the expected output is. Thinking more strategically about what your requirements are, what kind of design pattern you want to follow, how you are going to test your code, and how you are going to deploy and maintain it will help inform and improve your prompting.
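
To make the hardcoded-secret problem and “vibe, but verify” concrete, here is a minimal sketch of the kind of check a secret scanner runs before generated code is committed. It is an added example, not code from Sonar, GitHub, or EnrichLead; the variable-name pattern, the entropy threshold, and the sample config are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# A name that suggests a credential, assigned a quoted string literal.
ASSIGNMENT = re.compile(
    r"""(?ix)
    \b([a-z0-9_]*(?:api_?key|secret|token|passw(?:or)?d)[a-z0-9_]*)
    \s*[:=]\s*
    (["'])([^"']{16,})\2
    """
)
MIN_ENTROPY = 3.5  # bits per character; assumed threshold, tune per codebase


def shannon_entropy(value: str) -> float:
    """Bits per character; random keys score high, words and repeats low."""
    counts = Counter(value)
    total = len(value)
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def find_hardcoded_secrets(source: str) -> list[tuple[int, str]]:
    """Return (line_number, variable_name) for each suspicious literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        for match in ASSIGNMENT.finditer(line):
            name, literal = match.group(1), match.group(3)
            if shannon_entropy(literal) >= MIN_ENTROPY:
                findings.append((lineno, name))
    return findings


# Constructed sample: a generated Flask-style config with one made-up
# high-entropy key, one placeholder, and one value read from the environment.
SAMPLE = '''\
import os
DEBUG = True
PAYMENT_API_KEY = "q7Zt2LmX9vB4cR8nKd1WfY6sHp3JgA5e"
SESSION_SECRET = "changeme-changeme-changeme"
DATABASE_PASSWORD = os.environ["DATABASE_PASSWORD"]
'''

if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE):
        print(f"line {lineno}: possible hardcoded secret in {name}")
```

The entropy filter keeps placeholder strings from drowning out real findings, but it also means a weak, guessable hardcoded password passes unflagged, which is why dedicated scanners combine this heuristic with provider-specific key formats.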

💡 How could you formulate a prompt to avoid exposing secrets? What requirements or parameters would you include?

Waterfall, Agile, ad-hoc, DevOps, vibe coding — no matter what SDLC or tools we are using, as developers, we are concerned with efficiency, optimization, reliability, and maintainability. We want to make software that is useful and we don’t want to get paged in the middle of the night for an incident. AI can be a valuable tool that helps remove some of the more tedious tasks associated with development and free us to think more creatively; the potential disadvantages of AI mean we have the opportunity to be more deliberate and intentional in our work.

While we can’t predict exactly how AI will affect the software development lifecycle, we do know that no matter what direction it takes, code quality and security will always be central to meaningful, robust, and reliable software.

Just ask the guy at EnrichLead.

  • For all you Java developers out there, Sonar developer advocate Jonathan Vila has posts on Java and code quality here.
  • Interested in learning more about how Sonar can help you vibe better? Check out this tutorial.
  • Still feeling a little AI anxiety? This article by UX Collective’s Pete Sena might help alleviate that.
  • Whether we like it or not, AI is (probably) here to stay, so now’s a good time to start developing some good AI coding habits.
  • No matter what, best practices will always be in style.