Vibe coding under the microscope: what static analysis finds in AI projects
The PVS-Studio team has started analyzing vibe-coded projects — the very ones that are supposed to “change the world.” The static analyzer is finding null…
AI-processed from Habr AI; edited by Hamidun News
Vibe coding is a trend where developers use AI to generate code without deeply understanding implementation details. The PVS-Studio team began systematically analyzing such projects using static analysis tools — and the first results proved surprisingly interesting.
What is Vibe Code
The term 'vibe coding' was popularized by Andrej Karpathy in early 2025. He described an approach in which a developer states an intention, the AI writes the code, and the programmer accepts the result without delving into implementation details. MVPs are created dramatically faster this way: projects that used to take months now appear over a weekend.
It was precisely such 'revolutionary' repositories — with bold claims and rapid MVPs — that caught PVS-Studio's attention. The team began systematically selecting public vibe-coded projects and running them through a static analyzer. The problem is that generation speed and code quality are different things.
AI models are good at reproducing patterns from training data, but don't understand business logic, edge cases, and invariants of a specific project. What works in a demo doesn't necessarily work under load.
What the Analyzer Finds
PVS-Studio is one of the oldest static analysis tools for C, C++, C#, and Java. Typical findings in vibe-coded projects form a predictable pattern:
- Null pointer dereference — code assumes an object always exists without checking edge cases
- Unused variables and dead code — AI generates 'backup' branches of logic that never execute
- Comparing a variable with itself — a classic typo in conditional statements
- Logical contradictions — a condition that is either always false or always true
- Resource leaks — file descriptors and network connections that are opened but never closed
Notably: many of these errors don't manifest on the 'happy path' — which is precisely why vibe-coded projects look functional in demos but break at the first non-standard situation in production.
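As an added illustration (not code from PVS-Studio or from any analyzed project), the C sketch below puts three of the listed defect classes into one happy-path function and sets a checked counterpart beside it. The function names, the `port=<n>` line format and the scratch file name are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fragile form: correct only for an existing file whose first line is "port=<n>". */
int read_port_fragile(const char *path) {
    char line[64];
    FILE *f = fopen(path, "r");         /* NULL when the file is missing */
    if (!fgets(line, sizeof line, f))   /* null dereference on that path */
        return -1;                      /* resource leak: f is never closed */
    char *eq = strchr(line, '=');       /* NULL when the line has no '=' */
    int port = atoi(eq + 1);            /* reads through an invalid pointer */
    if (port < 1 && port > 65535)       /* contradiction: always false */
        port = -1;                      /* dead code, range is never enforced */
    fclose(f);
    return port;
}

/* Checked form: every failure path is tested and the file is closed exactly once. */
int read_port_checked(const char *path) {
    char line[64], *end;
    int port = -1;
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    if (fgets(line, sizeof line, f) != NULL) {
        char *eq = strchr(line, '=');
        if (eq != NULL && eq - line == 4 && memcmp(line, "port", 4) == 0) {
            long v = strtol(eq + 1, &end, 10);
            if (end != eq + 1 && (*end == '\n' || *end == '\0') && v >= 1 && v <= 65535)
                port = (int)v;
        }
    }
    fclose(f);
    return port;
}

/* Writes constructed sample text to a scratch file, parses it, returns port or -1. */
int check_sample(const char *text) {
    const char *path = "vibe_sample.conf";   /* hypothetical scratch file */
    FILE *f = fopen(path, "w");
    if (f == NULL) return -2;
    fputs(text, f);
    fclose(f);
    int port = read_port_checked(path);
    remove(path);
    return port;
}

int main(void) {
    return check_sample("port=8080\n") == 8080 ? 0 : 1;
}
```

Both functions return the same value for `port=8080`, which is why a demo does not distinguish them; only a missing file, a line without `=`, or an out-of-range value separates the two.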
Why This Is a Systemic Problem
AI assistants are trained on code from GitHub — and GitHub contains a huge amount of code of varying quality. Models reproduce established patterns but lack a mechanism to verify correctness in a specific context: they don't know about business invariants, expected behavior under load, or security requirements.
'Vibe coding is when you completely surrender to AI' is how Karpathy himself described the approach.
This doesn't mean the method is useless. Vibe coding works great for prototypes, throwaway scripts, and UI templates. But when a 'startup that will change the world' is built on such code, a static analyzer turns from an option into a necessity. An additional risk: a 'viber' developer often doesn't understand the generated code deeply enough to adequately assess the analyzer's findings. The warning exists, but what to do with it is unclear. This creates an illusion of control: run the analysis, get a list, ignore it — and move on.
What This Means
Vibe coding lowered the barrier to entry for development — and that's good. But it didn't automatically raise the bar for code quality. Static analysis remains a filter that separates 'it runs on my laptop' from 'ready for production'. Teams that take their vibe-coded projects seriously should add CI with an analyzer as early as possible — before technical debt becomes the main product.