Testing Guide
Automated Testing for Vibe Coded Apps: How to Ship Fast Without Breaking Everything
Vibe coding lets you ship features in hours instead of days. But without test coverage, two features later something silently breaks and nobody notices until a user complains. This guide covers how to add automated E2E tests, security scans, and regression guardrails to AI-generated code without slowing down the velocity that makes vibe coding worth doing in the first place.
“A recent experiment pointed an AI pentester at a vibe-coded quiz app and found 22 security vulnerabilities the developer didn't know about. Most were injection flaws and missing input validation that automated scanning would have caught before deploy.”
r/AgentsOfAI, 2026
1. The Regression Problem Nobody Talks About
Vibe coding with tools like Cursor, Claude Code, or Copilot is fast because you describe what you want and the AI generates working code. The first feature works. The second feature works. Then you add the third feature and the first one silently breaks. Not with a crash or an error, but with subtle behavior changes: a form that used to validate email addresses now accepts anything, a checkout flow that skips the confirmation step, an API endpoint that returns stale data.
This happens because AI code generation treats each prompt as independent context. When you ask for feature C, the model might refactor a shared utility that features A and B depend on. It looks correct in isolation. The linter passes. TypeScript compiles. But the behavioral contract that feature A relied on is gone, and there is nothing in the codebase to catch it because there are no tests covering that behavior.
The traditional answer is to write unit tests. But vibe-coded apps change structure rapidly. Functions get renamed, files get moved, components get merged. Unit tests that are tightly coupled to implementation details break constantly, creating noise that developers learn to ignore. The better answer for vibe-coded applications is end-to-end tests that verify user-visible behavior regardless of how the underlying code is structured.
2. Security Gaps in AI-Generated Code
Security is the other blind spot. AI models are trained on vast amounts of code, including insecure patterns. When generating authentication flows, form handlers, or API routes, models frequently produce code with common OWASP vulnerabilities: missing input sanitization, SQL injection via string concatenation, cross-site scripting through unescaped user content, and exposed API keys in client-side bundles.
The 22-vulnerability experiment that made the rounds on Reddit is not an outlier. Studies from Stanford and other institutions have shown that developers using AI assistants produce code with more security vulnerabilities than those coding manually, while simultaneously being more confident that their code is secure. The speed of vibe coding amplifies this: you ship so fast that there is no pause to think about edge cases, error handling, or adversarial inputs.
Automated security scanning (SAST/DAST) catches the most common issues before they reach production. Tools like Semgrep, Snyk, and CodeQL can run in CI alongside your tests. For web applications, combining static analysis with E2E tests that include adversarial input scenarios (XSS payloads in form fields, SQL injection strings in search bars) creates a practical security net that does not require manual security review of every AI-generated change.
Security checklist for vibe-coded apps
- Run SAST scanner on every commit (Semgrep, CodeQL, Snyk)
- Add E2E tests with adversarial input payloads
- Check for exposed secrets with tools like gitleaks or trufflehog
- Validate authentication flows cover token expiry and session hijacking
- Test authorization: verify users cannot access other users' data
Tired of writing tests for AI-generated code?
Assrt auto-discovers test scenarios from your running app and generates real Playwright tests. Open-source, no vendor lock-in.
Get Started →3. Building an E2E Test Strategy for Vibe Coded Apps
The key insight for testing vibe-coded apps is that your tests should mirror user behavior, not code structure. Define test scenarios around critical user journeys: signing up, logging in, completing a purchase, submitting a form, uploading a file. These journeys remain stable even when the AI completely rewrites the underlying implementation.
Start with the flows that lose you money or users when they break. For most web apps, that means: authentication (can users sign up and log in), the core value action (whatever the app primarily does), and payment (if applicable). Three to five well-written E2E tests covering these flows catch more regressions than fifty unit tests scattered across utility functions.
The problem with writing these by hand is maintenance. In a vibe-coded app, the signup form might change from email/password to a magic link flow overnight because you prompted the AI to "make auth simpler." Your hand-written selectors break immediately. This is where self-healing test frameworks and auto-discovery tools become essential.
4. Auto-Discovering Test Scenarios Instead of Writing Them by Hand
Writing E2E tests manually is the bottleneck that makes most vibe-coded projects skip testing entirely. The code changes too fast. By the time you write a test suite for the current UI, the AI has already restructured three pages.
A newer approach is automated test discovery. Tools crawl your running application, identify interactive elements, map user flows, and generate test scenarios automatically. Some generate proprietary YAML or custom DSLs. Better ones generate real Playwright test files that you own and can modify.
The discovery approach fits vibe coding because it matches the same mental model: describe the target (your app URL), let AI figure out the details. When the AI rewrites your frontend, you re-run discovery and get updated tests. No manual test maintenance.
5. Self-Healing Selectors for Constantly Changing UIs
The biggest maintenance cost in E2E testing is brittle selectors. You write a test that clicks button.submit-btn and the next AI prompt renames it to button[data-action="submit"]. Your test fails not because the feature is broken, but because the CSS class changed.
Self-healing selectors solve this by maintaining multiple ways to identify each element: text content, ARIA roles, position in the DOM tree, and visual appearance. When the primary selector breaks, the framework tries alternatives and auto-updates the test file. For vibe-coded apps where the DOM structure changes constantly, this is the difference between a test suite that provides value and one that creates more work than it saves.
Traditional selectors vs self-healing
// Breaks when AI renames the class
await page.click('.btn-primary.submit-form');
// Breaks when DOM structure changes
await page.click('div > form > div:nth-child(3) > button');6. Wiring Tests Into Your CI Pipeline
Tests that do not run automatically are tests that will stop running. For vibe-coded apps, the CI pipeline is your safety net. Every push should trigger: (1) your E2E test suite against a preview deployment, (2) a static security scan, and (3) visual regression checks if your app has significant UI.
Most vibe-coded apps deploy to Vercel, Netlify, or similar platforms that generate preview URLs for every push. Run your E2E tests against these preview deployments. This catches regressions before they merge to main, without needing a local test server setup.
7. Tools That Fit the Vibe Coding Workflow
Not all testing tools are built for the pace of vibe coding. Here is what to look for and some options in each category.
| Category | Tool | Why It Fits |
|---|---|---|
| E2E Framework | Playwright | Multi-browser, fast, great trace viewer for debugging |
| Test Discovery | Assrt | Auto-discovers scenarios, generates real Playwright files, open-source |
| Security (SAST) | Semgrep | Fast, configurable rules, works in CI, free for open source |
| Secret Detection | gitleaks | Catches API keys, tokens before they hit the repo |
| Visual Regression | Playwright Screenshots | Built into Playwright, no extra tool needed |
The main thing to avoid is tools that require extensive configuration or generate proprietary test formats. With vibe-coded apps, you want tools where the output is standard code you can inspect, modify, and run with standard runners. If you stop using the tool, your tests should still work. Zero vendor lock-in is not a nice-to-have, it is a requirement when your workflow moves this fast.