How to Run Your First AuditBuffet Audit
You've got a vibe-coded app. It works. Users can click things. But you have that nagging feeling that your AI coding tool skipped some important stuff. Here's how to find out in about 15 minutes.
Step 1: Pick a starting audit
Head to auditbuffet.com and browse the audit library. If you're not sure where to start, go with Security Headers & Basics — it's free, it's fast, and it almost always finds something.
Six audits are completely free, no account needed:
- Stack Scan — detects your tech stack
- SEO Fundamentals — meta tags, sitemaps, structured data
- Security Headers & Basics — CSP, HSTS, and 17 more checks
- Accessibility Fundamentals — ARIA, keyboard nav, heading structure
- Performance & Load Readiness — Core Web Vitals, bundle size
- Mobile Responsiveness — viewport, touch targets, responsive layouts
For your first run, pick one. Don't try to audit everything at once.
Step 2: Copy the audit prompt
Each audit page has a prompt you copy to your clipboard. That's it — no SDK, no npm package, no configuration file. The prompt contains everything: the checks to run, the output format, and the scoring rules.
Step 3: Run it in your AI coding tool
Paste the prompt into whatever you're already using — Claude Code, Cursor, Bolt, Windsurf, or any AI tool that can read your codebase. The audit needs access to your project files, so run it from the project root.
A few tips:
- Don't interrupt it. Let the audit run to completion. Partial results aren't useful.
- Save the raw output. The audit produces both a human-readable report and a JSON telemetry block. You'll want both.
- Context window matters. Larger projects may need a tool with a bigger context window. If the audit seems to skip files, that's usually why.
Step 4: Read the report
The audit output has two parts. The human-readable report is what you'll actually read — it lists every check, whether it passed or failed, and specific remediation steps for failures.
The interesting part is the scoring. Each check has a severity weight:
| Severity | Weight | Examples |
|----------|--------|----------|
| Critical | 10 | Missing HTTPS, no auth on admin routes, SQL injection |
| Warning | 3 | Missing CSP header, no error boundary, poor color contrast |
| Info | 1 | Missing meta description, no favicon, verbose console logs |
Your category score is the sum of the weights of the checks that passed, divided by the sum of the weights of all applicable checks, times 100. A check is applicable if it reached a pass or fail verdict. Checks that were skipped or errored out don't count against you: they're excluded from both numerator and denominator, so they neither raise nor lower the score. That also means a high score is only as good as the set of checks that actually ran, so look at what was skipped or errored before trusting the number.
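Here is the scoring rule worked through in code, as an added example that is not AuditBuffet's own code. The page says the audit emits a JSON telemetry block but does not document its fields, so the telemetry shape below (a `category` name plus a list of `checks` with `id`, `severity` and `status`) is an assumption, and the sample telemetry is constructed. The severity weights are the ones from the table above.

```python
"""Compute an AuditBuffet-style category score from a telemetry block.

Added example, not AuditBuffet's code. The telemetry shape is assumed:
the article only says a JSON telemetry block is emitted. Weights follow
the article's severity table (Critical 10, Warning 3, Info 1).
"""
import json

SEVERITY_WEIGHT = {"critical": 10, "warning": 3, "info": 1}

# Constructed sample telemetry (assumed shape: one record per check).
SAMPLE_TELEMETRY = json.dumps({
    "category": "Security Headers & Basics",
    "checks": [
        {"id": "https-enforced", "severity": "critical", "status": "pass"},
        {"id": "hsts-header", "severity": "warning", "status": "pass"},
        {"id": "csp-header", "severity": "warning", "status": "fail"},
        {"id": "x-frame-options", "severity": "warning", "status": "fail"},
        {"id": "server-header-hidden", "severity": "info", "status": "pass"},
        {"id": "favicon-present", "severity": "info", "status": "skipped"},
        {"id": "admin-route-auth", "severity": "critical", "status": "error"},
    ],
})


def score_checks(checks):
    """Return (score, passed_weight, applicable_weight).

    score = passed weight / applicable weight * 100, where a check is
    applicable only if it reached a pass or fail verdict. Skipped and
    errored checks drop out of both numerator and denominator.
    """
    passed = 0
    applicable = 0
    for check in checks:
        status = check["status"].lower()
        if status not in ("pass", "fail"):
            continue  # skipped/error: neither helps nor hurts
        weight = SEVERITY_WEIGHT[check["severity"].lower()]
        applicable += weight
        if status == "pass":
            passed += weight
    if applicable == 0:
        # Nothing reached a verdict: report no score rather than 100.
        return None, 0, 0
    return round(100 * passed / applicable, 1), passed, applicable


def failures_by_weight(checks):
    """Failed checks, heaviest first: a sensible remediation order."""
    failed = [c for c in checks if c["status"].lower() == "fail"]
    return sorted(failed, key=lambda c: -SEVERITY_WEIGHT[c["severity"].lower()])


def unevaluated(checks):
    """Check ids that never reached a verdict (skipped or errored)."""
    return [c["id"] for c in checks if c["status"].lower() not in ("pass", "fail")]


def score_telemetry(raw_json):
    """Parse a telemetry block and summarise score, failures and gaps."""
    data = json.loads(raw_json)
    checks = data["checks"]
    score, passed, applicable = score_checks(checks)
    return {
        "category": data["category"],
        "score": score,
        "passed_weight": passed,
        "applicable_weight": applicable,
        "failures": [c["id"] for c in failures_by_weight(checks)],
        "unevaluated": unevaluated(checks),
    }


if __name__ == "__main__":
    print(json.dumps(score_telemetry(SAMPLE_TELEMETRY), indent=2))
```

On the sample, 14 of 20 applicable weight points pass, giving a score of 70.0. Note that the errored critical check (`admin-route-auth` in the constructed data) contributes nothing to either side of the fraction, so the 70 says nothing about whether admin routes are protected. That is why the summary lists `unevaluated` ids alongside the score: treat those as work still to do, not as passes.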