Skip to main content

Autonomous Security Vulnerability Scanner

Project description

๐Ÿ›ก๏ธ VibeScan

Autonomous Security Vulnerability Scanner โ€” scans any codebase for security bugs using static analysis and returns a rich, actionable report.


Features

Scanner Detects
๐Ÿ”‘ Secrets 80+ patterns โ€” AWS keys, GitHub tokens, Stripe keys, JWT secrets, private keys, DB connection strings
๐Ÿ’‰ SQL Injection String concat / f-strings / .format() in SQL queries; ORM raw() calls
๐Ÿ’ป Command Injection os.system, subprocess(shell=True), eval(), exec(), JS child_process.exec, PHP system()
๐ŸŒ XSS mark_safe(), Jinja2 |safe, innerHTML, document.write, React dangerouslySetInnerHTML, PHP echo $_GET
๐Ÿ“ Path Traversal User input in os.path.join, open(), Flask send_file
๐Ÿ“ฆ Insecure Deserialization pickle.load, yaml.load without SafeLoader, marshal, shelve, PHP unserialize, Java ObjectInputStream
๐Ÿ” Weak Crypto MD5/SHA1, DES/RC4, ECB mode, small RSA keys, random for security, disabled SSL, hardcoded IVs
๐Ÿ“ข Sensitive Data Exposure Logging passwords, DEBUG=True, Flask debug=True, weak SECRET_KEY, env vars in responses
๐Ÿ“‹ Dependencies Known CVEs in requirements.txt and package.json (offline, bundled DB of 16 high-impact CVEs)

Installation

cd vibescan
pip install -e .

Or without installing (run directly):

pip install colorama pyyaml

Usage

Basic scan (terminal output only)

python -m vibescan.cli scan /path/to/your/project

Generate a Markdown report

python -m vibescan.cli scan /path/to/your/project --output report.md

Generate a JSON report

python -m vibescan.cli scan /path/to/your/project --output report.json --format json

Filter by minimum severity

python -m vibescan.cli scan /path/to/your/project --severity HIGH

Scan the included sample vulnerable project

python -m vibescan.cli scan ./sample_vulnerable --output report.md

Output

Terminal โ€” Colorized, severity-tagged findings with file:line references and one-line fix previews:

  [CRITICAL] Hardcoded AWS Access Key ID
  โ”Œโ”€ sample_vulnerable/app.py : line 14
  โ”œโ”€ CWE: CWE-798  โ€ข  Scanner: SecretsScanner
  โ”œโ”€ Hardcoded AWS Access Key ID detected.
  โ””โ”€ Fix: Remove from source code. Use environment variables or AWS IAM roles.

Markdown Report โ€” Full report with severity tables, CWE links, code snippets, fix guidance, and a JSON summary block.


Configuration (optional)

Create .vibescan.yml in your project root:

min_severity: HIGH           # Only report HIGH and CRITICAL
exclude_dirs:
  - vendor
  - migrations
  - __pycache__
enabled_scanners:             # Leave empty to run all 9
  - secrets
  - sql_injection
  - command_injection
extra_secret_patterns:        # Your own regex patterns
  - "MY_INTERNAL_TOKEN_[A-Z0-9]{20}"

Exit Codes

Code Meaning
0 Scan complete, no CRITICAL findings
1 CRITICAL findings detected

Use in CI/CD:

python -m vibescan.cli scan . --severity HIGH || exit 1

Project Structure

vibescan/
โ”œโ”€โ”€ vibescan/
โ”‚   โ”œโ”€โ”€ cli.py              # CLI entry point
โ”‚   โ”œโ”€โ”€ engine.py           # File walker + dispatcher
โ”‚   โ”œโ”€โ”€ config.py           # .vibescan.yml loader
โ”‚   โ”œโ”€โ”€ models.py           # Finding, ScanResult, Severity
โ”‚   โ”œโ”€โ”€ report.py           # Markdown + JSON report generator
โ”‚   โ””โ”€โ”€ scanners/
โ”‚       โ”œโ”€โ”€ secrets.py
โ”‚       โ”œโ”€โ”€ sql_injection.py
โ”‚       โ”œโ”€โ”€ command_injection.py
โ”‚       โ”œโ”€โ”€ xss.py
โ”‚       โ”œโ”€โ”€ path_traversal.py
โ”‚       โ”œโ”€โ”€ deserialization.py
โ”‚       โ”œโ”€โ”€ weak_crypto.py
โ”‚       โ”œโ”€โ”€ sensitive_data.py
โ”‚       โ””โ”€โ”€ dependencies.py
โ””โ”€โ”€ sample_vulnerable/      # Deliberately vulnerable test project

โš ๏ธ Do not deploy sample_vulnerable/ โ€” it contains intentional security flaws for testing purposes only.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

chandan_vibescan-1.0.0.tar.gz (51.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

chandan_vibescan-1.0.0-py3-none-any.whl (63.6 kB view details)

Uploaded Python 3

File details

Details for the file chandan_vibescan-1.0.0.tar.gz.

File metadata

  • Download URL: chandan_vibescan-1.0.0.tar.gz
  • Upload date:
  • Size: 51.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.10

File hashes

Hashes for chandan_vibescan-1.0.0.tar.gz
Algorithm Hash digest
SHA256 d73676fad7b1085a33a87e7126b31109c815853800ab942ba12d6e5629c85406
MD5 349b3a7287fe240f67bf835ca502f5a7
BLAKE2b-256 fc4bae8d8d9500462d3d029e976ed97e9e99fe601cc38a399225cd54dc7a7686

See more details on using hashes here.

File details

Details for the file chandan_vibescan-1.0.0-py3-none-any.whl.

File metadata

File hashes

Hashes for chandan_vibescan-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 ce7bc1796a74c33a461d5a35132f219368b7d0d19fc06aec34a709cf7437c9e0
MD5 c2fac63b30688330b218c52bf02eda92
BLAKE2b-256 54c548811be8fae5bfa6832ce4c7014e303e6b088b32490ad0748bae49fce041

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page