Autonomous Security Vulnerability Scanner
Project description
๐ก๏ธ VibeScan
Autonomous Security Vulnerability Scanner โ scans any codebase for security bugs using static analysis and returns a rich, actionable report.
Features
| Scanner | Detects |
|---|---|
| ๐ Secrets | 80+ patterns โ AWS keys, GitHub tokens, Stripe keys, JWT secrets, private keys, DB connection strings |
| ๐ SQL Injection | String concat / f-strings / .format() in SQL queries; ORM raw() calls |
| ๐ป Command Injection | os.system, subprocess(shell=True), eval(), exec(), JS child_process.exec, PHP system() |
| ๐ XSS | mark_safe(), Jinja2 |safe, innerHTML, document.write, React dangerouslySetInnerHTML, PHP echo $_GET |
| ๐ Path Traversal | User input in os.path.join, open(), Flask send_file |
| ๐ฆ Insecure Deserialization | pickle.load, yaml.load without SafeLoader, marshal, shelve, PHP unserialize, Java ObjectInputStream |
| ๐ Weak Crypto | MD5/SHA1, DES/RC4, ECB mode, small RSA keys, random for security, disabled SSL, hardcoded IVs |
| ๐ข Sensitive Data Exposure | Logging passwords, DEBUG=True, Flask debug=True, weak SECRET_KEY, env vars in responses |
| ๐ Dependencies | Known CVEs in requirements.txt and package.json (offline, bundled DB of 16 high-impact CVEs) |
Installation
cd vibescan
pip install -e .
Or without installing (run directly):
pip install colorama pyyaml
Usage
Basic scan (terminal output only)
python -m vibescan.cli scan /path/to/your/project
Generate a Markdown report
python -m vibescan.cli scan /path/to/your/project --output report.md
Generate a JSON report
python -m vibescan.cli scan /path/to/your/project --output report.json --format json
Filter by minimum severity
python -m vibescan.cli scan /path/to/your/project --severity HIGH
Scan the included sample vulnerable project
python -m vibescan.cli scan ./sample_vulnerable --output report.md
Output
Terminal โ Colorized, severity-tagged findings with file:line references and one-line fix previews:
[CRITICAL] Hardcoded AWS Access Key ID
โโ sample_vulnerable/app.py : line 14
โโ CWE: CWE-798 โข Scanner: SecretsScanner
โโ Hardcoded AWS Access Key ID detected.
โโ Fix: Remove from source code. Use environment variables or AWS IAM roles.
Markdown Report โ Full report with severity tables, CWE links, code snippets, fix guidance, and a JSON summary block.
Configuration (optional)
Create .vibescan.yml in your project root:
min_severity: HIGH # Only report HIGH and CRITICAL
exclude_dirs:
- vendor
- migrations
- __pycache__
enabled_scanners: # Leave empty to run all 9
- secrets
- sql_injection
- command_injection
extra_secret_patterns: # Your own regex patterns
- "MY_INTERNAL_TOKEN_[A-Z0-9]{20}"
Exit Codes
| Code | Meaning |
|---|---|
0 |
Scan complete, no CRITICAL findings |
1 |
CRITICAL findings detected |
Use in CI/CD:
python -m vibescan.cli scan . --severity HIGH || exit 1
Project Structure
vibescan/
โโโ vibescan/
โ โโโ cli.py # CLI entry point
โ โโโ engine.py # File walker + dispatcher
โ โโโ config.py # .vibescan.yml loader
โ โโโ models.py # Finding, ScanResult, Severity
โ โโโ report.py # Markdown + JSON report generator
โ โโโ scanners/
โ โโโ secrets.py
โ โโโ sql_injection.py
โ โโโ command_injection.py
โ โโโ xss.py
โ โโโ path_traversal.py
โ โโโ deserialization.py
โ โโโ weak_crypto.py
โ โโโ sensitive_data.py
โ โโโ dependencies.py
โโโ sample_vulnerable/ # Deliberately vulnerable test project
โ ๏ธ Do not deploy
sample_vulnerable/โ it contains intentional security flaws for testing purposes only.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file chandan_vibescan-1.0.0.tar.gz.
File metadata
- Download URL: chandan_vibescan-1.0.0.tar.gz
- Upload date:
- Size: 51.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d73676fad7b1085a33a87e7126b31109c815853800ab942ba12d6e5629c85406
|
|
| MD5 |
349b3a7287fe240f67bf835ca502f5a7
|
|
| BLAKE2b-256 |
fc4bae8d8d9500462d3d029e976ed97e9e99fe601cc38a399225cd54dc7a7686
|
File details
Details for the file chandan_vibescan-1.0.0-py3-none-any.whl.
File metadata
- Download URL: chandan_vibescan-1.0.0-py3-none-any.whl
- Upload date:
- Size: 63.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ce7bc1796a74c33a461d5a35132f219368b7d0d19fc06aec34a709cf7437c9e0
|
|
| MD5 |
c2fac63b30688330b218c52bf02eda92
|
|
| BLAKE2b-256 |
54c548811be8fae5bfa6832ce4c7014e303e6b088b32490ad0748bae49fce041
|