AI-Native Platform to Secure Vibecoded Applications
Project description
🛡️ SecureVibes
🌐 securevibes.ai — Website, docs & blog
AI‑Native Security for Vibecoded Apps
SecureVibes uses Claude’s multi‑agent architecture to find security issues with concrete evidence. Agents coordinate to map your architecture, model threats, review code, and generate a clear report. An optional DAST phase validates exploitability via HTTP testing using auto‑discovered skills.
🚀 Quick Start
# Install for the latest release on PyPi (might not have all the latest changes in the code)
pip install securevibes
# NOTE: the package uploaded on PyPi might not have all the latest changes.
# I will try to release a new version of the package whenever there are significant changes/developments
# If you would rather use the version with the latest changes, you can do the following:
# Install for the latest version (might be buggy)
git clone https://github.com/anshumanbh/securevibes.git
cd securevibes
virtualenv env
. env/bin/activate
pip install -e packages/core
# Authenticate (choose one method)
# Method 1: Session-based (recommended)
# You could use your Claude subscription here, if you don't want to pay per API requests
claude # Run interactive CLI, then type: /login
# Method 2: API key
export ANTHROPIC_API_KEY="your-api-key-here"
# Scan your project
securevibes scan /path/to/code --debug
# The most important part
# Sit back and relax. Please be patient as the scans might take some time, depending upon the model being used.
Get your API key from: https://console.anthropic.com/
🔐 Runtime Safety Model
SecureVibes runs scan orchestration with Claude SDK permission_mode="default".
Runtime safety depends on explicit tool surfaces and scanner hooks (including repository-boundary guardrails, PR review artifact constraints, and DAST database CLI blocking).
Operational guidance:
- Run scans only on trusted repositories.
- Prefer isolated CI runners/containers for scans.
- Avoid running scans with access to production credentials or sensitive networks.
🤖 Agents
- Assessment →
SECURITY.md - Threat Modeling (STRIDE + technology-specific skills) →
THREAT_MODEL.json - Code Review →
VULNERABILITIES.json - Report Generator →
scan_results.json - DAST (optional) →
DAST_VALIDATION.json(validates via HTTP when --target-url provided)
🤖 Agentic Detection
SecureVibes automatically detects agentic applications (LLM APIs, agent frameworks, tool execution) and requires OWASP ASI threats in threat models. Override with --agentic or --no-agentic.
🌍 Supported Languages
11 Languages: Python, JavaScript, TypeScript, Go, Ruby, Java, PHP, C#, Rust, Kotlin, Swift
Smart Features:
- Auto-detects languages in your project
- Language-aware exclusions (Python:
venv/, JS:node_modules/, Go:vendor/) - Handles mixed-language codebases intelligently
For detailed language support and exclusion rules, see the full documentation.
🎯 Common Commands
# Default: creates .securevibes/scan_report.md (markdown format)
securevibes scan .
# Export JSON for CI/CD pipeline
securevibes scan . --format json --output security-report.json
# Custom markdown report (saved to .securevibes/custom_report.md)
securevibes scan . --format markdown --output custom_report.md
# Terminal table output (no file saved)
securevibes scan . --format table
# Focus on critical/high severity
securevibes scan . --severity high
# Fast scan with cheaper model
securevibes scan . --model haiku
# Quiet mode for automation
securevibes scan . --quiet
# Run individual sub-agents
securevibes scan . --subagent assessment
securevibes scan . --subagent code-review
securevibes scan . --subagent report-generator
# DAST (optional): skill‑gated dynamic validation
securevibes scan . --subagent dast --target-url http://localhost:3000
# Validates only when a matching skill is available (e.g., IDOR)
# Writes .securevibes/DAST_VALIDATION.json; no ad‑hoc files in repo
# Agentic detection override
securevibes scan . --agentic # Force ASI threat requirement
securevibes scan . --no-agentic # ASI threats optional
# Works with any supported language:
securevibes scan /path/to/go-app # Go project
securevibes scan /path/to/ruby-app # Ruby project
securevibes scan /path/to/mixed-stack # Multi-language project
# PR review (requires prior scan artifacts in .securevibes/)
securevibes pr-review . --base main --head feature-branch
securevibes pr-review . --range abc123~1..abc123
securevibes pr-review . --diff changes.patch
# Commit tracking (requires baseline scan and scan_state.json)
securevibes pr-review . --since-last-scan
securevibes pr-review . --since 2026-02-01
securevibes pr-review . --last 10
# Update base artifacts from PR findings
securevibes pr-review . --range abc123~1..abc123 --update-artifacts
# Clean transient PR artifacts before reruns
securevibes pr-review . --range abc123~1..abc123 --clean-pr-artifacts
# PR review output formats (default: markdown)
securevibes pr-review . --base main --head feature-branch --format markdown
securevibes pr-review . --base main --head feature-branch --format json --output pr_review.json
securevibes pr-review . --base main --head feature-branch --format table
# PR review severity threshold
securevibes pr-review . --base main --head feature-branch --severity high
# Catchup: pull latest + review since last full scan
securevibes catchup . --branch main
securevibes catchup requires a clean working tree (commit, stash, or discard local changes first).
PR review runtime controls:
# Timeout per PR review attempt in seconds (default: 240)
export SECUREVIBES_PR_REVIEW_TIMEOUT_SECONDS=300
# Number of PR review attempts before giving up (default: 4)
export SECUREVIBES_PR_REVIEW_ATTEMPTS=5
PR review fails closed if diff context would be truncated
(more than 16 prioritized files or any hunk over 200 lines).
PR review also fails closed when PR_VULNERABILITIES.json is not produced after retry attempts.
Split large reviews with smaller --range, --last, or --since windows.
PR review artifacts (written to .securevibes/):
DIFF_CONTEXT.json(parsed diff summary)PR_VULNERABILITIES.json(raw findings)pr_review_report.md(default markdown report)scan_state.json(commit tracking for pr-review/catchup)
⚙️ Configuration
Models
SecureVibes uses a three-tier priority system for model selection:
Priority Hierarchy:
- 🥇 Per-agent environment variables (highest)
- 🥈 CLI
--modelflag (applies to all agents) - 🥉 Default "sonnet" (fallback)
Examples:
# All agents use haiku
securevibes scan . --model haiku
# All use haiku, except code-review uses opus
export SECUREVIBES_CODE_REVIEW_MODEL=opus
securevibes scan . --model haiku
# Fine-grained control per agent
export SECUREVIBES_ASSESSMENT_MODEL=haiku
export SECUREVIBES_CODE_REVIEW_MODEL=opus
securevibes scan . # Others use default (sonnet)
Models: haiku (fast/cheap), sonnet (balanced), opus (thorough/expensive)
Per‑Agent Overrides
Override specific agent models via environment variables:
# Authenticate first (see Quick Start above)
# Override specific agent models (overrides CLI --model flag)
export SECUREVIBES_CODE_REVIEW_MODEL="opus" # Max accuracy
export SECUREVIBES_THREAT_MODELING_MODEL="sonnet"
export SECUREVIBES_PR_CODE_REVIEW_MODEL="sonnet"
# Control analysis depth (default: 50)
export SECUREVIBES_MAX_TURNS=75 # Deeper analysis
🐍 Python API (minimal)
import asyncio
from securevibes import Scanner
async def main():
# Auth via Claude Agent SDK:
# - ANTHROPIC_API_KEY or
# - Session token from `claude` CLI (/login)
scanner = Scanner(
model="sonnet", # Use shorthand: sonnet, haiku, opus
debug=True # Show agent narration for verbose output
)
result = await scanner.scan("/path/to/repo")
print(f"Found {len(result.issues)} vulnerabilities")
print(f"Cost: ${result.total_cost_usd:.4f}")
asyncio.run(main())
📚 Full Documentation
This is a quick reference for PyPI users. For comprehensive documentation, visit:
🌐 securevibes.ai — Full website with docs & blog
Including:
- 📖 How It Works
- ✨ Features
- 📝 Blog
👤 Author
Built by @anshumanbh
🌐 securevibes.ai — Website, docs & blog
🌟 Star the repo to follow development!
🙏 Acknowledgments
- Powered by Claude by Anthropic
- Built with Claude Agent SDK
- Inspired by traditional SAST tools, reimagined with AI
License: AGPL-3.0 | Requires: Python 3.10+
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file securevibes-0.4.0.tar.gz.
File metadata
- Download URL: securevibes-0.4.0.tar.gz
- Upload date:
- Size: 373.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.8
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
cc92c967e53381d4c8ec78774b61b4790549a0c394e4fb1472271332b0b219ec
|
|
| MD5 |
a42a118f4e59689bbcd0e3d0364c8e3e
|
|
| BLAKE2b-256 |
52efd4839e267549e4c6db5da0a68a213c13a3f3696d95d664b48d84d43516ab
|
File details
Details for the file securevibes-0.4.0-py3-none-any.whl.
File metadata
- Download URL: securevibes-0.4.0-py3-none-any.whl
- Upload date:
- Size: 295.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.8
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
adad2a506ce847d9682c1782a565d4006b3d8bd5eca5931e188e8f452ff72f2d
|
|
| MD5 |
32b34c5d6afc16a15f6ef473a1d66fff
|
|
| BLAKE2b-256 |
0f9f79ddb015e7e301cd13badeb387b36d3fa88799c275ee846a6778e0313139
|
