🎵 Security auditor for vibe-coded repos — 95% deterministic, 25x cheaper than competitors
🎵 VibeCheck
VibeCheck scans your codebase for hard-coded secrets, SAST vulnerabilities, dependency issues, prompt injection surfaces, and compliance gaps — all in one command.
Installation
pip install vibe-check-cli
Quick Start
# Full scan on the current directory
vibe-check scan .
# Quick score only
vibe-check score .
# Initialize config + git hook
vibe-check init
Commands
vibe-check scan
🔍 Run a full security scan on a repository.
vibe-check scan [PATH] [OPTIONS]
| Argument / Option | Default | Description |
|---|---|---|
| PATH | . | Path to the repository to scan |
| --mode, -m | full | Scan mode: fast (no LLM) or full |
| --format, -f | terminal | Output format: terminal, json, or markdown |
| --exit-code, -e | false | Exit with code 1 if score is below threshold |
| --threshold, -t | 60 | Score threshold for --exit-code |
| --severity, -s | (all) | Filter findings: critical,high,medium,low,info |
| --fail-on | (none) | Exit 1 if any finding is at or above this severity (critical, high, medium, low) |
Examples:
# Scan a specific project
vibe-check scan /path/to/project
# Fast scan (skip LLM-based analyzers — no API key needed)
vibe-check scan . --mode fast
# JSON output for CI pipelines
vibe-check scan . --format json
# Fail CI if score is below 70
vibe-check scan . --exit-code --threshold 70
# Show only critical and high severity findings
vibe-check scan . --severity critical,high
# Block CI/push only if there are critical findings
vibe-check scan . --fail-on critical
vibe-check score
📊 Quick score — just the number and grade, no detailed findings.
vibe-check score [PATH] [OPTIONS]
| Argument / Option | Default | Description |
|---|---|---|
| PATH | . | Path to the repository |
| --exit-code, -e | false | Exit with code 1 if score is below threshold |
| --threshold, -t | 60 | Score threshold for --exit-code |
Example:
vibe-check score .
# Output: 82/100 B MOSTLY SAFE
vibe-check init
⚙️ Initialize a .vibecheck.yml config file and install a pre-push git hook.
vibe-check init
This creates:
- .vibecheck.yml — Configuration file with default settings
- .git/hooks/pre-push — Git hook that runs a fast scan before every push
Global Options
| Option | Description |
|---|---|
| --version, -v | Show the installed version |
| --help | Show help for any command |
Configuration
API Keys
VibeCheck uses an LLM for compliance analysis, the remediation summarizer, and prompt injection detection. In fast mode (--mode fast) no LLM call is made, so no API key is needed; the key is only required for a full scan.
Local Development
Create a .env file in your project root:
# .env
GEMINI_API_KEY="your-api-key-here"
Keep .env out of version control (add it to .gitignore). A committed .env is exactly the kind of hard-coded secret the secrets analyzer reports, and in a git repo the scanner only reads tracked files, so an ignored .env is never scanned or pushed.
GitHub Actions
Pass the API key from your repository secrets:
- name: Run VibeCheck Scan
env:
GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
run: vibe-check scan . --exit-code
.vibecheck.yml
Customize scan behavior by adding a .vibecheck.yml to your project root:
# Scan mode: fast (no LLM) or full
mode: full
# Score threshold for --exit-code
threshold: 60
# Severity filter (empty = all)
severity_filter: []
# Directories to always skip (safety net for non-git repos)
exclude:
- node_modules/
- .venv/
- __pycache__/
# LLM settings
llm:
  provider: gemini # gemini, openai, or anthropic
  token_budget: 5000
Environment Variables
| Variable | Description |
|---|---|
| GEMINI_API_KEY | API key for Google Gemini |
| VIBE_CHECK_API_KEY | Override API key (any provider) |
| VIBE_CHECK_PROVIDER | Override LLM provider |
| VIBE_CHECK_TOKEN_BUDGET | Override token budget |
GitHub Actions
Full Workflow (scan + PR comment + score gate)
Create .github/workflows/vibecheck.yml:
name: VibeCheck PR Check
on:
  pull_request:
    branches: [main]
permissions:
  contents: read
  pull-requests: write
jobs:
  vibecheck:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install VibeCheck
        # Pin the version you validated (for example vibe-check-cli==0.2.6) so the gate is reproducible
        run: pip install vibe-check-cli
      - name: Run VibeCheck Scan
        env:
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
        run: vibe-check scan . --format markdown > vibecheck-report.md
        # Keep going even if the scan exits non-zero so the report is still posted
        continue-on-error: true
      - name: Post PR Comment
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const report = fs.readFileSync('vibecheck-report.md', 'utf8');
            // GitHub rejects comment bodies above 65536 characters
            const body = report.length > 65000
              ? report.substring(0, 65000) + '\n\n... (truncated)'
              : report;
            const { data: comments } = await github.rest.issues.listComments({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
            });
            // Reuse the bot's earlier comment instead of adding one per push
            const existing = comments.find(c =>
              c.body.includes('🔍 VibeCheck Report')
            );
            if (existing) {
              await github.rest.issues.updateComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                comment_id: existing.id,
                body: body,
              });
            } else {
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: context.issue.number,
                body: body,
              });
            }
      - name: Security Gate (Block on High+ Severity)
        # Second, deterministic fast-mode pass; this is the step that actually fails the check
        run: vibe-check scan . --mode fast --fail-on high
What this does:
- Runs a full scan on every PR to main and posts the report as a PR comment (updates the existing comment on re-push)
- Runs a second, fast-mode scan as the gate and fails the check if any High or Critical finding is present
- Because the gate runs in fast mode, full-mode-only findings (compliance gaps) appear in the comment but never block the merge; use --mode full in the gate step if they should
Minimal Workflow (score gate only)
name: VibeCheck
on: [pull_request]
jobs:
  vibecheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install vibe-check-cli
      - run: vibe-check scan . --mode fast --fail-on high
Setup
- Go to your repo → Settings → Secrets and variables → Actions
- Add GEMINI_API_KEY as a repository secret (not needed for the minimal workflow, which runs in fast mode)
- Copy either workflow to .github/workflows/vibecheck.yml
On pull_request runs triggered from a fork, GitHub withholds repository secrets and gives GITHUB_TOKEN read-only access, so the full-mode scan and the PR-comment step only work for branches inside the repository; the fast-mode gate still runs for fork PRs.
What It Scans
| Analyzer | What it detects | Mode |
|---|---|---|
| 🔑 Secrets | Hard-coded API keys, tokens, passwords | fast, full |
| 🛡️ SAST | SQL injection, XSS, eval(), insecure CORS | fast, full |
| 📦 Dependencies | Known CVEs in pip/npm packages | fast, full |
| 🤖 Prompt Injection | Unsanitized user input → LLM calls | fast, full |
| 🔍 Hallucination | Phantom imports and non-existent packages | fast, full |
| 📋 Compliance | GDPR, SOC2, OWASP gaps | full |
| 💡 LLM Summarizer | AI-generated remediation for all findings | full |
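The hallucination analyzer's check is worth seeing in code, because an import that resolves to nothing installed is also a package name an attacker can register on PyPI and have your next pip install pull in. The following is an added example, not VibeCheck's own code: it parses a file with ast, takes the top-level name of every absolute import, and reports names that are neither standard library, nor a module you declare as repo-local, nor locatable by importlib on the current interpreter. It needs only the standard library; the sample source and the package names requests_pro_xyz and llm_guardrails_xyz are constructed for the demo.

```python
import ast
import importlib.util
import sys

# Python 3.10+ exposes the standard-library module names; older interpreters
# get an empty set here and fall back to find_spec() for everything.
STDLIB = getattr(sys, "stdlib_module_names", frozenset())

# Constructed sample: a typical generated handler with two imports that no
# installed package provides (hypothetical names, chosen to resolve nowhere).
DEMO_SOURCE = '''
import os
import json
from collections import OrderedDict
import requests_pro_xyz                        # hypothetical: not installed
from llm_guardrails_xyz.filters import clean   # hypothetical: not installed
from . import sibling                          # relative import, always local
import app_utils                               # module that lives in the repo
'''


def top_level_imports(source: str) -> set[str]:
    """Return the top-level module name of every absolute import in `source`."""
    names: set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom):
            # level > 0 is a relative import (from . import x): never a package.
            if node.level == 0 and node.module:
                names.add(node.module.split(".")[0])
    return names


def is_resolvable(name: str, local_modules: frozenset[str]) -> bool:
    """True if `name` is repo-local, standard library, or importable here."""
    if name in local_modules or name in STDLIB:
        return True
    try:
        # find_spec() locates a top-level module without executing it.
        return importlib.util.find_spec(name) is not None
    except (ImportError, ValueError):
        return False


def find_phantom_imports(source: str, local_modules=frozenset()) -> list[str]:
    """Top-level imports in `source` that resolve to nothing installed or local."""
    local = frozenset(local_modules)
    return sorted(n for n in top_level_imports(source) if not is_resolvable(n, local))


if __name__ == "__main__":
    for name in find_phantom_imports(DEMO_SOURCE, local_modules={"app_utils"}):
        print(f"phantom import: {name}")
```

Run it against a real tree by feeding each .py file's text and passing the set of module and package names at the repo root as local_modules; a name that comes back is either a typo, a package missing from your requirements, or a name the model invented, and the last case should be treated as a supply-chain risk rather than a convenience to fix with pip install.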
File Exclusion
VibeCheck uses a two-layer strategy to skip irrelevant files:
- Git tracking: in git repos, only git-tracked files are scanned, which automatically respects .gitignore. Untracked files are not scanned either, so a new file must be added to git before a scan or the pre-push hook will see it.
- Hardcoded safety net: node_modules, .venv, venv, env, and __pycache__ are always skipped, even in non-git directories and even when their contents are tracked.
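The two layers compose in a way that is easy to get wrong: the git layer must not be applied to a plain directory, and the safety net must still be applied to the git list, because vendored node_modules trees do get committed. The example below is an added illustration and not VibeCheck's code; it assumes the safety net means "skip any path with a directory component of that name", shells out to git only when the root is inside a work tree, and otherwise walks the filesystem while pruning the same directories. The demo tree it builds is constructed for the example.

```python
import os
import subprocess
import tempfile
from pathlib import Path

# Directories skipped unconditionally, as listed on this page. Assumption for
# this example: any path component with one of these names is skipped.
SAFETY_NET = frozenset({"node_modules", ".venv", "venv", "env", "__pycache__"})


def is_git_repo(root: Path) -> bool:
    """True if `root` is inside a git work tree; False if git is unavailable."""
    try:
        proc = subprocess.run(
            ["git", "-C", str(root), "rev-parse", "--is-inside-work-tree"],
            capture_output=True, text=True, timeout=10,
        )
    except (OSError, subprocess.TimeoutExpired):
        return False
    return proc.returncode == 0 and proc.stdout.strip() == "true"


def git_tracked_files(root: Path) -> list[str]:
    """Layer 1: tracked paths from `git ls-files`, which already honours .gitignore."""
    proc = subprocess.run(
        ["git", "-C", str(root), "ls-files", "-z"],
        capture_output=True, text=True, check=True,
    )
    return [p for p in proc.stdout.split("\0") if p]


def walk_all_files(root: Path) -> list[str]:
    """Fallback for non-git directories: every file under root, pruning skipped dirs."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Editing dirnames in place stops os.walk from descending into these trees.
        dirnames[:] = sorted(d for d in dirnames if d not in SAFETY_NET)
        for name in filenames:
            found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return found


def in_safety_net(relpath: str) -> bool:
    """Layer 2: True if any directory on the path is a safety-net directory."""
    return any(part in SAFETY_NET for part in Path(relpath).parts[:-1])


def files_to_scan(root, use_git=None) -> list[str]:
    """Paths to hand to the analyzers, relative to root, with '/' separators.

    The safety net is applied to the git list too: a committed node_modules
    tree is tracked, yet must still be skipped.
    """
    root = Path(root)
    if use_git is None:
        use_git = is_git_repo(root)
    candidates = git_tracked_files(root) if use_git else walk_all_files(root)
    return sorted(p.replace(os.sep, "/") for p in candidates if not in_safety_net(p))


def make_demo_tree() -> str:
    """Constructed sample tree (not a git repo): two sources plus vendored/cache noise."""
    root = tempfile.mkdtemp(prefix="vibecheck-demo-")
    for rel in ["app.py", "src/util.py", "node_modules/left-pad/index.js",
                ".venv/lib/site.py", "src/__pycache__/util.cpython-311.pyc"]:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("# constructed sample\n")
    return root


if __name__ == "__main__":
    print(files_to_scan(make_demo_tree(), use_git=False))
```

One consequence of the safety net worth knowing: a tracked directory literally named env is never scanned, so real configuration or credentials kept under such a path are invisible to the secrets analyzer; name it something else or move the secrets out.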
File details
Details for the file vibe_check_cli-0.2.6.tar.gz.
File metadata
- Download URL: vibe_check_cli-0.2.6.tar.gz
- Upload date:
- Size: 71.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 1fdaac11d59ccac84b2c4d9d2c66491ebdf7bb50895a412387c93c2a186a9854 |
| MD5 | 9b27716b71f1b9a99aa3822543d5f069 |
| BLAKE2b-256 | e607a1efae8ced37830f09d253c6730a1d77c1ff8318a132e47e1737a497e96e |
File details
Details for the file vibe_check_cli-0.2.6-py3-none-any.whl.
File metadata
- Download URL: vibe_check_cli-0.2.6-py3-none-any.whl
- Upload date:
- Size: 74.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | ebf41379c2c16fefdd4b6f5f60b8e5b83f5aa374999a217a364ad2236c5ef75f |
| MD5 | 6fe51a374713db1c9d7ee546cd80db25 |
| BLAKE2b-256 | 7998c376f8162723fd676ae3e4ca632ef969c788bd2f1cc063298ce7b890f7e6 |
Both files were uploaded with an API token rather than Trusted Publishing, so if you want a reproducible install of a security tool in CI, pin the wheel by its SHA256 in a requirements file and install with pip install --require-hashes -r requirements.txt:
vibe-check-cli==0.2.6 --hash=sha256:ebf41379c2c16fefdd4b6f5f60b8e5b83f5aa374999a217a364ad2236c5ef75f