Security scanner for vibe-coded apps — catch what Copilot ships and Snyk overcharges for
Project description
VibeCheck
Security scanner for vibe-coded apps. Catch what Copilot ships and Snyk overcharges for.
pip install vibecheck-ai
vibecheck scan .
What it catches
- Hardcoded secrets — AWS keys, API tokens, database URLs, private keys (16 patterns)
- SQL injection — f-strings and string concatenation in execute() calls
- Command injection — eval(), exec(), os.system(), subprocess with shell=True
- XSS vectors — dangerouslySetInnerHTML, document.write(), eval() in JS
- Missing auth — FastAPI/Express routes without authentication middleware
- Insecure config — DEBUG=True, CORS wildcard, insecure cookies
- Exposed .env — real secrets in .env files, missing .gitignore entries
Usage
# Scan current directory
vibecheck scan .
# Scan specific path
vibecheck scan ./src
# JSON output (for CI/CD)
vibecheck scan . --format json
# Only show critical and high
vibecheck scan . --severity high
# Quiet mode (summary only)
vibecheck scan . --quiet
Exit codes
0— No critical or high findings1— Critical or high findings detected2— Scanner error
Supported languages
- Python (.py)
- JavaScript (.js, .jsx)
- TypeScript (.ts, .tsx)
- Environment files (.env)
- Config files (.json, .yaml, .toml)
Ignore patterns
Create a .vibeignore file in your project root:
# Skip test fixtures
tests/fixtures/*
# Skip generated code
generated/*
GitHub Action
Add to .github/workflows/vibecheck.yml:
name: VibeCheck
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.12'
- run: pip install vibecheck-ai
- run: vibecheck scan .
For GitHub Code Scanning integration (findings appear inline on PRs):
- run: vibecheck scan . --format sarif > vibecheck.sarif
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: vibecheck.sarif
Why VibeCheck?
53% of teams that shipped AI-generated code discovered security issues that passed review. The vibe coding era needs a security scanner that's:
- Fast — scans in milliseconds, not minutes
- Offline — no API calls, no code leaving your machine
- Free — open source, zero dependencies
- Focused — catches real issues, not style nits
License
MIT
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file vibecheck_ai-0.2.0.tar.gz.
File metadata
- Download URL: vibecheck_ai-0.2.0.tar.gz
- Upload date:
- Size: 13.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7a414c9b8b70550b1dcb34ae5ed0887045096827750fd01f6d253f3711549c49
|
|
| MD5 |
889612b885241a44f57dfad1ad9e6722
|
|
| BLAKE2b-256 |
15e397fb5e8072596d13d49b1877fbd1bb21f4e9a372f3470d3dc0a59a436968
|
File details
Details for the file vibecheck_ai-0.2.0-py3-none-any.whl.
File metadata
- Download URL: vibecheck_ai-0.2.0-py3-none-any.whl
- Upload date:
- Size: 20.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c42e07252e82f1935a43be8d4a1a4ff90aa2a102d1a6c4a82937393cce8df373
|
|
| MD5 |
45a928e0923878d123c66d07694cff6e
|
|
| BLAKE2b-256 |
8160c4a708d318ee40545fb6e3f6c9b926c611e036638996c7b387e3423bd989
|
