Skip to main content

Security auditor for AI-generated (vibecoded) apps — auth, sessions, tokens, secrets

Project description

🛡️ VibeCheck Security Auditor

Auth-focused security scanner for AI-generated ("vibecoded") apps.

Every "I built an app with Claude in 20 minutes" post is a future customer who shipped a gaping security hole. VibeCheck is the fire extinguisher.

vibecheck scan ./my-app

score python

Why this exists

LLMs generate sketchy auth by default:

Vibecode classic What breaks
SECRET_KEY = "secret" Session/JWT forgery
jwt.decode(..., verify=False) Identity spoofing
password == user.password Credential dump on breach
localStorage.setItem("token", …) XSS → full account takeover
Access-Control-Allow-Origin: * Cross-site API abuse
SKIP_2FA = True MFA theater
Hardcoded sk-… / sk_live_… Instant key theft from GitHub

Non-technical founders don't know what they don't know. Point at the exposed keys, take the check.

Quick start

Install (packaged)

# From a built wheel / sdist (local)
pip install dist/vibecheck_security-*.whl

# From git (tagged beta)
pip install "git+https://github.com/gardnerscot/vibecheck.git@v0.1.0"

# From GitHub release wheel
# pip install https://github.com/gardnerscot/vibecheck/releases/download/v0.1.0/vibecheck_security-0.1.0-py3-none-any.whl

# From PyPI (when published)
# pip install vibecheck-security

Develop from source

cd vibecheck
python3 -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"

# Scan the intentional dumpster fire
vibecheck scan fixtures/vulnerable_app

# JSON + Markdown reports
vibecheck scan fixtures/vulnerable_app -j reports/out.json -m reports/out.md

# CI gate: fail if score < 70 or any critical/high
vibecheck scan ./src --fail-under 70 --fail-on high

# List rules
vibecheck rules

# Web UI
vibecheck serve
# → http://127.0.0.1:8742

Optional local LLM enrichment (M-series friendly)

# Ollama running with a code model
ollama pull qwen2.5-coder:7b

vibecheck scan ./my-app --llm --llm-model qwen2.5-coder:7b

Static rules always run. LLM review is additive on auth-related files only.

What it scans

Rule packs (30+ heuristics):

  • secrets — API keys, AWS, Stripe, PEM keys, weak SECRET_KEY
  • authentication — plaintext passwords, MD5, auth bypass, SQLi in login, default admin
  • session — cookie flags, localStorage tokens, fixation hints
  • tokens — JWT verify off, alg none, predictable reset tokens, tokens in URLs
  • mfa_2fa — hardcoded TOTP, static OTP, bypass flags
  • cors_csrf*, origin reflection, CSRF disabled
  • cryptography — TLS verify off, HTTP auth URLs, weak RNG, debug mode

Each finding includes severity, CWE (when mapped), confidence, and a concrete fix.

Score

Starts at 100. Weighted deductions by severity × confidence:

Severity Weight
critical 25
high 15
medium 8
low 3

Grade bands: A ≥90 · B ≥80 · C ≥70 · D ≥55 · F <55.

Project layout

vibecheck/
  vibecheck/          # core library + CLI
    rules/            # heuristic packs
    scanner.py
    llm.py            # optional Ollama
    report.py
  web/                # FastAPI UI
  fixtures/           # vulnerable + clean demos
  tests/

Monetization (product sketch)

Tier Price What
CLI free $0 Local static scan
Single scan $9.99 Upload + hosted report
Pro subscription Monitoring, PR checks, history

MVP ships freemium-ready: local CLI free forever; web upload is the paid surface later (Stripe not wired yet).

Packaging & release

Channel Who it's for Command
Editable (dev) You, day to day pip install -e ".[dev]"
Wheel / sdist Friends, CI, TestPyPI make builddist/
PyPI Public pip install make publish-test then make publish
Docker Hosted UI / demos make docker && make docker-run
Git Early adopters pip install git+https://…
# Build installable artifacts
make build
# → dist/vibecheck_security-0.1.0-py3-none-any.whl
# → dist/vibecheck_security-0.1.0.tar.gz

# Smoke-test the wheel in a clean venv
python3 -m venv /tmp/vc-test && source /tmp/vc-test/bin/activate
pip install dist/vibecheck_security-*.whl
vibecheck scan /path/to/app
vibecheck serve

# Publish (needs PyPI token in ~/.pypirc or TWINE_USERNAME/PASSWORD)
make publish-test   # TestPyPI first
make publish        # real PyPI

Naming: PyPI distribution is vibecheck-security; the import and CLI stay vibecheck / vibecheck.

What's in the wheel: library + CLI + web templates/static. Fixtures stay in the repo only (demo data, not shipped).

Docker

docker build -t vibecheck .
docker run --rm -p 8742:8742 vibecheck
# Scan a mounted project:
docker run --rm -v "$PWD:/scan:ro" vibecheck scan /scan

Later (non-Python founders)

  • Standalone binary: pyinstaller / uv tool once CLI is stable
  • Homebrew: formula wrapping the wheel
  • GitHub Action: vibecheck scan . --fail-on high in CI

Development

pip install -e ".[dev]"
pytest -q
make scan    # self-scan + fixture dumpster fire
make build

Disclaimer

VibeCheck is a static heuristic scanner, not a pentest or compliance certification. Findings are leads. Always verify before you panic — or before you invoice.

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

vibecheck_security-0.1.0.tar.gz (41.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

vibecheck_security-0.1.0-py3-none-any.whl (46.7 kB view details)

Uploaded Python 3

File details

Details for the file vibecheck_security-0.1.0.tar.gz.

File metadata

  • Download URL: vibecheck_security-0.1.0.tar.gz
  • Upload date:
  • Size: 41.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.5

File hashes

Hashes for vibecheck_security-0.1.0.tar.gz
Algorithm Hash digest
SHA256 ca2ccf93d6a68923b282ed9aa31fbbe0e6743096e507aa27d78363dda67c2b09
MD5 959c312fcd46442e662681f997196fc0
BLAKE2b-256 7d2015a3316e143823ccf80c4e962eb9d1cf66ae254e77aec82d2d3ceed0cd46

See more details on using hashes here.

File details

Details for the file vibecheck_security-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for vibecheck_security-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 d88de2ca4b16c54f159c7814eb47a601a082166d17d7e415b288b18e54e85c67
MD5 e405e4d02ab5634aa64e07b38af78a6d
BLAKE2b-256 eb0d4639b64c52d1b3540a3fdf86a9881c3ffbaaf3fe786fcbe38c380f153ccb

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page