Security auditor for AI-generated (vibecoded) apps — auth, sessions, tokens, secrets
Project description
🛡️ VibeCheck Security Auditor
Auth-focused security scanner for AI-generated ("vibecoded") apps.
Every "I built an app with Claude in 20 minutes" post is a future customer who shipped a gaping security hole. VibeCheck is the fire extinguisher.
vibecheck scan ./my-app
Why this exists
LLMs generate sketchy auth by default:
| Vibecode classic | What breaks |
|---|---|
SECRET_KEY = "secret" |
Session/JWT forgery |
jwt.decode(..., verify=False) |
Identity spoofing |
password == user.password |
Credential dump on breach |
localStorage.setItem("token", …) |
XSS → full account takeover |
Access-Control-Allow-Origin: * |
Cross-site API abuse |
SKIP_2FA = True |
MFA theater |
Hardcoded sk-… / sk_live_… |
Instant key theft from GitHub |
Non-technical founders don't know what they don't know. Point at the exposed keys, take the check.
Quick start
Install (packaged)
# From a built wheel / sdist (local)
pip install dist/vibecheck_security-*.whl
# From git (tagged beta)
pip install "git+https://github.com/gardnerscot/vibecheck.git@v0.1.0"
# From GitHub release wheel
# pip install https://github.com/gardnerscot/vibecheck/releases/download/v0.1.0/vibecheck_security-0.1.0-py3-none-any.whl
# From PyPI (when published)
# pip install vibecheck-security
Develop from source
cd vibecheck
python3 -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"
# Scan the intentional dumpster fire
vibecheck scan fixtures/vulnerable_app
# JSON + Markdown reports
vibecheck scan fixtures/vulnerable_app -j reports/out.json -m reports/out.md
# CI gate: fail if score < 70 or any critical/high
vibecheck scan ./src --fail-under 70 --fail-on high
# List rules
vibecheck rules
# Web UI
vibecheck serve
# → http://127.0.0.1:8742
Optional local LLM enrichment (M-series friendly)
# Ollama running with a code model
ollama pull qwen2.5-coder:7b
vibecheck scan ./my-app --llm --llm-model qwen2.5-coder:7b
Static rules always run. LLM review is additive on auth-related files only.
What it scans
Rule packs (30+ heuristics):
- secrets — API keys, AWS, Stripe, PEM keys, weak
SECRET_KEY - authentication — plaintext passwords, MD5, auth bypass, SQLi in login, default admin
- session — cookie flags, localStorage tokens, fixation hints
- tokens — JWT verify off, alg none, predictable reset tokens, tokens in URLs
- mfa_2fa — hardcoded TOTP, static OTP, bypass flags
- cors_csrf —
*, origin reflection, CSRF disabled - cryptography — TLS verify off, HTTP auth URLs, weak RNG, debug mode
Each finding includes severity, CWE (when mapped), confidence, and a concrete fix.
Score
Starts at 100. Weighted deductions by severity × confidence:
| Severity | Weight |
|---|---|
| critical | 25 |
| high | 15 |
| medium | 8 |
| low | 3 |
Grade bands: A ≥90 · B ≥80 · C ≥70 · D ≥55 · F <55.
Project layout
vibecheck/
vibecheck/ # core library + CLI
rules/ # heuristic packs
scanner.py
llm.py # optional Ollama
report.py
web/ # FastAPI UI
fixtures/ # vulnerable + clean demos
tests/
Monetization (product sketch)
| Tier | Price | What |
|---|---|---|
| CLI free | $0 | Local static scan |
| Single scan | $9.99 | Upload + hosted report |
| Pro | subscription | Monitoring, PR checks, history |
MVP ships freemium-ready: local CLI free forever; web upload is the paid surface later (Stripe not wired yet).
Packaging & release
| Channel | Who it's for | Command |
|---|---|---|
| Editable (dev) | You, day to day | pip install -e ".[dev]" |
| Wheel / sdist | Friends, CI, TestPyPI | make build → dist/ |
| PyPI | Public pip install |
make publish-test then make publish |
| Docker | Hosted UI / demos | make docker && make docker-run |
| Git | Early adopters | pip install git+https://… |
# Build installable artifacts
make build
# → dist/vibecheck_security-0.1.0-py3-none-any.whl
# → dist/vibecheck_security-0.1.0.tar.gz
# Smoke-test the wheel in a clean venv
python3 -m venv /tmp/vc-test && source /tmp/vc-test/bin/activate
pip install dist/vibecheck_security-*.whl
vibecheck scan /path/to/app
vibecheck serve
# Publish (needs PyPI token in ~/.pypirc or TWINE_USERNAME/PASSWORD)
make publish-test # TestPyPI first
make publish # real PyPI
Naming: PyPI distribution is vibecheck-security; the import and CLI stay vibecheck / vibecheck.
What's in the wheel: library + CLI + web templates/static. Fixtures stay in the repo only (demo data, not shipped).
Docker
docker build -t vibecheck .
docker run --rm -p 8742:8742 vibecheck
# Scan a mounted project:
docker run --rm -v "$PWD:/scan:ro" vibecheck scan /scan
Later (non-Python founders)
- Standalone binary:
pyinstaller/uv toolonce CLI is stable - Homebrew: formula wrapping the wheel
- GitHub Action:
vibecheck scan . --fail-on highin CI
Development
pip install -e ".[dev]"
pytest -q
make scan # self-scan + fixture dumpster fire
make build
Disclaimer
VibeCheck is a static heuristic scanner, not a pentest or compliance certification. Findings are leads. Always verify before you panic — or before you invoice.
License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file vibecheck_security-0.1.0.tar.gz.
File metadata
- Download URL: vibecheck_security-0.1.0.tar.gz
- Upload date:
- Size: 41.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ca2ccf93d6a68923b282ed9aa31fbbe0e6743096e507aa27d78363dda67c2b09
|
|
| MD5 |
959c312fcd46442e662681f997196fc0
|
|
| BLAKE2b-256 |
7d2015a3316e143823ccf80c4e962eb9d1cf66ae254e77aec82d2d3ceed0cd46
|
File details
Details for the file vibecheck_security-0.1.0-py3-none-any.whl.
File metadata
- Download URL: vibecheck_security-0.1.0-py3-none-any.whl
- Upload date:
- Size: 46.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d88de2ca4b16c54f159c7814eb47a601a082166d17d7e415b288b18e54e85c67
|
|
| MD5 |
e405e4d02ab5634aa64e07b38af78a6d
|
|
| BLAKE2b-256 |
eb0d4639b64c52d1b3540a3fdf86a9881c3ffbaaf3fe786fcbe38c380f153ccb
|