Security scanner for AI-generated (vibe-coded) code

Project description

VibeScan

License: MIT · Python 3.9+ · GitHub Actions


The Problem

AI coding tools (Cursor, Claude, Copilot) generate code fast — but 45% of it has security vulnerabilities (Veracode 2025). Existing scanners (GitLeaks, TruffleHog) scan for secrets only. They miss what VibeScan catches.


Architecture

[Figure: architecture diagram]
[Figure: project structure]

Features

  • 14 secret patterns (AWS, OpenAI, GitHub, Stripe, JWT, DB URLs…)
  • Shannon entropy detection (unknown tokens)
  • 22 AI-specific vulnerability patterns
  • Live secret validation (GitHub + OpenAI tokens)
  • Auto-fix suggestions with safe code snippets
  • Git hooks (block push on CRITICAL)
  • GitHub Actions PR bot
  • HTML report + Security dashboard (0–100 score, A–F grade)
  • Config file with allowlist & baseline
  • Zero cost · Works offline · MIT license

Quick Start

# Install — one time
pip install vibescan-ai

# Scan any project
vibescan scan .

# Save HTML report
vibescan scan . -o report.html

Output is a colorized Rich table with the columns File | Line | Issue | Risk | Match.


Screenshots

[Screenshots: feature image, terminal output, HTML report, security dashboard]

Demo

VibeScan v1 Demo | VibeScan v2 Demo


Usage

# Scan current folder
vibescan scan .

# Scan specific folder
vibescan scan path/to/your/project

# HTML report
vibescan scan . -o report.html

# Security dashboard (0-100 score + A-F grade)
vibescan scan . -d dashboard.html

# JSON export (CI/CD integration)
vibescan scan . -j results.json

# Fast scan — secrets only, skip AI patterns
vibescan scan . --no-vibe

# Fail on critical (exit code 1 for CI/CD)
vibescan scan . --fail-on-critical

# Verify if detected secrets are live or revoked
vibescan scan . --validate

Detected Issues

Secrets

AWS Access Key · AWS Secret Key · OpenAI API Key · GitHub Token / OAuth / PAT · Google API Key · JWT Token · Database URL (PostgreSQL / MongoDB / MySQL / Redis) · Generic API Key · Generic Password · Private Key · Stripe Secret / Test Key · Slack Token · Hardcoded .env values

AI-Specific Vulnerabilities

Prompt injection · Unvalidated LLM input · Password / token logged · subprocess with shell=True · os.system() · Path traversal · .env served in route · Hardcoded admin credentials · Weak random module · yaml.load() · pickle.loads() · Missing rate limit on auth · Unvalidated file upload · Missing auth check · SQL injection via f-strings · Debug mode in production · CORS wildcard · Direct .env read · eval() usage
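A minimal scanner, added here as an illustration and not VibeScan's own code, showing the two detection techniques the lists above rely on: fixed regexes for known secret and code patterns, and Shannon entropy for tokens no pattern knows, with a 0-100 score and A-F grade like the dashboard. The regexes, risk weights, grade cut-offs and the sample source are this example's own assumptions.

```python
import math
import re

# Constructed rules modelled on the categories VibeScan lists; the regexes and
# risk weights are this example's own assumptions, not VibeScan's rule set.
SECRET_PATTERNS = {"AWS Access Key": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}
VIBE_PATTERNS = {
    "subprocess with shell=True": (re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True"), "CRITICAL"),
    "SQL injection via f-string": (re.compile(r"""\.execute(?:many)?\(\s*f["']"""), "CRITICAL"),
    "yaml.load() without SafeLoader": (re.compile(r"yaml\.load\((?![^)]*SafeLoader)"), "HIGH"),
    "Debug mode in production": (re.compile(r"debug\s*=\s*True"), "MEDIUM"),
}
STRING_LITERAL = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")
PENALTY = {"CRITICAL": 25, "HIGH": 10, "MEDIUM": 5}

def shannon_entropy(s):
    """Bits per character: random tokens score high, English-like text low."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in (s.count(c) for c in set(s)))

def scan_line(text, lineno, entropy_threshold=4.0):
    """Return (line, issue, risk, match) tuples, the columns the report shows."""
    findings = [(lineno, name, "CRITICAL", m.group(0))
                for name, rx in SECRET_PATTERNS.items() for m in rx.finditer(text)]
    findings += [(lineno, name, risk, text.strip())
                 for name, (rx, risk) in VIBE_PATTERNS.items() if rx.search(text)]
    if not findings:  # entropy catches tokens no regex knows; already-flagged lines are skipped
        findings += [(lineno, "High-entropy string", "HIGH", m.group(1))
                     for m in STRING_LITERAL.finditer(text)
                     if shannon_entropy(m.group(1)) >= entropy_threshold]
    return findings

def scan_source(source):
    return [f for i, line in enumerate(source.splitlines(), 1) for f in scan_line(line, i)]

def score(findings):
    """0-100 score and A-F grade like the dashboard; cut-offs are assumed."""
    s = max(0, 100 - sum(PENALTY[f[2]] for f in findings))
    grade = "A" if s >= 90 else "B" if s >= 80 else "C" if s >= 70 else "D" if s >= 60 else "F"
    return s, grade

# Constructed sample source; the key is AWS's documented placeholder, not a live credential.
SAMPLE = """\
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
subprocess.run(cmd, shell=True)
cfg = yaml.load(open("c.yml"))
TOKEN = "zB7kQp2rL9xV4mN8cW3tY6hJ"
app.run(debug=True)
greeting = "hello_world_hello_world_hello"
"""
```

`scan_source(SAMPLE)` flags the first six lines (the random-looking TOKEN only by entropy) and leaves the low-entropy `greeting` alone; `score` on those findings returns (0, "F").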


Why VibeScan Over GitLeaks?

Feature                    GitLeaks   VibeScan
Secret detection
Entropy analysis
AI-specific patterns
Missing auth detection
SQL injection check
Auto-fix suggestions
GitHub Actions / PR bot
Security dashboard
Cost                       Free       Free

Tech Stack

Python · Click · Rich · Jinja2 · Regex · Shannon Entropy · GitHub Actions


Installation (from source)

git clone https://github.com/tanikush/vibescan.git
cd vibescan
pip install -r requirements.txt
pip install -e .

Contributing

Pull requests are welcome. For major changes, open an issue first to discuss what you would like to change.

  1. Fork it
  2. Create your feature branch (git checkout -b feature/my-change)
  3. Commit your changes (git commit -m 'Add: my new feature')
  4. Push the branch (git push origin feature/my-change)
  5. Open a Pull Request

License

MIT — see LICENSE for details. Free forever. No license fees. No cloud lock-in.

Download files


Source Distribution

vibescan_ai-1.0.0.tar.gz (3.4 MB, Source)

Built Distribution


vibescan_ai-1.0.0-py3-none-any.whl (3.9 MB, Python 3)

File details

Details for the file vibescan_ai-1.0.0.tar.gz.

File metadata

  • Download URL: vibescan_ai-1.0.0.tar.gz
  • Size: 3.4 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.9

File hashes

Hashes for vibescan_ai-1.0.0.tar.gz
Algorithm Hash digest
SHA256 00c35a8708d6e3cf8c5ea99d802c4dcdf89685046bf5359318f0dbd8c9a82a87
MD5 45343002416ec3bdba02e7e88eceb0f0
BLAKE2b-256 160504485b9ad4a721bcdadb55ff7d30ea952f1d59bada3f078825480d1a96c0


File details

Details for the file vibescan_ai-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: vibescan_ai-1.0.0-py3-none-any.whl
  • Size: 3.9 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.9

File hashes

Hashes for vibescan_ai-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 1bb8915fc9d09088d8cab71a4818328a2668be06e3866fa52d5550ca9211bd97
MD5 4d4d772c64738a9049e7ae610db0b269
BLAKE2b-256 1bfd830cb654ac42b52b0812ee297bb20e06614ee526ac8b010db710fcfe4182

