Catches the security mistakes we all make when we code quickly

Zero dependencies • Instant setup • Works everywhere • 20 essential security rules
```bash
# macOS (Intel)
curl -L https://github.com/Devjosef/vibe-guard/releases/download/v1.0.1/vibe-guard-macos-x64 -o vibe-guard
chmod +x vibe-guard
./vibe-guard scan .

# macOS (Apple Silicon)
curl -L https://github.com/Devjosef/vibe-guard/releases/download/v1.0.1/vibe-guard-macos-arm64 -o vibe-guard
chmod +x vibe-guard
./vibe-guard scan .

# Linux (x64)
curl -L https://github.com/Devjosef/vibe-guard/releases/download/v1.0.1/vibe-guard-linux-x64 -o vibe-guard
chmod +x vibe-guard
./vibe-guard scan .

# Linux (ARM64)
curl -L https://github.com/Devjosef/vibe-guard/releases/download/v1.0.1/vibe-guard-linux-arm64 -o vibe-guard
chmod +x vibe-guard
./vibe-guard scan .

# Windows
# Download vibe-guard-windows-x64.exe from the releases page
```
```bash
# Homebrew (macOS/Linux) - Personal Tap
brew tap Devjosef/vibe-guard
brew install vibe-guard

# Chocolatey (Windows) - Ready for submission
# choco install vibe-guard

# RPM (RHEL/CentOS) - Ready for submission
# rpm -i https://github.com/Devjosef/vibe-guard/releases/latest/download/vibe-guard.rpm

# DEB (Ubuntu/Debian) - Ready for submission
# curl -L https://github.com/Devjosef/vibe-guard/releases/latest/download/vibe-guard.deb -o vibe-guard.deb
# sudo dpkg -i vibe-guard.deb
```
```bash
# Pull the latest image
docker pull vibe-guard/vibe-guard:latest

# Scan current directory
docker run --rm -v "$(pwd)":/code vibe-guard/vibe-guard:latest scan /code

# Scan specific file
docker run --rm -v "$(pwd)":/code vibe-guard/vibe-guard:latest scan /code/app.js

# Use specific version
docker run --rm -v "$(pwd)":/code vibe-guard/vibe-guard:1.0.1 scan /code
```
```bash
# Latest version (1.0.1)
npx vibe-guard scan .

# or
npm install -g vibe-guard
vibe-guard scan .
```
- Zero Setup: Download and run, no Node.js or dependencies required
- Fast Enough to Not Be Annoying: Scans your entire project in seconds
- Won't Spam You: Smart enough to know test code from real issues
- Made by Developers: We know what actually breaks in production
- Works Everywhere: macOS, Linux, Windows, Docker, CI/CD - you name it
- ARM64 Support: Native support for Apple Silicon and ARM64 Linux
- Cross-Platform: Single binary for each platform, no dependencies
- Exposed Secrets: API keys, tokens, and credentials in your code
- Hardcoded Sensitive Data: Database passwords, JWT secrets, encryption keys
- XSS Detection: Cross-site scripting vulnerabilities in web applications
- Missing Authentication: Unprotected admin routes and API endpoints
- SQL Injection: String concatenation in database queries
- Directory Traversal: Unsafe file path operations
- Open CORS: Wildcard origins that let anyone access your API
- CSRF Protection: Missing CSRF tokens in forms and unsafe cookie configurations
- Insecure Deserialization: Unsafe JSON parsing and eval usage
- Broken Access Control: Missing authorization checks
- Insecure File Upload: Unsafe file handling and validation
- Insecure Session Management: Weak session secrets and insecure cookies
- Unvalidated Input: Direct use of user input without checks
- Insecure HTTP: Using HTTP instead of HTTPS
- Insecure Dependencies: Outdated packages with known security issues
- Missing Security Headers: No helmet.js or manual security headers
- Insecure Random Generation: Using Math.random() for security purposes
- Insecure Logging: Sensitive data exposure in logs
- Insecure Error Handling: Stack trace and information disclosure
- Insecure Configuration: Debug mode and security features disabled
VibeGuard is designed with intelligent sensitivity to balance detection accuracy with usability:
- Critical & High Severity: Very sensitive - catches real vulnerabilities
- Medium & Low Severity: Moderately sensitive - focuses on production-relevant issues
- False Positive Prevention: Automatically filters out:
  - Comments and documentation
  - Test files and development code
  - Environment variables (`${VAR}`, `process.env.VAR`)
  - Safe patterns (parameterized queries, HTTPS, etc.)
  - Framework-specific safeguards
- Detection Rate: ~50-70% of potential issues (focused on real problems)
- False Positive Rate: Very low (designed for development workflows)
- Performance: Fast scanning without overwhelming noise
- Actionable Results: Every issue includes specific fix suggestions
- Development: Current settings are well-balanced for daily use
- Production Audits: Consider running with verbose mode and manual review
- Maximum Sensitivity: Can be configured by modifying rule filters
This approach ensures VibeGuard catches real security issues while remaining practical for development workflows.
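The filtering described above, as an added example that is not vibe-guard's own code: a single "hardcoded secret" rule written the way a `rules/` entry might look, with the comment, test-file and environment-variable filters applied before anything is reported. The rule name, the severity values, the `Finding` shape and the sample input are assumptions, not the project's real API.

```typescript
// Added illustration in the style of a rules/ entry; not vibe-guard's own source.
// Finding shape, rule name and severity labels are assumptions for this example.
export interface Finding {
  file: string;
  line: number; // 1-based line number
  rule: string;
  severity: "critical" | "high" | "medium" | "low";
  message: string;
  fix: string;
}

// key = "value" / key: 'value' where the key name looks like a credential
const SECRET_KEY = /\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*(.+)$/i;
const COMMENT_LINE = /^\s*(\/\/|#|\*|\/\*)/;
const TEST_FILE = /(^|\/)(test|tests|__tests__|spec)\/|\.(test|spec)\.[jt]sx?$/;
const ENV_REFERENCE = /^(\$\{[A-Za-z_][A-Za-z0-9_]*\}|process\.env\.[A-Za-z_][A-Za-z0-9_]*)$/;
const QUOTED_LITERAL = /^(["'`])[^"'`]{8,}\1$/; // a string literal long enough to be a secret

export function scanSource(file: string, source: string): Finding[] {
  if (TEST_FILE.test(file)) return []; // test and development code is skipped entirely
  const findings: Finding[] = [];
  source.split("\n").forEach((text, index) => {
    if (COMMENT_LINE.test(text)) return; // comments and documentation
    const match = SECRET_KEY.exec(text);
    if (!match) return;
    const key = match[1] ?? "";
    const value = (match[2] ?? "").trim().replace(/[;,]\s*$/, "");
    const unquoted = value.replace(/^["'`]|["'`]$/g, "");
    if (ENV_REFERENCE.test(unquoted)) return; // ${VAR} / process.env.VAR: a reference, not a secret
    if (!QUOTED_LITERAL.test(value)) return;  // not a string literal (e.g. a variable name)
    findings.push({
      file, line: index + 1, rule: "hardcoded-secret", severity: "critical",
      message: `Literal value assigned to "${key}"`,
      fix: "Read the value from an environment variable or a secrets manager instead",
    });
  });
  return findings;
}

// Constructed sample input, not a real project file
export const SAMPLE = [
  '// apiKey = "0123456789abcdef"   (comment: not reported)',
  'const apiKey = "0123456789abcdef";',        // reported at line 2
  "const password = process.env.DB_PASSWORD;", // env reference: not reported
  "const token = '${GITHUB_TOKEN}';",          // env placeholder: not reported
].join("\n");
```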
```bash
# Scan current directory (most common)
vibe-guard scan .

# Scan specific file
vibe-guard scan app.js

# JSON output for CI/CD
vibe-guard scan . --format json

# Quick syntax (same as scan)
vibe-guard .

# Show version
vibe-guard --version
```
```yaml
# GitHub Actions
- name: Security Scan
  run: |
    curl -L https://github.com/Devjosef/vibe-guard/releases/download/v1.0.1/vibe-guard-linux-x64 -o vibe-guard
    chmod +x vibe-guard
    ./vibe-guard scan .
```
```yaml
# GitLab CI
security_scan:
  script:
    - curl -L https://github.com/Devjosef/vibe-guard/releases/download/v1.0.1/vibe-guard-linux-x64 -o vibe-guard
    - chmod +x vibe-guard
    - ./vibe-guard scan .
```
```yaml
# GitHub Actions (Docker image)
- name: Security Scan
  run: docker run --rm -v "$(pwd)":/code vibe-guard/vibe-guard:1.0.1 scan /code
```
- When you're coding with AI - ChatGPT and Copilot are amazing, but they sometimes miss security basics
- Rapid prototyping - Building something quick? Don't let security be an afterthought
- No-code/Low-code folks - Generated code can have issues, this catches them
- Your CI/CD pipeline - Catch problems before they hit production
- Code reviews - Run this before you submit that PR
- Learning security - Get real-time feedback on what can go wrong or is already going wrong (and how to fix it)
Works with all the languages you actually use:
- JavaScript/TypeScript: .js, .jsx, .ts, .tsx
- Python: .py
- PHP: .php
- Ruby: .rb
- Go: .go
- Java: .java
- C#: .cs
- Config files: .json, .yaml, .yml, .env
Want to contribute or build from source?
```bash
# Clone and build
git clone https://github.com/Devjosef/vibe-guard.git
cd vibe-guard
npm install
npm run build

# Create binaries
npm run package

# Run tests
npm test
```
```
src/
├── types/        # TypeScript definitions
├── rules/        # All 20 security rule implementations
├── bin/          # CLI interface
├── scanner.ts    # File scanning engine
├── reporter.ts   # Output formatting
└── index.ts      # Main application
```
| Feature | Vibe-Guard | Other Tools |
|---|---|---|
| Setup Time | 0 seconds | Minutes |
| Dependencies | Zero | Many |
| False Positives | Minimal | High |
| Speed | ⚡ Fast | Slow |
| Languages | All major ones | Limited |
| CI/CD Ready | ✅ Yes | |
| Actually explains fixes | ✅ Yes | ❌ Cryptic |
| ARM64 Support | ✅ Yes | ❌ Limited |
| Security Rules | 20 comprehensive rules | Varies |
- Add Security Rules: Extend the rule engine with new patterns
- Improve Detection: Help reduce false positives
- Add Languages: Support more file types and frameworks
- Better UX: Improve CLI and output formatting
See SECURITY_RULES.md for detailed rule documentation.
MIT License - Use it anywhere, anytime!
Built with ❤️ by developers who got tired of slow and complex security tools.
Security shouldn't slow you down, but security holes definitely will.