
Vibe-Guard: Developer-First Security Scanner

CLI-first security scanner for local dev and CI/CD that detects exposed secrets, risky configs, and common vulnerabilities with low noise, zero dependencies, and cross-platform binaries.

Summary

Vibe-Guard is a CLI-first security scanner built to fit naturally into developer workflows. It scans repositories for exposed secrets, insecure configurations, and common vulnerabilities locally and in CI/CD, producing actionable, low-noise reports with minimal setup.

Highlights

  • ~25 essential security rules focused on real issues
  • Zero dependencies; instant setup
  • Cross-platform binaries (macOS, Linux, Windows)
  • Fast startup (~41ms) and small file scans (~51ms)
  • Clear reports with file locations and remediation steps

Challenges Addressed

  • Security checks skipped under delivery pressure
  • Tools that don’t fit existing dev/CI workflows
  • High false-positive rates that erode trust
  • Needing multiple tools for basic coverage

Capabilities

  • Detects exposed secrets and common risks: auth gaps, open CORS, SQL injection, directory traversal, insecure deps, missing headers, XSS, CSRF, insecure logging/randomness, session issues
  • AI-aware rules: prompt injection, AI data leakage, AI-generated code validation, MCP server hardening
  • Clean, intuitive CLI with configurable rules and detailed reports
  • Minimal setup; ready-to-use CI templates (e.g., GitHub Actions)

Technical Notes

// Core scanning architecture
// Minimal collaborator interfaces so the class compiles stand-alone; the
// shapes below are assumed for illustration, not Vibe-Guard's actual API.
interface Finding { ruleId: string; file: string; line: number; message: string; }
interface RuleEngine { evaluate(target: string): Promise<Finding[]>; }
interface VulnerabilityReporter { emit(findings: Finding[]): Promise<void>; }
interface CacheService { persist(findings: Finding[]): Promise<void>; }

class SecurityScanner {
  constructor(
    private readonly ruleEngine: RuleEngine,          // runs every enabled rule against the target
    private readonly reporter: VulnerabilityReporter, // renders findings for CI or the terminal
    private readonly cacheService: CacheService       // persists results between runs
  ) {}

  // Evaluate the rules, persist the findings, then report them.
  async scan(target: string): Promise<void> {
    const findings = await this.ruleEngine.evaluate(target);
    await this.cacheService.persist(findings);
    await this.reporter.emit(findings);
  }
}
  • Rules organized by domain (OWASP coverage + secrets + AI safety)
  • Single-responsibility modules: scanner, rules, reporter, config
  • Supports deterministic output for CI and developer-friendly output locally
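The following is an added example, not Vibe-Guard's own code, showing the rule-engine side of the architecture sketched above together with the kind of checks listed under Capabilities (an exposed AWS-style key, a wildcard CORS origin, insecure randomness). Rules are grouped by domain, a per-line suppression marker keeps false positives tunable, and findings are sorted so CI output is deterministic. The rule ids, regex patterns, the `vibe-guard-ignore` marker, and the sample repository contents are all constructed for this illustration and do not reflect the project's real rule set.

```typescript
// Added example (not Vibe-Guard's code): a small domain-organized rule engine
// with deterministic output. All rule ids, patterns and sample files are constructed.

interface Finding {
  ruleId: string;      // e.g. "secrets/aws-access-key-id" (constructed id)
  domain: string;      // "secrets" | "config" | "crypto"
  file: string;
  line: number;        // 1-based line within the file
  message: string;
  remediation: string; // what to change, shown next to the location
}

interface Rule {
  id: string;
  domain: string;
  pattern: RegExp;     // evaluated per line; no "g" flag so test() is stateless
  message: string;
  remediation: string;
}

// Rules grouped by domain. Patterns are deliberately narrow to keep noise low.
const RULES: Rule[] = [
  {
    id: "secrets/aws-access-key-id",
    domain: "secrets",
    pattern: /\bAKIA[0-9A-Z]{16}\b/,
    message: "Possible AWS access key ID committed to source",
    remediation: "Revoke the key and load it from an environment variable or secret store",
  },
  {
    id: "config/cors-wildcard-origin",
    domain: "config",
    pattern: /Access-Control-Allow-Origin['"]?\s*[:,]\s*['"]\*['"]/,
    message: "CORS allows any origin",
    remediation: "Restrict Access-Control-Allow-Origin to an explicit allow-list",
  },
  {
    id: "crypto/math-random",
    domain: "crypto",
    pattern: /\bMath\.random\s*\(/,
    message: "Math.random() is not suitable for security-sensitive values",
    remediation: "Use crypto.randomBytes() or crypto.randomUUID()",
  },
];

// Inline suppression marker (constructed): lets a developer silence one reviewed line
// instead of disabling a whole rule, which is what keeps the false-positive rate tunable.
const SUPPRESS = /vibe-guard-ignore/;

// Evaluate every rule against each line of one file.
function evaluateFile(file: string, content: string, rules: Rule[] = RULES): Finding[] {
  const findings: Finding[] = [];
  content.split(/\r?\n/).forEach((text, idx) => {
    if (SUPPRESS.test(text)) return;
    for (const rule of rules) {
      if (rule.pattern.test(text)) {
        findings.push({ ruleId: rule.id, domain: rule.domain, file, line: idx + 1,
                        message: rule.message, remediation: rule.remediation });
      }
    }
  });
  return findings;
}

// Deterministic ordering (file, line, rule id) so CI output is stable
// regardless of the order in which files were walked.
function sortFindings(findings: Finding[]): Finding[] {
  return [...findings].sort((a, b) =>
    a.file.localeCompare(b.file) || a.line - b.line || a.ruleId.localeCompare(b.ruleId));
}

// Scan a path -> contents map, standing in for walking a real repository.
function scanRepo(files: Record<string, string>): Finding[] {
  const all: Finding[] = [];
  for (const [path, content] of Object.entries(files)) {
    all.push(...evaluateFile(path, content));
  }
  return sortFindings(all);
}

// Constructed sample repository with one hit per rule plus one suppressed line.
const SAMPLE_REPO: Record<string, string> = {
  "src/server.ts": [
    "res.setHeader('Access-Control-Allow-Origin', '*');",
    "const nonce = Math.random().toString(36); // vibe-guard-ignore: demo only",
    "const sessionId = Math.random().toString(36);",
  ].join("\n"),
  "config/env.ts": "export const AWS_KEY = 'AKIAIOSFODNN7EXAMPLE';",
};

// Developer-friendly local output: location, rule, message and the fix.
for (const f of scanRepo(SAMPLE_REPO)) {
  console.log(`${f.file}:${f.line} [${f.ruleId}] ${f.message}\n  fix: ${f.remediation}`);
}
```

Running this reports three findings in a fixed order (the secret in config/env.ts first, then the CORS wildcard and the unsuppressed Math.random() call in src/server.ts); the line carrying the suppression marker is skipped. Feeding the same files in a different order yields byte-identical output, which is the property a CI job needs in order to diff results between runs.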

Role & Contributions

  • Designed the scanning architecture and rule engine
  • Implemented CLI, reporters, caching, and CI integration
  • Authored baseline rule sets and documentation

Outcomes

  • Faster, more consistent security assessments across teams
  • Lower false-positive rate via tunable, focused rules
  • Thousands of daily scans via CI pipelines
  • High availability and speed supported by caching

Docs & Downloads