Ship fast with AI. Don't ship vulnerabilities.
Production-grade apps are being shipped at prototype speed โ with leaky secrets, weak auth, and unsafe agent configs. VibSec is the preflight scanner and runtime guardrail that catches what AI agents miss, so you get velocity without catastrophic downside.
What goes wrong when AI writes your code unchecked
AI agents optimise for working code, not safe code. They leak secrets, expose databases, install typosquatted packages, and grant broad permissions โ all at prototype speed. VibSec catches every one of these before it reaches production.
"My agent committed my Stripe key"
AI autocomplete loves hardcoding secrets into config files. VibSec catches API keys, .env files, and private keys before they hit git.
"My MySQL was open to the internet"
Agents spin up dev servers on 0.0.0.0 and forget about it. VibSec monitors ports and flags databases, Redis, and services exposed to all interfaces.
"It installed \"axois\" instead of axios"
Typosquatted packages are real supply chain attacks. VibSec flags 30+ known package impostors in your package.json and requirements.txt.
"It rm -rf'd my entire project"
One bad command and everything is gone. Use git commits before AI sessions and run vibsec scan after to catch what went wrong.
"eval(userInput) in production"
AI agents generate code with eval(), innerHTML, and SQL concatenation without thinking twice. VibSec flags every injection vector.
"Docker socket mounted in compose.yml"
Agents copy Docker configs from StackOverflow that mount /var/run/docker.sock. That gives containers full host access. VibSec catches it.
Your security seatbelt, automated
A preflight scanner that runs on every commit and deploy โ catching secrets, exposed services, risky deps, and unsafe agent configs. CLI + menu bar app, 50+ OWASP checks.
Know exactly what's wrong before you ship
One command. 50+ OWASP checks. Finds the hardcoded secrets, eval patterns, and supply chain risks your AI agent introduced — grouped by severity so you fix what matters first.
Explore scannerFull visibility into every scan
Every scan is logged to a local JSONL audit trail with the directory path, severity counts, and timestamp. Browse it in the menu bar app or inspect the file directly.
Explore audit trailTell your agent exactly what to fix
Run vibsec scan --fix and get a copy-paste prompt grouped by file. Hand it to Claude, Cursor, or any AI agent and watch it fix every finding.
Don't expose your database to the internet
AI agents spin up dev servers, databases, and caches on 0.0.0.0 without a second thought. VibSec's port monitor catches services exposed to all network interfaces.
docker-compose up and the DB is reachable from any IPSecurity dashboard, always one click away
Click the shield icon in your menu bar to scan projects, monitor exposed ports, and browse your audit log — without opening a terminal. Everything the CLI does, in a native macOS interface.
Everything an AI agent shouldn't do, caught.
10 checks that run in seconds. Zero config. Works on any project.
Secret Detection
Scans for API keys, tokens, private keys, and .env files. Flags exposed ~/.ssh paths and keychains.
AI Agent Fix Mode
Run vibsec scan --fix to get a copy-paste prompt grouped by file. Hand it to your AI agent to fix every finding.
Supply Chain
Detects curl | bash patterns, missing lockfiles, unpinned dependencies, and typosquatted packages.
Output Validation
Catches unsafe patterns where model output flows to eval, exec, SQL, or template injection.
Data Poisoning
Scans training data and RAG files for prompt injection markers and chat template manipulation.
Budget Enforcement
Detects when agent sessions exceed tool call limits. Rate limiting and per-session caps from your policy.
CI Integration
Add vibsec scan to your CI pipeline. Exit code 1 on critical/high findings โ catch issues before they merge.
Audit Log
JSONL trail of every scan result and finding. Full visibility.
Port Monitoring
Catches MySQL, Redis, Mongo, and dev servers exposed on 0.0.0.0. Don't let your agent expose your DB to the internet.
Menu Bar App
macOS tray app with live scanning, port monitoring, and audit log โ always one click away.
Scan now, no install needed
Run a quick security check right from your browser. Scan a public GitHub repo for vulnerabilities, or check a website for misconfigurations.
Scan a Repository
Paste a public GitHub URL. We run 30+ OWASP checks against the source code — secrets, injection, supply chain risks, and more.
Scan a Domain
Enter a domain to check security headers, exposed files, SSL/TLS, and open ports. Find misconfigurations before attackers do.
Two commands. You're covered.
No config files. No setup. Just scan and ship.
vibsec scan Scan Your Repo
Finds secrets, unsafe patterns, supply chain risks, and OWASP LLM + ASVS 5.0 vulnerabilities in seconds.
vibsec scan --fix Tell Your Agent What to Fix
Generates a copy-paste prompt grouped by file. Hand it to Claude, Cursor, or any AI agent and watch it fix everything.
๐ก๏ธ Menu Bar Click the Shield Icon
Same scan, same checks โ from the macOS menu bar. Monitor ports and browse audit logs without opening a terminal.
Comprehensive coverage.
VibSec maps to both the OWASP Top 10 for LLM Applications and the ASVS 5.0 standard — covering the risks that actually hit developers.
ASVS 5.0 Checks
FAQ
Can't find your answer here? Get in touch.
VibSec โ short for Vibe Security โ is a security guardrail for AI-assisted coding. It's a CLI + macOS menu bar app that catches the things AI agents get wrong: leaked secrets, exposed ports, typosquatted packages, unsafe eval patterns, and more. Built by CraftyPixels and maps to OWASP LLM Top 10 + ASVS 5.0. Runs 100% locally with zero config. Learn more about VibSec.
Vibe coding means using AI agents (Claude Code, Cursor, Copilot, Aider) to generate most of your code by describing what you want in natural language. It's incredibly productive โ but the AI doesn't think about security the way you do. It hardcodes API keys, installs unverified packages, opens ports to the internet, and introduces injection vulnerabilities. VibSec catches exactly these patterns.
No. VibSec runs 100% locally. Your code, secrets, and audit logs never leave your machine. There are no external API calls, telemetry, or cloud dependencies. The online domain scanner on our website runs via Cloudflare Workers โ it only analyzes public HTTP headers and never sees your source code.
VibSec works with any CLI-based agent โ Claude Code, Cursor, Aider, Copilot, Windsurf, or custom agents. Run vibsec scan before and after sessions to catch issues. Use vibsec scan --fix to get a prompt you can paste directly to your agent to fix everything.
Over 30 checks across 8 categories: Hardcoded secrets (API keys, tokens, passwords), Supply chain risks (typosquatted packages, unpinned deps, curl|bash), Unsafe code (eval, exec, SQL injection, XSS, deserialization), Exposed ports (databases and services on 0.0.0.0), Injection patterns (unsanitized user input in queries and commands), Prompt leakage (system prompts in public code), Config issues (permissive CORS, misconfigured Docker), and Cookie/session security. Every check maps to an OWASP standard. See the full list of checks.
Yes โ that's the whole point. VibSec groups findings by severity (critical, high, medium, low) and tells you exactly what's wrong and how to fix it in plain English. Run vibsec scan --fix to get a ready-to-paste prompt for your AI agent that fixes every issue. You don't need to understand the security details โ your AI agent will.
VibSec maps its checks to both the OWASP Top 10 for LLM Applications (2025) and the OWASP ASVS 5.0 standard. It covers 8 of 10 LLM risks and 30+ ASVS checks across injection prevention, access control, validation, cryptography, API security, data poisoning, supply chain integrity, and more.
The CLI tool (vibsec scan) scans your local source code for hardcoded secrets, unsafe patterns, and supply chain risks. It's 100% offline and sees your actual code. The online repo scanner analyzes any public GitHub repo. The online domain scanner checks a website's HTTP security headers, exposed files, open ports, and SSL/TLS configuration โ it only sees public-facing information.
Yes. Run vibsec policy init to generate a policy file, then customize blocked commands, allowed paths, and severity thresholds for your project. You can whitelist known false positives and set which severity levels should fail your CI pipeline.
One command: curl -fsSL https://vibsec.com/install.sh | bash. Requires Node.js 18+. Installs globally so you can use it from any project directory. The macOS menu bar app is included in the download. See the full installation guide.
Yes. VibSec is free. All 30+ security checks, the CLI, the menu bar app, and the online scanners are free to use.
Yes. Run vibsec scan --fix and VibSec generates a prompt grouped by file with all the findings and fix instructions. Copy the prompt and paste it into Claude Code, Cursor, or any AI agent โ it will fix every issue in your codebase automatically.
One command. Zero config.
Installs both the CLI and the macOS menu bar app. Requires Node.js 18+.
curl -fsSL https://vibsec.com/install.sh | bash Run the command above. Installs the CLI globally and places VibSec.app in /Applications.
Run vibsec scan in any project to find vulnerabilities.
Run vibsec scan --fix to get a copy-paste prompt that tells your AI agent exactly what to fix.
Velocity without catastrophic downside.
VibSec is the security seatbelt for AI-assisted development. Install in under a minute and ship at full speed knowing nothing critical slips through.
Free to use. Read the FAQ.