FAQ


VibSec — short for Vibe Security — is a security guardrail for AI-assisted coding. It's a CLI + macOS menu bar app that catches the things AI agents get wrong: leaked secrets, exposed ports, typosquatted packages, unsafe eval patterns, and more. Built by CraftyPixels, it maps its checks to the OWASP LLM Top 10 and ASVS 5.0. It runs 100% locally with zero config. Learn more about VibSec.

Vibe coding means using AI agents (Claude Code, Cursor, Copilot, Aider) to generate most of your code by describing what you want in natural language. It's incredibly productive — but the AI doesn't think about security the way you do. It hardcodes API keys, installs unverified packages, opens ports to the internet, and introduces injection vulnerabilities. VibSec catches exactly these patterns.

No. VibSec runs 100% locally. Your code, secrets, and audit logs never leave your machine. There are no external API calls, telemetry, or cloud dependencies. The online domain scanner on our website runs via Cloudflare Workers — it only analyzes public HTTP headers and never sees your source code.

VibSec works with any CLI-based agent — Claude Code, Cursor, Aider, Copilot, Windsurf, or custom agents. Run vibsec scan before and after sessions to catch issues. Use vibsec scan --fix to get a prompt you can paste directly to your agent to fix everything.

Over 30 checks across 8 categories: Hardcoded secrets (API keys, tokens, passwords), Supply chain risks (typosquatted packages, unpinned deps, curl|bash), Unsafe code (eval, exec, SQL injection, XSS, deserialization), Exposed ports (databases and services on 0.0.0.0), Injection patterns (unsanitized user input in queries and commands), Prompt leakage (system prompts in public code), Config issues (permissive CORS, misconfigured Docker), and Cookie/session security. Every check maps to an OWASP standard. See the full list of checks.

Yes — that's the whole point. VibSec groups findings by severity (critical, high, medium, low) and tells you exactly what's wrong and how to fix it in plain English. Run vibsec scan --fix to get a ready-to-paste prompt for your AI agent that fixes every issue. You don't need to understand the security details — your AI agent will.

VibSec maps its checks to both the OWASP Top 10 for LLM Applications (2025) and the OWASP ASVS 5.0 standard. It covers 8 of 10 LLM risks and 30+ ASVS checks across injection prevention, access control, validation, cryptography, API security, data poisoning, supply chain integrity, and more.

The CLI tool (vibsec scan) scans your local source code for hardcoded secrets, unsafe patterns, and supply chain risks. It's 100% offline and sees your actual code. The online repo scanner analyzes any public GitHub repo. The online domain scanner checks a website's HTTP security headers, exposed files, open ports, and SSL/TLS configuration — it only sees public-facing information.

Yes. Run vibsec policy init to generate a policy file, then customize blocked commands, allowed paths, and severity thresholds for your project. You can whitelist known false positives and set which severity levels should fail your CI pipeline.

One command: curl -fsSL https://vibsec.com/install.sh | bash. Requires Node.js 18+. Installs globally so you can use it from any project directory. The macOS menu bar app is included in the download. See the full installation guide.

Yes. VibSec is free. All 30+ security checks, the CLI, the menu bar app, and the online scanners are free to use.

Yes. Run vibsec scan --fix and VibSec generates a prompt grouped by file with all the findings and fix instructions. Copy the prompt and paste it into Claude Code, Cursor, or any AI agent — it will fix every issue in your codebase automatically.
