
Before You Commit

Your AI agent just generated 200 lines of code. It looks right, it runs, and you’re about to git commit. But hiding in those 200 lines could be a hardcoded Stripe key, an eval() on user input, or a typosquatted dependency. Once it’s pushed, it sits in the history of every clone, and a leaked key has to be treated as compromised whether or not you rewrite history afterwards.

vibsec scan

What you’ll catch

  • API keys hardcoded in config files (Stripe, AWS, OpenAI, database passwords)
  • .env files about to be committed with production credentials
  • eval() with untrusted input — remote code execution waiting to happen
  • Typosquatted packages in your dependencies (axois instead of axios)
  • Unsafe Docker configurations running as root with host mounts
  • SQL injection via string concatenation in database queries
  • Missing .gitignore entries for sensitive files

Why this matters

Secrets committed to git are effectively permanent. Removing one in the next commit doesn’t remove it from the repo history, from existing clones, or from anything a scanner already captured, so the key still has to be rotated. Attackers and bots scan public repos within minutes of new commits. A single hardcoded API key can lead to thousands of dollars in unauthorized charges.

Make it automatic

Add VibSec to your pre-commit hook so you never forget:

#!/bin/sh
# .git/hooks/pre-commit  (the shebang must be the first line; then chmod +x this file)
# The hook's exit status is vibsec's, so a non-zero scan result blocks the commit.
vibsec scan --severity critical

If any critical issues are found, the scan exits non-zero, the commit is blocked, and the output shows exactly what needs fixing. Note that .git/hooks is not versioned, so each fresh clone needs the hook installed once.
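To make concrete what a hook like the one above has to do, here is an added example, written for this page and not VibSec’s code (the page does not show VibSec’s rules), of a minimal pre-commit scanner in Python. It implements narrow versions of the checks in “What you’ll catch” (Stripe/AWS/OpenAI key formats, a staged .env, eval() on tainted input, SQL built by string concatenation, typosquatted dependencies) and exits non-zero to block the commit. The key regexes, taint sources, package allowlist and the sample changeset at the bottom are constructed assumptions; the only external dependency is git on PATH, used to read the staged copy of each file.

```python
#!/usr/bin/env python3
"""Illustrative pre-commit scanner (added example, not VibSec's code). scan_file and
scan_files run offline on (path, text) pairs; only staged_files() needs git on PATH."""
import json
import re
import subprocess
import sys

# Constructed, deliberately narrow patterns for the key formats the page names.
SECRET_PATTERNS = {
    "Stripe secret key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "OpenAI API key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
}
# eval(...) is flagged only when its argument text mentions a taint source.
EVAL_RE = re.compile(r"\beval\s*\((.*)\)")
TAINT_SOURCES = ("input(", "request.", "req.body", "req.query", "argv", "params")
# .execute( fed an f-string, a "..." + concatenation or "..." % formatting.
SQL_CONCAT_RE = re.compile(r"\.execute\(\s*(?:f['\"]|['\"].*?['\"]\s*(?:\+|%))")
# Constructed allowlist: a dependency within edit distance 2 of one of these names,
# but equal to none of them, is reported as a possible typosquat.
KNOWN_PACKAGES = {"axios", "express", "lodash", "react", "requests", "flask", "django"}

def levenshtein(a, b):
    """Edit distance with insert/delete/substitute, each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def dependency_names(name, text):
    """Package names declared in a package.json or requirements.txt."""
    if name == "package.json":
        data = json.loads(text)
        return [d for k in ("dependencies", "devDependencies") for d in data.get(k, {})]
    lines = (ln.strip() for ln in text.splitlines())
    return [re.split(r"[=<>~!\[; ]", ln, maxsplit=1)[0] for ln in lines if ln and ln[0] != "#"]

def scan_file(path, text):
    """Return [(rule, line_no, evidence)] for one staged file; line 0 = whole file."""
    findings = []
    name = path.rsplit("/", 1)[-1]
    if name == ".env" or (name.startswith(".env.") and not name.endswith(".example")):
        findings.append((".env file staged", 0, path))
    for no, line in enumerate(text.splitlines(), 1):
        for rule, pat in SECRET_PATTERNS.items():
            if pat.search(line):
                findings.append((rule, no, line.strip()))
        m = EVAL_RE.search(line)
        if m and any(src in m.group(1) for src in TAINT_SOURCES):
            findings.append(("eval() on untrusted input", no, line.strip()))
        if SQL_CONCAT_RE.search(line):
            findings.append(("SQL built by string concatenation", no, line.strip()))
    if name in ("package.json", "requirements.txt"):
        for dep in dependency_names(name, text):
            if dep.lower() in KNOWN_PACKAGES or len(dep) < 4:
                continue
            for known in KNOWN_PACKAGES:
                if levenshtein(dep.lower(), known) <= 2:
                    findings.append(("possible typosquat of " + known, 0, dep))
    return findings

def scan_files(files):
    """files: {path: text} -> {path: findings} for every file that has findings."""
    return {p: f for p, f in ((p, scan_file(p, t)) for p, t in files.items()) if f}

def staged_files():
    """Staged paths mapped to their *staged* content, not the working tree copy."""
    out = subprocess.check_output(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"])
    return {p: subprocess.check_output(["git", "show", ":" + p]).decode("utf-8", "replace")
            for p in out.decode().split("\0") if p}

def main():
    results = scan_files(staged_files())
    for path, found in results.items():
        for rule, no, evidence in found:
            print("%s:%s: %s: %s" % (path, no or "-", rule, evidence))
    if results:
        print("Commit blocked. Fix the items above and rotate any key that was ever committed.")
    return 1 if results else 0

# Constructed sample changeset (fake keys) so the scanner can be exercised offline.
SAMPLE_FILES = {
    "config.py": 'STRIPE_SECRET = "sk_live_FAKEFAKEFAKEFAKEFAKE1234"\n'
                 'AWS_ACCESS_KEY_ID = "AKIAFAKEFAKEFAKEFAKE"\n',
    ".env": "DATABASE_URL=postgres://admin:prod-secret@db/prod\n",
    ".env.example": "DATABASE_URL=\n",
    "handler.py": 'result = eval(request.args.get("expr"))\n'
                  'cursor.execute("SELECT * FROM users WHERE id = " + user_id)\n',
    "package.json": '{"dependencies": {"axois": "^1.6.0", "express": "^4.18.2"}}',
    "clean.py": 'import os\nSTRIPE_SECRET = os.environ["STRIPE_SECRET"]\n',
}

if __name__ == "__main__":
    sys.exit(main())
```

Saved as .git/hooks/pre-commit and made executable, this blocks the commit on any finding. Two design points carry over to any hook you write: read the staged blobs (git show :path) rather than the working tree, because a file can be clean on disk while a secret is still staged, and make the checks explicit heuristics. The typosquat rule will flag legitimate names within two edits of a popular package, and the regexes miss key formats they were never taught, which is exactly why a maintained scanner is the better default.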

Quick fix workflow

# Step 1: Scan
vibsec scan

# Step 2: Get fix prompt
vibsec scan --fix

# Step 3: Paste the prompt into your AI agent
# Step 4: Agent applies the fixes; review its diff, then re-run vibsec scan
# Step 5: Commit with confidence
git commit -m "feat: new feature (security-verified)"

Related: Before & After AI Sessions · Building a SaaS with AI · Install VibSec
