← All Use Cases All developers

Scanning Public Repos & Domains

Not everything you need to check is on your local machine. VibSec’s online scanners let you analyze any public GitHub repository or website without installing anything.

Repo Scanner

Go to vibsec.com/scan/repo and paste a GitHub URL. VibSec clones the repo and runs the same 30+ OWASP checks as the CLI:

Hardcoded secrets and API keys
Unsafe code patterns (eval, exec, injection)
Supply chain risks (typosquatted packages, unpinned deps)
Missing .gitignore entries for sensitive files
System prompt leakage in AI-powered apps

When to use it

Before forking a repo — check if the codebase has existing vulnerabilities
Evaluating dependencies — scan a library’s source before adding it to your project
Code review — share a scan link with your team
Learning — see what real security issues look like in actual codebases

Domain Scanner

Go to vibsec.com/scan/domain and enter any website URL. VibSec checks the site’s public-facing security:

SSL/TLS — HTTPS availability, HTTP-to-HTTPS redirect
Security headers — HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
Cross-origin policies — COEP, COOP, CORP headers
Exposed files — .env, .git, phpinfo, admin panels, debug endpoints
Open ports — dev servers, databases, caches reachable via HTTP
Cookie security — Secure, HttpOnly, SameSite flags
Information leakage — Server and X-Powered-By headers

When to use it

Before deploying — check your production site’s security headers
Competitor research — see how other sites handle security
Client work — quickly audit a client’s existing site
After configuring headers — verify your Cloudflare/Nginx/Apache rules are working

Privacy

The repo scanner only analyzes public repositories. The domain scanner only checks publicly visible HTTP headers and responses — it never sees your source code. No data is stored or logged.