Skip to content

gardnerscot/vibecheck

Repository files navigation

🛡️ VibeCheck Security Auditor

Auth-focused security scanner for AI-generated ("vibecoded") apps.

Every "I built an app with Claude in 20 minutes" post is a future customer who shipped a gaping security hole. VibeCheck is the fire extinguisher.

vibecheck scan ./my-app

score python

Why this exists

LLMs generate sketchy auth by default:

Vibecode classic What breaks
SECRET_KEY = "secret" Session/JWT forgery
jwt.decode(..., verify=False) Identity spoofing
password == user.password Credential dump on breach
localStorage.setItem("token", …) XSS → full account takeover
Access-Control-Allow-Origin: * Cross-site API abuse
SKIP_2FA = True MFA theater
Hardcoded sk-… / sk_live_… Instant key theft from GitHub

Non-technical founders don't know what they don't know. Point at the exposed keys, take the check.

Quick start

Install (packaged)

# From a built wheel / sdist (local)
pip install dist/vibecheck_security-*.whl

# From git (tagged beta)
pip install "git+https://github.com/gardnerscot/vibecheck.git@v0.1.0"

# From GitHub release wheel
# pip install https://github.com/gardnerscot/vibecheck/releases/download/v0.1.0/vibecheck_security-0.1.0-py3-none-any.whl

# From PyPI (when published)
# pip install vibecheck-security

Develop from source

cd vibecheck
python3 -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"

# Scan the intentional dumpster fire
vibecheck scan fixtures/vulnerable_app

# JSON + Markdown reports
vibecheck scan fixtures/vulnerable_app -j reports/out.json -m reports/out.md

# CI gate: fail if score < 70 or any critical/high
vibecheck scan ./src --fail-under 70 --fail-on high

# List rules
vibecheck rules

# Web UI
vibecheck serve
# → http://127.0.0.1:8742

Optional local LLM enrichment (M-series friendly)

# Ollama running with a code model
ollama pull qwen2.5-coder:7b

vibecheck scan ./my-app --llm --llm-model qwen2.5-coder:7b

Static rules always run. LLM review is additive on auth-related files only.

What it scans

Rule packs (30+ heuristics):

  • secrets — API keys, AWS, Stripe, PEM keys, weak SECRET_KEY
  • authentication — plaintext passwords, MD5, auth bypass, SQLi in login, default admin
  • session — cookie flags, localStorage tokens, fixation hints
  • tokens — JWT verify off, alg none, predictable reset tokens, tokens in URLs
  • mfa_2fa — hardcoded TOTP, static OTP, bypass flags
  • cors_csrf*, origin reflection, CSRF disabled
  • cryptography — TLS verify off, HTTP auth URLs, weak RNG, debug mode

Each finding includes severity, CWE (when mapped), confidence, and a concrete fix.

Score

Starts at 100. Weighted deductions by severity × confidence:

Severity Weight
critical 25
high 15
medium 8
low 3

Grade bands: A ≥90 · B ≥80 · C ≥70 · D ≥55 · F <55.

Project layout

vibecheck/
  vibecheck/          # core library + CLI
    rules/            # heuristic packs
    scanner.py
    llm.py            # optional Ollama
    report.py
  web/                # FastAPI UI
  fixtures/           # vulnerable + clean demos
  tests/

Monetization (product sketch)

Tier Price What
CLI free $0 Local static scan
Single scan $9.99 Upload + hosted report
Pro subscription Monitoring, PR checks, history

MVP ships freemium-ready: local CLI free forever; web upload is the paid surface later (Stripe not wired yet).

Packaging & release

Channel Who it's for Command
Editable (dev) You, day to day pip install -e ".[dev]"
Wheel / sdist Friends, CI, TestPyPI make builddist/
PyPI Public pip install make publish-test then make publish
Docker Hosted UI / demos make docker && make docker-run
Git Early adopters pip install git+https://…
# Build installable artifacts
make build
# → dist/vibecheck_security-0.1.0-py3-none-any.whl
# → dist/vibecheck_security-0.1.0.tar.gz

# Smoke-test the wheel in a clean venv
python3 -m venv /tmp/vc-test && source /tmp/vc-test/bin/activate
pip install dist/vibecheck_security-*.whl
vibecheck scan /path/to/app
vibecheck serve

# Publish (needs PyPI token in ~/.pypirc or TWINE_USERNAME/PASSWORD)
make publish-test   # TestPyPI first
make publish        # real PyPI

Naming: PyPI distribution is vibecheck-security; the import and CLI stay vibecheck / vibecheck.

What's in the wheel: library + CLI + web templates/static. Fixtures stay in the repo only (demo data, not shipped).

Docker

docker build -t vibecheck .
docker run --rm -p 8742:8742 vibecheck
# Scan a mounted project:
docker run --rm -v "$PWD:/scan:ro" vibecheck scan /scan

Later (non-Python founders)

  • Standalone binary: pyinstaller / uv tool once CLI is stable
  • Homebrew: formula wrapping the wheel
  • GitHub Action: vibecheck scan . --fail-on high in CI

Development

pip install -e ".[dev]"
pytest -q
make scan    # self-scan + fixture dumpster fire
make build

Disclaimer

VibeCheck is a static heuristic scanner, not a pentest or compliance certification. Findings are leads. Always verify before you panic — or before you invoice.

License

MIT

About

Security auditor for AI-generated (vibecoded) apps — auth, sessions, tokens, secrets

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors