Auth-focused security scanner for AI-generated ("vibecoded") apps.
Every "I built an app with Claude in 20 minutes" post is a future customer who shipped a gaping security hole. VibeCheck is the fire extinguisher.
vibecheck scan ./my-appLLMs generate sketchy auth by default:
| Vibecode classic | What breaks |
|---|---|
SECRET_KEY = "secret" |
Session/JWT forgery |
jwt.decode(..., verify=False) |
Identity spoofing |
password == user.password |
Credential dump on breach |
localStorage.setItem("token", …) |
XSS → full account takeover |
Access-Control-Allow-Origin: * |
Cross-site API abuse |
SKIP_2FA = True |
MFA theater |
Hardcoded sk-… / sk_live_… |
Instant key theft from GitHub |
Non-technical founders don't know what they don't know. Point at the exposed keys, take the check.
# From a built wheel / sdist (local)
pip install dist/vibecheck_security-*.whl
# From git (tagged beta)
pip install "git+https://github.com/gardnerscot/vibecheck.git@v0.1.0"
# From GitHub release wheel
# pip install https://github.com/gardnerscot/vibecheck/releases/download/v0.1.0/vibecheck_security-0.1.0-py3-none-any.whl
# From PyPI (when published)
# pip install vibecheck-securitycd vibecheck
python3 -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"
# Scan the intentional dumpster fire
vibecheck scan fixtures/vulnerable_app
# JSON + Markdown reports
vibecheck scan fixtures/vulnerable_app -j reports/out.json -m reports/out.md
# CI gate: fail if score < 70 or any critical/high
vibecheck scan ./src --fail-under 70 --fail-on high
# List rules
vibecheck rules
# Web UI
vibecheck serve
# → http://127.0.0.1:8742# Ollama running with a code model
ollama pull qwen2.5-coder:7b
vibecheck scan ./my-app --llm --llm-model qwen2.5-coder:7bStatic rules always run. LLM review is additive on auth-related files only.
Rule packs (30+ heuristics):
- secrets — API keys, AWS, Stripe, PEM keys, weak
SECRET_KEY - authentication — plaintext passwords, MD5, auth bypass, SQLi in login, default admin
- session — cookie flags, localStorage tokens, fixation hints
- tokens — JWT verify off, alg none, predictable reset tokens, tokens in URLs
- mfa_2fa — hardcoded TOTP, static OTP, bypass flags
- cors_csrf —
*, origin reflection, CSRF disabled - cryptography — TLS verify off, HTTP auth URLs, weak RNG, debug mode
Each finding includes severity, CWE (when mapped), confidence, and a concrete fix.
Starts at 100. Weighted deductions by severity × confidence:
| Severity | Weight |
|---|---|
| critical | 25 |
| high | 15 |
| medium | 8 |
| low | 3 |
Grade bands: A ≥90 · B ≥80 · C ≥70 · D ≥55 · F <55.
vibecheck/
vibecheck/ # core library + CLI
rules/ # heuristic packs
scanner.py
llm.py # optional Ollama
report.py
web/ # FastAPI UI
fixtures/ # vulnerable + clean demos
tests/
| Tier | Price | What |
|---|---|---|
| CLI free | $0 | Local static scan |
| Single scan | $9.99 | Upload + hosted report |
| Pro | subscription | Monitoring, PR checks, history |
MVP ships freemium-ready: local CLI free forever; web upload is the paid surface later (Stripe not wired yet).
| Channel | Who it's for | Command |
|---|---|---|
| Editable (dev) | You, day to day | pip install -e ".[dev]" |
| Wheel / sdist | Friends, CI, TestPyPI | make build → dist/ |
| PyPI | Public pip install |
make publish-test then make publish |
| Docker | Hosted UI / demos | make docker && make docker-run |
| Git | Early adopters | pip install git+https://… |
# Build installable artifacts
make build
# → dist/vibecheck_security-0.1.0-py3-none-any.whl
# → dist/vibecheck_security-0.1.0.tar.gz
# Smoke-test the wheel in a clean venv
python3 -m venv /tmp/vc-test && source /tmp/vc-test/bin/activate
pip install dist/vibecheck_security-*.whl
vibecheck scan /path/to/app
vibecheck serve
# Publish (needs PyPI token in ~/.pypirc or TWINE_USERNAME/PASSWORD)
make publish-test # TestPyPI first
make publish # real PyPINaming: PyPI distribution is vibecheck-security; the import and CLI stay vibecheck / vibecheck.
What's in the wheel: library + CLI + web templates/static. Fixtures stay in the repo only (demo data, not shipped).
docker build -t vibecheck .
docker run --rm -p 8742:8742 vibecheck
# Scan a mounted project:
docker run --rm -v "$PWD:/scan:ro" vibecheck scan /scan- Standalone binary:
pyinstaller/uv toolonce CLI is stable - Homebrew: formula wrapping the wheel
- GitHub Action:
vibecheck scan . --fail-on highin CI
pip install -e ".[dev]"
pytest -q
make scan # self-scan + fixture dumpster fire
make buildVibeCheck is a static heuristic scanner, not a pentest or compliance certification. Findings are leads. Always verify before you panic — or before you invoice.
MIT