First tagged release of VibeGate: a host-agnostic pre-write security hook for AI coding assistants (Claude Code, Codex).
What it does
Intercepts every file write/edit, scans the resulting code with Semgrep, and lets the write through, warns, or blocks it, depending on the highest-risk finding. No LLM is involved in the analysis: it is fast, deterministic, and free of hallucination risk.
Language coverage
Python, JavaScript/TypeScript, Go, Java, PHP, and Ruby.
Detection categories
19 technical categories, including the blocking ones: EXEC_INPUT, DB_QUERY, NOSQL_QUERY, TEMPLATE_INJECTION (SSTI), INSECURE_DESERIALIZATION, PATH_TRAVERSAL, XXE, XSS_SINK, and FILE_UPLOAD, plus warning-level categories like SSRF, OPEN_REDIRECT, and MASS_ASSIGNMENT.
Other highlights
- Full-file reconstruction for Edit/MultiEdit in Claude Code, so a source and a sink introduced across separate edits are still connected
- vibegate-ignore comment marker to suppress accepted false positives
- CI validates every Semgrep rule and runs the full test suite on every push/PR
- MIT licensed
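To make the allow/warn/block flow and the full-file reconstruction concrete, here is an added example of the glue such a hook needs. It is not VibeGate's own code, and it rests on stated assumptions: the Claude Code tool-input shapes (Write carries content; Edit carries old_string, new_string and an optional replace_all; MultiEdit carries an edits list), the result shape of semgrep --json, that each rule records its category under metadata.category, and that a vibegate-ignore marker on the flagged line or the line above it suppresses the finding. The sample file, edits and Semgrep finding are constructed; a real hook would run Semgrep on the reconstructed file instead of using the hard-coded result.

```python
# Added example, not VibeGate's own code. Hypothetical assumptions: Claude Code
# tool-input shapes, Semgrep --json result shape, category in metadata.category,
# vibegate-ignore on the flagged line or the line above it.
import sys

BLOCKING = {"EXEC_INPUT", "DB_QUERY", "NOSQL_QUERY", "TEMPLATE_INJECTION",
            "INSECURE_DESERIALIZATION", "PATH_TRAVERSAL", "XXE", "XSS_SINK",
            "FILE_UPLOAD"}
WARNING = {"SSRF", "OPEN_REDIRECT", "MASS_ASSIGNMENT"}
IGNORE_MARKER = "vibegate-ignore"


def reconstruct(on_disk: str, tool_name: str, tool_input: dict) -> str:
    """Return the full file content as it would look after the tool call.

    Scanning only new_string would separate a source added in one edit from a
    sink added in another; rebuilding the whole file keeps them connected.
    """
    if tool_name == "Write":
        return tool_input["content"]
    if tool_name == "Edit":
        edits = [tool_input]
    elif tool_name == "MultiEdit":
        edits = tool_input["edits"]
    else:
        raise ValueError(f"not a write tool: {tool_name}")
    content = on_disk
    for edit in edits:  # applied in order, each edit seeing the previous result
        old, new = edit["old_string"], edit["new_string"]
        if old not in content:
            raise ValueError("old_string not found; the host would reject this edit")
        count = -1 if edit.get("replace_all") else 1  # -1 means every occurrence
        content = content.replace(old, new, count)
    return content


def is_suppressed(lines: list[str], line_no: int) -> bool:
    """Assumed marker convention: vibegate-ignore on the flagged line or the one above."""
    idx = line_no - 1
    return any(IGNORE_MARKER in line for line in lines[max(0, idx - 1): idx + 1])


def decide(semgrep_json: dict, content: str) -> tuple[str, list[str]]:
    """Map Semgrep findings to allow/warn/block; one unsuppressed blocking finding wins."""
    lines = content.splitlines()
    verdict, notes = "allow", []
    for r in semgrep_json.get("results", []):
        category = r["extra"].get("metadata", {}).get("category", "")
        line_no = r["start"]["line"]
        if is_suppressed(lines, line_no):
            continue
        note = f"{category} at line {line_no}: {r['extra']['message']}"
        if category in BLOCKING:
            verdict = "block"
            notes.append("BLOCK " + note)
        elif category in WARNING:
            verdict = "warn" if verdict != "block" else verdict
            notes.append("WARN " + note)
    return verdict, notes


def exit_code(verdict: str) -> int:
    """Assumed Claude Code PreToolUse convention: exit 2 blocks the tool call and
    feeds stderr back to the model; exit 0 lets the write proceed."""
    return 2 if verdict == "block" else 0


# Constructed sample: a source and a sink arriving in two separate edits.
ORIGINAL = "import os\nfrom flask import request\n\ndef run():\n    pass\n"
MULTI_EDIT = {"file_path": "app.py", "edits": [
    {"old_string": "def run():\n    pass\n",
     "new_string": 'def run():\n    cmd = request.args.get("cmd")\n    pass\n'},
    {"old_string": "    pass\n", "new_string": "    os.system(cmd)\n"},
]}
# Constructed stand-in for `semgrep --json` over the reconstructed file. The
# rule id and message are illustrative, not VibeGate's.
FINDINGS = {"results": [{
    "check_id": "example.python.exec-input",
    "path": "app.py",
    "start": {"line": 6, "col": 5}, "end": {"line": 6, "col": 19},
    "extra": {"message": "request data reaches os.system",
              "severity": "ERROR", "metadata": {"category": "EXEC_INPUT"}},
}]}


def demo() -> tuple[str, list[str]]:
    content = reconstruct(ORIGINAL, "MultiEdit", MULTI_EDIT)
    return decide(FINDINGS, content)


if __name__ == "__main__":
    verdict, notes = demo()
    stream = sys.stderr if verdict == "block" else sys.stdout
    print(verdict, *notes, sep="\n", file=stream)
    sys.exit(exit_code(verdict))
```

Run as a script it prints the verdict and the EXEC_INPUT note to stderr and exits 2, which is the block path; appending a vibegate-ignore comment to the os.system line turns the same finding into an allow. The first edit alone (the source) and the second edit alone (the sink) would each scan clean, which is the whole reason the hook rebuilds the file before scanning rather than looking at each new_string in isolation.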
See the README for install instructions and a full walkthrough.