
vibe-hardening/cli


vibe-hardening

Vibe coded. Vibe hardened.

One-command security scanner for AI-generated code.

Language: English · 繁體中文 · 简体中文 · 한국어 · 日本語

npx vibe-hardening scan

Live at vibe-hardening.io.

Get started (5 seconds)

# 1. open a terminal
# 2. cd into any JS / TS project you've built with an AI tool
cd ~/projects/my-app

# 3. run the scanner
npx vibe-hardening scan

The first time only, npx asks "Ok to proceed?"; press Enter to continue.

Requirements: Node.js 18.17+ (already installed if you've used npm, next, vite, etc.).

Common mistakes:

  • Running from ~/Desktop without cd — scans your entire Desktop tree.
  • Running from inside the vibe-hardening repo itself — you'll scan the tool, not your app.
  • Missing Node: install from nodejs.org if npx is not recognised.

What it catches

30+ rules across 8 categories, tuned for repos generated by v0 / Lovable / Bolt / Cursor / Claude Code / Replit Agent / Windsurf / Devin.

Category              Examples
Secrets               OpenAI sk-proj-, Anthropic sk-ant-, Stripe sk_live_, GitHub PAT, AWS keys, Supabase service_role JWT, DB URLs, Slack tokens, JWT signing keys
Injection             SQL template-literal, NoSQL req.body, child_process.exec with interpolation, path traversal, dangerouslySetInnerHTML without sanitiser
Network               CORS * + credentials, CORS origin reflection, SSRF via fetch(req.body.url), open redirects
Auth                  Missing middleware on Next.js API routes (AST), JWT alg: none,
Database              Supabase tables without RLS, policies using (true), service_role referenced from 'use client' files
Env misuse            NEXT_PUBLIC_*SECRET / *SERVICE_ROLE variables leaking into client bundles
Supply chain (net)    OSV.dev CVE lookup on package-lock.json, LLM-hallucinated package detection vs. npm registry
Platform fingerprint  Identifies which AI tool wrote the code to weight rules and tune output

Usage

# Scan current directory
npx vibe-hardening scan

# Scan a specific folder
npx vibe-hardening scan ./my-project

# JSON for CI (exits 1 on any critical/high finding)
npx vibe-hardening scan --format json --output report.json

# Only high+ severity
npx vibe-hardening scan --severity high

# Skip network calls (no OSV / no npm registry)
npx vibe-hardening scan --offline

Platform detection

On start, vibe-hardening fingerprints the repo and identifies the generator:

vibe-hardening scan complete  ·  147 files  ·  412ms
platform  v0  (74% confidence)

Supported: v0 / lovable / bolt / cursor / claude-code / replit-agent / windsurf / devin.

Status

Preview release — Phase 1 MVP targeting 2026-05-13 on Product Hunt.

Current coverage (v0.0.4-preview.0):

  • 6 engines: RLS diff · JWT payload · auth AST · pattern-regex · OSV.dev · LLM hallucination
  • 30+ rules · 142 tests · scans typical repo in under 5 seconds
  • Output: coloured console · JSON for CI · standalone HTML report
  • 0–100 security score with A–F grade + SVG README badge
  • Inline suppression: // vibe-hardening-disable-next-line vh-rule-id
  • Platform fingerprint for 8 AI tools

Roadmap:

  • Live key verification (--verify pings provider endpoints to confirm leaked keys are still active)
  • Markdown reporter
  • Pro dashboard, GitHub App, Slack notifications (post-launch)

License

MIT © 2026 vibe-hardening contributors.
