VibeGuard

Local CLI security scanner for AI-generated code. Your code never leaves your machine.

Installation

``bash npm install -g @indicated/vibeguard`

`Quick Start`

`bash

`Scan a directory`


vibeguard scan ./src
Scan specific files

vibeguard scan ./api.js ./auth.ts
Set up pre-commit hook (blocks commits with critical/high issues)

vibeguard init
View all security rules

vibeguard rules


Commands
$3
Scan files or directories for security vulnerabilities.

`bash vibeguard scan ./src # Scan directory vibeguard scan --staged # Scan git staged files only vibeguard scan --json # Output as JSON vibeguard scan --force # Don't exit with error on issues vibeguard scan --quiet # Minimal output`

`$3`

Set up a pre-commit hook to automatically scan code before commits.

`bash vibeguard init # Creates hook and config vibeguard init --force # Overwrite existing hooks`

This creates: - A git pre-commit hook that runsvibeguard scan --staged- A.vibeguardrc.json config file

`$3`

List all available security rules.

`bash vibeguard rules # List all rules vibeguard rules --severity critical # Filter by severity vibeguard rules --language python # Filter by language vibeguard rules --json # Output as JSON`

`$3`

Authenticate with your license key (for premium features).

`bash vibeguard login vibeguard login --key YOUR_KEY --email you@example.com`

`$3`

Remove stored license key.

`$3`

Start VibeGuard as an MCP server for AI assistant integration.

`AI Assistant Integration (MCP)`

VibeGuard can run as an MCP (Model Context Protocol) server, allowing AI coding assistants like Claude Code to directly scan your code for vulnerabilities.

`$3`

1. Install VibeGuard globally:`bash npm install -g @indicated/vibeguard`

2. Add to your Claude Code MCP settings (~/.claude/settings.json):`json { "mcpServers": { "vibeguard": { "command": "vibeguard", "args": ["mcp"] } } }`

3. Restart Claude Code. The AI will now have access to these tools:

| Tool | Description | |------|-------------| |scan_code| Scan files/directories for security vulnerabilities | |list_security_rules| List all available security rules | |check_code_snippet | Check a code snippet without writing to disk |

`$3`

Once configured, you can ask Claude Code things like: - "Scan my src folder for security issues" - "Check this code for vulnerabilities before I save it" - "What security rules does VibeGuard check for?"

The AI will automatically use VibeGuard to scan your code and report any issues.

`Configuration`

Create a .vibeguardrc.json in your project root:

`json { "exclude": [ "node_modules", "dist", "build", "*.test.js" ], "rules": { "disabled": ["missing-rate-limit"] } }`

`Supported Languages`

- JavaScript (.js, .jsx, .mjs, .cjs) - TypeScript (.ts, .tsx) - Python (.py)

`Security Rules`

`$3`


- hardcoded-secret: Detects hardcoded API keys, tokens, and passwords
- sql-injection: Detects SQL injection vulnerabilities
- eval-usage: Detects dangerous eval() usage
$3

- missing-auth-route: API routes without authentication
- xss-innerhtml: XSS via innerHTML/dangerouslySetInnerHTML
- secrets-localstorage: Sensitive data in localStorage/sessionStorage
- supabase-no-rls: Supabase queries without RLS
- firebase-no-rules: Firebase without security rules
- idor-vulnerability: Potential IDOR vulnerabilities
$3

- permissive-cors: Overly permissive CORS configuration
- http-not-https: HTTP instead of HTTPS
- weak-password: Weak password requirements
$3

- verbose-errors: Detailed errors exposed to clients
- missing-rate-limit: Missing rate limiting on sensitive endpoints
Exit Codes

- 0: No critical/high issues found -1: Critical or high severity issues found (blocks commit)

Use --force to always exit with 0, or git commit --no-verify` to skip the hook.

Privacy

VibeGuard runs entirely on your machine. Your code is never sent to any server. Only license validation requires network access.

License

Commercial SaaS - License key required for full features.

VibeGuard

Local CLI security scanner for AI-generated code. Your code never leaves your machine.

Installation

``bash npm install -g @indicated/vibeguard`

`Quick Start`

`bash

`Scan a directory`


vibeguard scan ./src
Scan specific files

vibeguard scan ./api.js ./auth.ts
Set up pre-commit hook (blocks commits with critical/high issues)

vibeguard init
View all security rules

vibeguard rules


Commands
$3
Scan files or directories for security vulnerabilities.

`$3`

Set up a pre-commit hook to automatically scan code before commits.

`bash vibeguard init # Creates hook and config vibeguard init --force # Overwrite existing hooks`

This creates: - A git pre-commit hook that runsvibeguard scan --staged- A.vibeguardrc.json config file

`$3`

List all available security rules.

`bash vibeguard rules # List all rules vibeguard rules --severity critical # Filter by severity vibeguard rules --language python # Filter by language vibeguard rules --json # Output as JSON`

`$3`

Authenticate with your license key (for premium features).

`bash vibeguard login vibeguard login --key YOUR_KEY --email you@example.com`

`$3`

Remove stored license key.

`$3`

Start VibeGuard as an MCP server for AI assistant integration.

`AI Assistant Integration (MCP)`

VibeGuard can run as an MCP (Model Context Protocol) server, allowing AI coding assistants like Claude Code to directly scan your code for vulnerabilities.

`$3`

1. Install VibeGuard globally:`bash npm install -g @indicated/vibeguard`

2. Add to your Claude Code MCP settings (~/.claude/settings.json):`json { "mcpServers": { "vibeguard": { "command": "vibeguard", "args": ["mcp"] } } }`

3. Restart Claude Code. The AI will now have access to these tools:

`$3`

The AI will automatically use VibeGuard to scan your code and report any issues.

`Configuration`

Create a .vibeguardrc.json in your project root:

`json { "exclude": [ "node_modules", "dist", "build", "*.test.js" ], "rules": { "disabled": ["missing-rate-limit"] } }`

`Supported Languages`

- JavaScript (.js, .jsx, .mjs, .cjs) - TypeScript (.ts, .tsx) - Python (.py)

`Security Rules`

`$3`


- hardcoded-secret: Detects hardcoded API keys, tokens, and passwords
- sql-injection: Detects SQL injection vulnerabilities
- eval-usage: Detects dangerous eval() usage
$3

- missing-auth-route: API routes without authentication
- xss-innerhtml: XSS via innerHTML/dangerouslySetInnerHTML
- secrets-localstorage: Sensitive data in localStorage/sessionStorage
- supabase-no-rls: Supabase queries without RLS
- firebase-no-rules: Firebase without security rules
- idor-vulnerability: Potential IDOR vulnerabilities
$3

- permissive-cors: Overly permissive CORS configuration
- http-not-https: HTTP instead of HTTPS
- weak-password: Weak password requirements
$3

- verbose-errors: Detailed errors exposed to clients
- missing-rate-limit: Missing rate limiting on sensitive endpoints
Exit Codes

- 0: No critical/high issues found -1: Critical or high severity issues found (blocks commit)

Use --force to always exit with 0, or git commit --no-verify` to skip the hook.

Privacy

VibeGuard runs entirely on your machine. Your code is never sent to any server. Only license validation requires network access.

License

Commercial SaaS - License key required for full features.