Professional Security Scanner - Zero dependencies, instant setup, works everywhere. Optimized performance for security scanning. Current ruleset: 28 essential security rules including container security.
```bash
# Install globally
npm install -g vibe-guard

# For development with no build step (run this first)
npm run dev

# Start interactive session
vibe-guard start

# Scan your project
vibe-guard scan .

# Learn about security concepts
vibe-guard learn xss-detection

# Try with demo files
vibe-guard demo
```

Vibe-Guard is more than a scanner: it is an educational platform that teaches you about web security through hands-on experience:
XSS (Cross-Site Scripting):
```javascript
// ❌ Vulnerable code
app.get('/user', (req, res) => {
  const userInput = req.query.name;
  res.send('<h1>Hello ' + userInput + '</h1>'); // XSS vulnerability!
});

// ✅ Secure code (escapeHtml: any HTML-entity-escaping helper)
app.get('/user', (req, res) => {
  const userInput = req.query.name;
  res.send('<h1>Hello ' + escapeHtml(userInput) + '</h1>');
});
```

SQL Injection:
```javascript
// ❌ Vulnerable code
const query = 'SELECT * FROM users WHERE id = ' + userId; // SQL injection risk!

// ✅ Secure code
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);
```

Exposed Secrets:
```javascript
// ❌ Vulnerable code
const API_KEY = 'sk-1234567890abcdef'; // Secret exposed in source code!

// ✅ Secure code
const API_KEY = process.env.API_KEY; // Environment variable
```

Container Security:
```yaml
# ❌ Vulnerable Kubernetes manifest
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: app
          image: nginx:latest # Latest tag vulnerability
          securityContext:
            runAsUser: 0 # Root user vulnerability
            privileged: true # Privileged container vulnerability

# ✅ Secure Kubernetes manifest
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: app
          image: nginx:1.21.6@sha256:abc123... # Pinned digest
          securityContext:
            runAsUser: 1000 # Non-root user
            runAsNonRoot: true
            allowPrivilegeEscalation: false
```

- Input Validation - Always validate and sanitize user input
- Output Encoding - Encode output to prevent XSS attacks
- Parameterized Queries - Use prepared statements for database operations
- Environment Variables - Never hardcode secrets in source code
- Security Headers - Implement proper HTTP security headers
- Container Security - Use non-root users, pinned image digests, and proper security contexts
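As an added illustration (not vibe-guard's own rule engine), a small JavaScript scanner whose six line-based rules mirror the vulnerable/secure pairs and the container checks above; the rule ids, messages and sample inputs are assumed or constructed for this example:

```javascript
// Added example, not vibe-guard's own code: a minimal line-based scanner whose
// rules mirror the vulnerable/secure pairs above; rule ids are illustrative.
const RULES = [
  { id: 'xss-detection',
    re: /res\.send\(.*\+\s*[A-Za-z_$][\w$]*\s*\+/,
    msg: 'Raw input concatenated into an HTML response; escape it first' },
  { id: 'sql-injection',
    re: /['"`]\s*(?:SELECT|INSERT|UPDATE|DELETE)\b.*['"`]\s*\+\s*[A-Za-z_$]/i,
    msg: 'SQL built by string concatenation; use a parameterized query' },
  { id: 'exposed-secret',
    re: /(?:API_KEY|SECRET|TOKEN|PASSWORD)\s*=\s*['"][^'"]{8,}['"]/i,
    msg: 'Secret literal in source; read it from the environment' },
  { id: 'k8s-latest-tag',
    re: /^\s*image:\s*\S+:latest\b/,
    msg: 'Mutable :latest image tag; pin a version and digest' },
  { id: 'k8s-root-user',
    re: /^\s*runAsUser:\s*0\b/,
    msg: 'Container runs as root; use a non-zero runAsUser' },
  { id: 'k8s-privileged',
    re: /^\s*privileged:\s*true\b/,
    msg: 'Privileged container; drop it and set allowPrivilegeEscalation: false' },
];
// Scan one file's text line by line; a line can hit several rules.
function scan(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const r of RULES) {
      if (r.re.test(text)) findings.push({ rule: r.id, line: i + 1, msg: r.msg });
    }
  });
  return findings;
}
// Constructed samples copied from the pairs above (the key is a dummy value).
const VULN_JS = [
  "res.send('<h1>Hello ' + userInput + '</h1>');",
  "const query = 'SELECT * FROM users WHERE id = ' + userId;",
  "const API_KEY = 'sk-1234567890abcdef';",
].join('\n');
const SAFE_JS = [
  "res.send('<h1>Hello ' + escapeHtml(userInput) + '</h1>');",
  "const query = 'SELECT * FROM users WHERE id = ?';",
  "const API_KEY = process.env.API_KEY;",
].join('\n');
const VULN_YAML = '  image: nginx:latest\n  securityContext:\n    runAsUser: 0\n    privileged: true';
const SAFE_YAML = '  image: nginx:1.21.6@sha256:abc123...\n  securityContext:\n    runAsUser: 1000\n    runAsNonRoot: true';
for (const [name, src] of [['vuln.js', VULN_JS], ['safe.js', SAFE_JS], ['vuln.yaml', VULN_YAML], ['safe.yaml', SAFE_YAML]]) {
  console.log(name, scan(src).map(f => `${f.line}: ${f.rule}`));
}
```

Regex rules are enough to show how a finding is produced; a production scanner would parse the source (AST or YAML tree) so that formatting differences cannot hide a hit.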
Vibe-Guard detects 28 types of vulnerabilities across multiple categories:
- Authentication & Authorization: Missing authentication, broken access control, session management
- Input Validation: SQL injection, XSS, unvalidated input, directory traversal
- Data Protection: Exposed secrets, hardcoded sensitive data, insecure logging
- Configuration: Insecure configuration, missing security headers, CORS issues
- Modern Threats: CSRF protection, AI-generated code validation, prompt injection
- Dependencies: Insecure dependencies, outdated packages, vulnerability assessment
- Container Security: Kubernetes security, Dockerfile vulnerabilities, container registry issues
CI/CD Integration:
```yaml
# GitHub Actions
- name: Security Scan
  run: vibe-guard scan . --format sarif --output-file security-report.sarif
```

This repository can produce SARIF from the Jest test suite for integration with GitHub Code Scanning. Locally you can run:
```bash
# run tests and produce JSON
npx jest --json --outputFile=jest-output.json
# convert to SARIF
node scripts/jest-to-sarif.js jest-output.json test-results.sarif
```

The jest-to-sarif converter supports two optional flags: `--include-passed` (include passed/skipped assertions in the SARIF output) and `--relative-paths` (emit repository-relative file paths instead of `file://` URIs). Example:

```bash
node scripts/jest-to-sarif.js jest-output.json test-results.sarif --include-passed --relative-paths
```

CI converts the Jest JSON to SARIF and uploads the SARIF file when the tests run in the CI workflow.
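An added illustration of the Jest-to-SARIF conversion, written for this page rather than taken from the repository's `scripts/jest-to-sarif.js`; the sample Jest JSON is constructed and the `jest/...` rule ids are assumed:

```javascript
// Added example, not the repository's scripts/jest-to-sarif.js: converts the
// structure of `jest --json` output into a minimal SARIF 2.1.0 log. Each failed
// assertion becomes an "error" result located at its test file. includePassed
// and relativePaths mirror the --include-passed and --relative-paths flags
// described above; the rule ids ('jest/...') are assumed, not the script's.
function relativeTo(root, p) {
  const base = root.endsWith('/') ? root : root + '/';
  return p.startsWith(base) ? p.slice(base.length) : p;
}

function jestToSarif(jest, { includePassed = false, relativePaths = false, root = '/' } = {}) {
  const results = [];
  for (const file of jest.testResults) {
    // Jest reports absolute test-file paths; Code Scanning needs a URI or a repo-relative path.
    const uri = relativePaths ? relativeTo(root, file.name) : 'file://' + file.name;
    for (const a of file.assertionResults) {
      const failed = a.status === 'failed';
      if (!failed && !includePassed) continue;
      results.push({
        ruleId: failed ? 'jest/test-failure' : `jest/test-${a.status}`,
        level: failed ? 'error' : 'note',
        message: { text: failed ? a.failureMessages.join('\n') : a.fullName },
        locations: [{ physicalLocation: { artifactLocation: { uri } } }],
      });
    }
  }
  // Declaring each ruleId on the driver lets Code Scanning show rule metadata.
  const rules = [...new Set(results.map(r => r.ruleId))].map(id => ({ id, shortDescription: { text: id } }));
  return {
    $schema: 'https://json.schemastore.org/sarif-2.1.0.json',
    version: '2.1.0',
    runs: [{ tool: { driver: { name: 'jest', rules } }, results }],
  };
}

// Constructed sample in the shape `jest --json` emits, trimmed to the fields used.
const SAMPLE = {
  testResults: [{
    name: '/work/vibe-guard/tests/xss.test.js',
    assertionResults: [
      { fullName: 'xss rule flags concatenated input', status: 'passed', failureMessages: [] },
      { fullName: 'xss rule ignores escaped output', status: 'failed',
        failureMessages: ['expected 0 findings, received 1'] },
    ],
  }],
};

console.log(JSON.stringify(jestToSarif(SAMPLE, { relativePaths: true, root: '/work/vibe-guard' }), null, 2));
```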
Pre-commit Hook:
```sh
#!/bin/sh
# .git/hooks/pre-commit (the shebang must be the first line of the hook)
vibe-guard scan . || exit 1
```

Interactive Learning:
```bash
# Start interactive session
vibe-guard start

# Learn specific security concepts
vibe-guard learn sql-injection
vibe-guard learn xss-detection

# Practice with demo files
vibe-guard demo
```

NPM (Recommended):

```bash
npm install -g vibe-guard
```

Homebrew:

```bash
brew install devjosef/tap/vibe-guard
```

Direct Download:

```bash
# Linux
curl -L https://github.com/Devjosef/vibe-guard/releases/latest/download/vibe-guard-linux-x64 -o vibe-guard
chmod +x vibe-guard

# macOS
curl -L https://github.com/Devjosef/vibe-guard/releases/latest/download/vibe-guard-macos-x64 -o vibe-guard
chmod +x vibe-guard

# Windows
curl -L https://github.com/Devjosef/vibe-guard/releases/latest/download/vibe-guard-windows-x64.exe -o vibe-guard.exe
```

- Getting Started - Complete setup and configuration guide
- Security Rules - Detailed rule explanations and examples
- Performance Guide - Optimization and best practices
- API Reference - Programmatic usage and integration
Join our community of security professionals and developers:
- Interactive Learning: `vibe-guard start` - Begin your security journey
- Educational Commands: `vibe-guard learn [topic]` - Master security concepts
- Hands-on Practice: `vibe-guard demo` - Test with example vulnerabilities
- Performance Insights: `vibe-guard stats` - Track your security impact
- Community Discussion: GitHub Discussions
- Issue Reporting: GitHub Issues
- Repository: GitHub Repository
Built for developers who code fast and need security that keeps up:
- Zero Dependencies - Lightweight, fast, and reliable
- 28 Security Rules - Comprehensive coverage of modern threats including container security
- Cross-Platform - Works seamlessly across all operating systems
- Educational Focus - Learn security while you scan
- OWASP Aligned - Industry best practices and standards
- Developer-Friendly - Simple, intuitive CLI interface
- Interactive Mode - Guided learning with `vibe-guard start`
- Container Security - Kubernetes, Dockerfile, and registry security scanning
Every scan contributes to a more secure web ecosystem:
- 500+ total downloads on NPM with growing adoption
- 28 security rules covering contemporary threat vectors including container security
- Cross-platform support for Linux, macOS, and Windows
- Zero dependencies ensuring maximum compatibility
- Educational approach - building security awareness
- Container security - Kubernetes, Dockerfile, and registry vulnerability detection
MIT License - see LICENSE for details.
Built for the greater good, like curl for security scanning.