Scan AI-generated code for vulnerabilities before they ship.
Quick Start • Interactive TUI • Features • Languages • CLI Reference • CI/CD • MCP • Contributing

vibescan stands on the shoulders of incredible open-source security projects. We didn't reinvent the wheel — we built an orchestration layer that unifies the best tools into a single, developer-friendly experience.

Projects that inspired us:

| Project | What we learned |
|---|---|
| Semgrep | Lightweight, multi-language static analysis done right. Our core SAST engine. |
| Trivy | Comprehensive vulnerability scanning for containers, filesystems, and IaC. |
| Nuclei | Template-based vulnerability scanning at scale. Inspired our exploit template system. |
| OWASP ZAP | The gold standard for open-source DAST. Influenced our sandboxed runtime testing. |
| SonarQube | Proved that continuous code quality inspection works. We wanted that for security, in the terminal. |
| Snyk | Showed that developer-first security UX matters more than feature count. |
| CodeQL | Deep semantic analysis and the GitHub Security ecosystem we integrate with via SARIF. |
| Gitleaks | Fast, accurate secret detection with excellent rule coverage. |
| Checkov | Multi-framework IaC scanning. Our IaC coverage builds directly on it. |

vibescan is not a single scanner — it's a pipeline that runs 30+ industry-grade open-source tools, normalizes their output, deduplicates findings, and presents unified results. Here's every tool we orchestrate:

SAST — Static Application Security Testing

| Tool | Language/Target | What it finds | Link |
|---|---|---|---|
| Semgrep | 15+ languages | Code vulnerabilities, taint tracking, custom rules | semgrep.dev |
| Gosec | Go | Security misconfigurations, crypto issues, injection flaws | github |
| Staticcheck | Go | Bugs, performance issues, simplifications | github |
| Govet | Go | Suspicious constructs (printf args, struct tags, unreachable code) | pkg.go.dev |
| Gocyclo | Go | Cyclomatic complexity (identifies hard-to-test functions) | github |
| Bandit | Python | Common security issues (eval, exec, hardcoded passwords) | github |
| Pylint | Python | Code quality, error detection, convention enforcement | github |
| Radon | Python | Cyclomatic complexity and maintainability index | github |
| Vulture | Python | Dead code detection | github |
| ESLint | JavaScript/TS | Security rules, code quality, best practices | github |
| SpotBugs | Java/Kotlin | 400+ bug patterns including security | github |
| PMD | Java/Kotlin | 300+ rules including security and code quality | github |
| Brakeman | Ruby/Rails | SQL injection, XSS, CSRF, mass assignment | github |
| PHPCS | PHP | Security sniffs, coding standards | github |
| Psalm | PHP | Type inference, taint analysis, security-focused mode | github |
| Cppcheck | C/C++ | Buffer overflows, null pointer derefs, memory leaks | github |
| Flawfinder | C/C++ | Security-focused source code scanner (CWE-mapped) | github |
| Slither | Solidity | Smart contract vulnerabilities, 90+ detectors | github |
| Mythril | Solidity | Symbolic execution for EVM bytecode | github |
| Clippy | Rust | Security-relevant lints, correctness checks | github |
| ShellCheck | Shell/Bash | Script analysis, injection risks, quoting issues | github |
| JSCPD | All languages | Copy-paste detection across codebases | github |

SCA — Software Composition Analysis

| Tool | Ecosystem | What it finds | Link |
|---|---|---|---|
| Trivy | All | CVEs in OS packages, language deps, and container images | github |
| OSV-Scanner | All | Queries Google's OSV database for known vulnerabilities | github |
| Govulncheck | Go | Reachability-aware Go vulnerability detection (only flags vulns your code actually calls) | github |
| Cargo Audit | Rust | RustSec advisory database scanning | github |
| Bundler Audit | Ruby | RubyGems advisory scanning | github |
| OWASP Dependency-Check | Java | CVE scanning for Maven/Gradle/Ivy | github |
| Grype | Containers | Image vulnerability scanning (NVD + GitHub Advisory + OSV) | github |

Secrets Detection

| Tool | What it finds | Link |
|---|---|---|
| Gitleaks | 150+ secret types (AWS, GCP, GitHub, Stripe, Slack, etc.) with git history scanning | github |
| Trufflehog | High-entropy strings, credential patterns, verified secret validation | github |

IaC — Infrastructure as Code

| Tool | Target | What it finds | Link |
|---|---|---|---|
| Checkov | Terraform, CloudFormation, K8s, Helm, Docker | 1000+ security policies across cloud providers | github |
| TFSec | Terraform | AWS/Azure/GCP misconfigurations | github |
| KICS | Multi-IaC | 50+ platforms including Terraform, Ansible, Docker, K8s | github |
| Hadolint | Dockerfile | Dockerfile best practices + ShellCheck on RUN commands | github |
| Kube-linter | Kubernetes | Security and production-readiness checks | github |
| Kube-score | Kubernetes | Best practice scoring for workload manifests | github |

Every finding from every tool flows through our normalization pipeline — severity mapping, CWE enrichment, deduplication, and fingerprinting — so you get one clean, unified report instead of 30 different outputs.
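To make that normalization step concrete, here is an added illustration (not vibescan's own code) of what such a pipeline does: it folds each tool's severity label onto one scale, fills in a CWE from a rule map, fingerprints each finding on file, line and CWE so that the same hardcoded secret reported by both gosec and semgrep becomes one entry, and applies a CI gate in the spirit of `--fail-on-severity`. The severity aliases and the rule-to-CWE map are constructed assumptions for the example.

```go
package main
import (
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)
// Finding is one normalized result; each tool's raw output is mapped into it.
type Finding struct {
	Tool, File, Rule, Message, Severity, CWE string
	Line                                 int
}
// rank orders normalized severities so a CI threshold can be compared against them.
var rank = map[string]int{"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
// sevAlias folds each tool's own severity vocabulary onto one scale (assumed labels).
var sevAlias = map[string]string{"error": "high", "warning": "medium", "critical": "critical", "high": "high", "medium": "medium", "low": "low", "info": "info"}
// cweForRule stands in for CWE enrichment (constructed map, not vibescan's own).
var cweForRule = map[string]string{"gosec.G101": "CWE-798", "semgrep.jwt-secret": "CWE-798"}
// fingerprint hashes location plus CWE (or tool:rule when no CWE is known) so one weakness seen by two tools collapses.
func fingerprint(f Finding) string {
	key := f.CWE
	if key == "" {
		key = f.Tool + ":" + f.Rule
	}
	return fmt.Sprintf("%x", sha256.Sum256([]byte(fmt.Sprintf("%s|%d|%s", f.File, f.Line, key))))
}
// Pipeline normalizes, enriches, deduplicates and sorts highest severity first.
func Pipeline(raw []Finding) []Finding {
	seen, out := map[string]bool{}, []Finding{}
	for _, f := range raw {
		s, ok := sevAlias[strings.ToLower(f.Severity)]
		if !ok {
			s = "low" // unknown label: keep the finding, do not inflate it
		}
		f.Severity = s
		if f.CWE == "" {
			f.CWE = cweForRule[f.Rule]
		}
		if fp := fingerprint(f); !seen[fp] {
			seen[fp] = true
			out = append(out, f)
		}
	}
	sort.SliceStable(out, func(i, j int) bool { return rank[out[i].Severity] > rank[out[j].Severity] })
	return out
}
// ShouldFail mirrors --fail-on-severity on Pipeline output (already sorted, highest first).
func ShouldFail(fs []Finding, threshold string) bool {
	return len(fs) > 0 && rank[fs[0].Severity] >= rank[threshold]
}
```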
Vibecoding is fast. But AI-generated code ships vulnerabilities you didn't write and don't understand.
vibescan catches them. It runs 30+ security tools, builds your app in a sandbox, simulates real attacks, maps exploit chains, and reviews every PR — all from a single interactive terminal UI.
Install (pick one):

```bash
# macOS / Linux
brew install Armur-Ai/tap/vibescan

# npm (any platform)
npm install -g @vibescan/cli

# pip
pip install vibescan

# Direct download
curl -fsSL https://raw.githubusercontent.com/Armur-Ai/vibescan/main/scripts/install.sh | sh
```

Then just run it:

```bash
vibescan
```

That's it. No flags, no config. vibescan launches a full-screen interactive menu:
```text
                   V I B E S C A N
        Security Scanner for Vibe-Coded Software
     SAST + DAST + Exploit Simulation + Attack Paths
────────────────────────────────────────────────────────
What would you like to do?

▸ Scan Project          Analyze your code for vulnerabilities
  Interactive Scan      Guided wizard with live dashboard
  Review Pull Request   Security review a GitHub/GitLab PR
  View History          Browse past scan results
  Generate Report       Create HTML, CSV, OWASP reports
  Explain Finding       Get an AI explanation
  Fix Finding           Generate an AI-powered code patch
  Check Health          Verify tools and configuration
  Initialize Project    Create .vibescan.yml config
  Setup AI / MCP        Configure editor integration
────────────────────────────────────────────────────────
↑↓ navigate   enter select   q quit
```
Navigate with arrow keys, press Enter to select. Every action is one keypress away.
Select "Scan Project" and vibescan walks you through a 4-step wizard:

```text
VIBESCAN — Scan Configuration
● Target → ○ Language → ○ Depth → ○ Confirm
────────────────────────────────────────────────────────
What would you like to scan?

○ Current directory (my-project)
○ Enter a different path
○ Scan a remote repository
────────────────────────────────────────────────────────
↑↓ navigate   enter select   backspace back   esc cancel
```
After confirming, you get a live dashboard showing every tool's progress in real time:
```text
┌──────────────────────────────────────────────────────┐
│ VIBESCAN · ./my-project · GO · deep scan             │
├──────────────────────────────────────────────────────┤
│ Tool            Status          Found                │
│ ──────────────────────────────────────────────────   │
│ ✓ semgrep       completed  4s      14                │
│ ⏳ gosec         running    2s       3                │
│ ○ staticcheck   queued              -                │
│ ○ gocyclo       queued              -                │
│ ○ trufflehog    queued              -                │
├──────────────────────────────────────────────────────┤
│ Critical: 0  High: 3  Medium: 8  Low: 6  Info: 0     │
│ Elapsed: 0:06                              [q] Quit  │
└──────────────────────────────────────────────────────┘
```

When the scan completes, you enter the results browser — a two-pane interactive viewer:
```text
17 findings · Showing: all · [f] filter · [↑↓/jk] navigate · [q] quit

  SEV    FILE                  LINE  MESSAGE
  ───────────────────────────────────────────────────────────────
  [CRIT] internal/handlers.go    42  SQL injection via user input
▸ [HIGH] internal/auth.go       118  Hardcoded JWT secret
  [HIGH] pkg/api/client.go       67  TLS verification disabled
  [ MED] cmd/server/main.go      23  Missing CORS configuration
  [ LOW] internal/utils.go      156  Unused error return
  ───────────────────────────────────────────────────────────────
  File:     internal/auth.go:118
  Severity: [HIGH]
  Rule:     gosec.G101
  CWE:      CWE-798
  Tool:     gosec
  Message:  Hardcoded credentials: JWT secret stored as string literal
```
Press f to filter by severity, j/k to navigate, q to quit.
Prefer flags over TUI? Everything works non-interactively too:
```bash
# Quick scan
vibescan scan .

# Deep scan with all tools
vibescan scan . --advanced

# Scan a GitHub repo
vibescan scan https://github.com/owner/repo -l go

# SARIF output for CI
vibescan scan . --format sarif --fail-on-severity high

# Watch mode — re-scan on file changes
vibescan scan . --watch
```

| Feature | What it does |
|---|---|
| SAST | 30+ tools across 15 languages. Findings deduplicated, severity-normalized. |
| DAST | Auto-builds sandbox from your code, runs passive + active security tests. |
| Exploit Simulation | Generates PoC exploits (SQLi, XSS, RCE, SSRF) and runs them in sandbox. |
| Attack Paths | Chains findings into attack graphs with Mermaid visualization. |
| PR Review | `vibescan review <pr-url>` — SAST + secrets + DAST on the diff. |
| AI Explain/Fix | `vibescan explain` and `vibescan fix` powered by Claude or Ollama. |
| MCP Server | Works inside Claude Code, Cursor, Windsurf via MCP protocol. |
| SCA | Every package ecosystem: npm, pip, Go, Cargo, Maven, Ruby, PHP, NuGet, etc. |
| Secrets | Gitleaks + Trufflehog with git history scanning and secret validation. |
| IaC | Terraform, Kubernetes, Docker, Ansible, Helm — checkov, tfsec, kube-linter. |
| Compliance | OWASP Top 10, CWE Top 25, PCI-DSS, HIPAA, NIST mapping. |
| Reports | HTML, CSV, SARIF, OWASP, SANS — all from `vibescan report`. |

| Language | Tools | Categories |
|---|---|---|
| Go | semgrep, gosec, govet, staticcheck, gocyclo, govulncheck | SAST, SCA, Quality |
| Python | semgrep, bandit, pylint, radon, pydocstyle, pip-audit | SAST, SCA, Quality |
| JavaScript/TS | semgrep, eslint | SAST, Quality |
| Rust | semgrep, cargo-audit, cargo-geiger, clippy | SAST, SCA |
| Java/Kotlin | semgrep, spotbugs, pmd, dependency-check | SAST, SCA |
| Ruby | semgrep, brakeman, bundler-audit | SAST, SCA |
| PHP | semgrep, phpcs, psalm | SAST, Quality |
| C/C++ | semgrep, cppcheck, flawfinder | SAST |
| C#/.NET | semgrep, security-code-scan, roslynator | SAST, Quality |
| Solidity | semgrep, slither, mythril | SAST |
| IaC | checkov, hadolint, tfsec, kics, kube-linter, kube-score, terrascan | IaC |
| Containers | trivy, grype | SCA, Image |
| Secrets | trufflehog, gitleaks | Secrets |
| Shell | shellcheck | SAST |
| Swift | swiftlint | SAST |

| Command | Description |
|---|---|
| `vibescan` | Launch interactive TUI (default when no args) |
| `vibescan scan <target>` | One-shot scan with flags |
| `vibescan run` | Guided wizard → live dashboard → results browser |
| `vibescan review <pr-url>` | Review a GitHub/GitLab pull request |
| `vibescan explain <id>` | AI explanation of a finding |
| `vibescan fix <id>` | AI-generated code patch |
| `vibescan serve` | Start the embedded API server |
| `vibescan doctor` | Check which tools are installed |
| `vibescan init` | Create .vibescan.yml config file |
| `vibescan history` | List past scans |
| `vibescan compare <id1> <id2>` | Diff two scan results |
| `vibescan report` | Generate HTML/CSV/OWASP/SANS reports (interactive) |
| `vibescan mcp` | Start MCP server for AI editors |
| `vibescan quickstart` | Step-by-step getting started guide |
| `vibescan completion <shell>` | Shell completions (bash/zsh/fish/powershell) |
| `vibescan version` | Print version info |
GitHub Actions:

```yaml
- name: vibescan Security Scan
  run: |
    curl -fsSL https://raw.githubusercontent.com/Armur-Ai/vibescan/main/scripts/install.sh | sh
    vibescan scan . --format sarif --output results.sarif --fail-on-severity high
- uses: github/codeql-action/upload-sarif@v3
  if: always()
  with:
    sarif_file: results.sarif
```

GitLab CI:

```yaml
vibescan:
  image: vibescan/agent:latest
  script:
    - vibescan scan . --format sarif --output gl-sast-report.json --fail-on-severity high
  artifacts:
    reports:
      sast: gl-sast-report.json
```

See also: CircleCI, Jenkins, Azure DevOps, Bitbucket
vibescan runs as an MCP server inside Claude Code, Cursor, and Windsurf:

```bash
# Claude Code
claude mcp add vibescan -- vibescan mcp

# Cursor — add to ~/.cursor/mcp.json:
# { "mcpServers": { "vibescan": { "command": "vibescan", "args": ["mcp"] } } }
```

MCP tools available to your AI assistant:

- `vibescan_scan_path` — scan a directory
- `vibescan_scan_code` — scan a code snippet inline
- `vibescan_check_dependency` — check a package for CVEs
- `vibescan_explain_finding` — explain a vulnerability
- `vibescan_get_history` — recent scan history
Create .vibescan.yml in your project root (or run `vibescan init`):

```yaml
scan:
  depth: quick               # quick | deep
  severity-threshold: medium # minimum severity to report
  fail-on-findings: true     # exit code 1 in CI
  exclude:
    - vendor/
    - node_modules/
    - testdata/
tools:
  disabled:
    - gocyclo                # skip specific tools
```

Full reference: Configuration docs
```text
        ┌──────────────────────┐
        │     vibescan CLI     │ (Cobra + Bubbletea TUI)
        └──────────┬───────────┘
                   │
        ┌──────────▼───────────┐
        │   API Server (Gin)   │ port 4500
        └──────────┬───────────┘
                   │
        ┌──────────▼───────────┐
        │ Asynq Worker (Redis) │
        └──────────┬───────────┘
                   │
┌──────────────────▼───────────────────┐
│          Tool Runners (30+)          │
│  semgrep, gosec, bandit, eslint,     │
│  trivy, gitleaks, slither, ...       │
└──────────────────┬───────────────────┘
                   │
        ┌──────────▼───────────┐
        │   Finding Pipeline   │
        │  Normalize → Dedup → │
        │  Fingerprint → Score │
        └──────────┬───────────┘
                   │
┌──────────────────▼───────────────────┐
│     Output: TUI, Text, JSON,         │
│     SARIF, HTML, CSV, OWASP          │
└──────────────────────────────────────┘
```
```bash
docker-compose up -d
curl -X POST http://localhost:4500/api/v1/scan/repo \
  -H "Content-Type: application/json" \
  -d '{"repository_url": "https://github.com/owner/repo", "language": "go"}'
```

API docs: http://localhost:4500/swagger/index.html
Found a vulnerability in vibescan? See SECURITY.md for responsible disclosure.
Contributions welcome! See CONTRIBUTING.md for how to add tools, languages, and rules.
See IMPROVEMENTS.md — 59 sprints across 7 phases, from core product to distributed scanning.
MIT — see LICENSE.
vibescan.dev • Discord • Docs
Built for the vibecoding era. Ship fast, ship safe.
