Local-first security scanning

Ship faster.
Skip the security drama.

One command after AI writes your code. Catches leaked keys, bad deps, and footguns before they hit prod.

Runs locally. No repo upload. Your code stays yours.

pip install vibeguard-cli
See a real scan
~/my-project
[VIBEGUARD banner in block letters]
Security Scanner for AI-Generated Code

3 mistakes vibe coders actually make

You're shipping fast. These slip through.

Leaked a key

That AWS key in your config? It's been on GitHub for 3 hours.

VibeGuard catches hardcoded secrets before you push.

Pulled a risky dependency

npm install solved the problem. Also installed a known vulnerability.

VibeGuard flags deps with active security issues.

AI wrote a footgun

Copilot suggested it, you accepted it. Now there's an open redirect.

VibeGuard spots common AI-generated security mistakes.
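The open redirect above is the classic accept-the-next-parameter footgun. As an added example (not VibeGuard's own code or detection rules), here is the vulnerable pattern beside a hardened check, written in plain Python with no web framework so it runs offline; redirect_target_unsafe, redirect_target_safe and the PROBES list are names and values constructed for this example.

```python
from urllib.parse import urlparse


# The footgun: whatever the client put in ?next= becomes the Location header.
# An attacker sends https://your-app/login?next=https://evil.example and your
# domain vouches for the phishing page.
def redirect_target_unsafe(next_param: str) -> str:
    return next_param or "/"


# Hardened: only a same-site path is allowed through; everything else falls
# back to `default`. Handles the usual bypasses, not just "starts with http".
def redirect_target_safe(next_param: str, default: str = "/") -> str:
    if not next_param:
        return default
    # CR/LF/tab would let the value break out of the Location header or be
    # silently dropped by the URL parser; reject outright.
    if any(c in "\r\n\t" for c in next_param):
        return default
    # Browsers treat a backslash like a forward slash in the authority part,
    # so "/\evil.example" is really "//evil.example". Normalise before parsing.
    candidate = next_param.replace("\\", "/")
    parsed = urlparse(candidate)
    # Absolute URL (https://evil.example, javascript:...) or protocol-relative
    # URL (//evil.example) -> off-site.
    if parsed.scheme or parsed.netloc:
        return default
    # Must be an absolute path on this origin. "///evil.example" parses with an
    # empty netloc but browsers collapse the slashes, so reject any "//" prefix.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


# Constructed probe values an attacker (or a fuzzer) would try.
PROBES = [
    "/account",                      # legitimate
    "/account?tab=keys",             # legitimate with query
    "https://evil.example/phish",    # absolute URL
    "//evil.example/phish",          # protocol-relative
    "/\\evil.example",               # backslash trick
    "///evil.example",               # triple slash
    "javascript:alert(1)",           # scheme-only
    "/login\r\nSet-Cookie: a=b",     # header injection
    "",                              # missing
]


def audit(probes=PROBES):
    """Return {probe: (unsafe_result, safe_result)} for a side-by-side view."""
    return {p: (redirect_target_unsafe(p), redirect_target_safe(p)) for p in probes}


if __name__ == "__main__":
    for probe, (unsafe, safe) in audit().items():
        print(f"{probe!r:32} unsafe={unsafe!r:32} safe={safe!r}")
```

The allow-list shape (absolute path on this origin, nothing else) is the part that matters; deny-listing "http" prefixes is what the assistant-suggested code usually gets wrong.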

60-second workflow

Scan. Review. Fix.

1

Install and scan

pip install vibeguard-cli && vibeguard scan .

One command. Runs 11 security tools under the hood.

2

See what matters

Score: 72/100 (Grade: C) - 3 findings

Noise suppressed. Only real problems surfaced.

3

Generate a fix

vibeguard patch
vibeguard apply

patch writes a diff for you to read first; nothing in your working tree changes until you run apply. Keep the two steps separate rather than chaining them, or the review step disappears.

vibeguard-patch.diff
@@ -12,7 +12,7 @@ config.py
- API_KEY = 'sk-live-abc123...'
+ API_KEY = os.environ.get('API_KEY')
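Review bot: `os.environ.get('API_KEY')` returns None silently when the variable is unset, so a misconfigured deployment fails later with a confusing auth error instead of at import time; prefer `os.environ['API_KEY']` or an explicit check that raises, and confirm `import os` is present in config.py since it is outside the hunk's context. Removing the literal also does not revoke it: the `sk-live-...` key is still in git history and has to be rotated.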

@@ -45,6 +45,8 @@ requirements.txt
- pyyaml==5.3.1
+ pyyaml==6.0.1  # CVE-2020-14343 fixed
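Review bot: the comment names CVE-2020-14343, which PyYAML fixed in 5.4, so the smallest pin that closes it is `pyyaml>=5.4`; jumping to 6.0.1 crosses a major release in which `yaml.load()` requires an explicit `Loader=` argument, so grep for bare `yaml.load(` calls before applying this hunk or the upgrade will break them.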

11 scanners. One command.

VibeGuard runs industry tools under the hood and merges results into a single report. You get signal, not noise.

Secrets

Hardcoded keys, tokens, passwords

Dependencies

Vulnerable packages in your lockfile

Code patterns

SQL injection, XSS, path traversal

Docker

Misconfigs in containers

IaC

Terraform/CloudFormation issues

Supply chain

Typosquatting, malicious deps

Python

AST-based security checks

JavaScript

npm/yarn vulnerability scan

Signal over noise

You don't need 500 warnings

Most security tools bury you in alerts. VibeGuard triages findings into what actually matters for your codebase.

Raw scanner output: 127 findings
After deduplication: 34 findings
After triage: 5 real problems

How triage works

Removes duplicates

Same issue from multiple scanners counted once

Filters false positives

Known noisy patterns suppressed automatically

Scores by severity

Critical issues surface first

Context-aware

Test code treated differently than production
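To make the four triage steps concrete, here is an added example that runs them over a constructed batch of findings from four scanners. It is not VibeGuard's implementation; the rule-family table, the noise list and the test-path heuristic are assumptions chosen for the example, as is the rule that a secret in a test fixture is never downgraded (a live key is a live key wherever it sits).

```python
from collections import defaultdict

# Severity ordering used for ranking and for the "real problem" cut-off.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
RANK_SEVERITY = {v: k for k, v in SEVERITY_RANK.items()}

# Map each scanner's own rule id onto a shared family so the same defect
# reported by two tools is counted once. Assumed mapping for this example.
RULE_FAMILY = {
    "gitleaks:aws-access-token": "secret",
    "trufflehog:AWS": "secret",
    "bandit:B608": "sqli",
    "semgrep:sqlalchemy-execute-raw-query": "sqli",
    "bandit:B101": "assert-used",
    "bandit:B311": "weak-random",
}

# Families that are noise in practice (assumed suppression list).
NOISY_FAMILIES = {"assert-used"}

# Constructed raw output: eight findings as four scanners might report them.
RAW_FINDINGS = [
    {"tool": "gitleaks", "rule": "gitleaks:aws-access-token", "file": "config.py", "line": 12, "severity": "critical", "message": "AWS access key"},
    {"tool": "trufflehog", "rule": "trufflehog:AWS", "file": "config.py", "line": 12, "severity": "high", "message": "AWS credential"},
    {"tool": "bandit", "rule": "bandit:B608", "file": "app/db.py", "line": 40, "severity": "medium", "message": "string-built SQL"},
    {"tool": "semgrep", "rule": "semgrep:sqlalchemy-execute-raw-query", "file": "app/db.py", "line": 40, "severity": "high", "message": "raw SQL with user input"},
    {"tool": "bandit", "rule": "bandit:B101", "file": "app/db.py", "line": 12, "severity": "low", "message": "assert used"},
    {"tool": "bandit", "rule": "bandit:B101", "file": "tests/test_db.py", "line": 7, "severity": "low", "message": "assert used"},
    {"tool": "bandit", "rule": "bandit:B311", "file": "tests/test_db.py", "line": 15, "severity": "low", "message": "random.choice"},
    {"tool": "bandit", "rule": "bandit:B311", "file": "app/tokens.py", "line": 22, "severity": "medium", "message": "random used for token"},
]


def is_test_path(path: str) -> bool:
    """Assumed heuristic: a test directory anywhere in the path, or a test_*.py
    / *_test.py file name. Matching on path parts avoids hitting 'latest_db.py'."""
    parts = path.replace("\\", "/").split("/")
    dirs, name = parts[:-1], parts[-1]
    return (any(d in ("test", "tests", "spec", "__tests__") for d in dirs)
            or name.startswith("test_") or name.endswith("_test.py"))


def dedupe(raw: list) -> list:
    """Step 1: one finding per (file, line, family); keep the worst severity
    and remember which tools agreed."""
    buckets = defaultdict(list)
    for f in raw:
        family = RULE_FAMILY.get(f["rule"], f["rule"])
        buckets[(f["file"], f["line"], family)].append(f)
    merged = []
    for (path, line, family), group in buckets.items():
        worst = max(group, key=lambda g: SEVERITY_RANK[g["severity"]])
        merged.append({"file": path, "line": line, "family": family,
                       "severity": worst["severity"], "message": worst["message"],
                       "tools": sorted({g["tool"] for g in group})})
    return merged


def downgrade(severity: str) -> str:
    return RANK_SEVERITY[max(SEVERITY_RANK[severity] - 1, 0)]


def triage(raw: list) -> list:
    merged = dedupe(raw)
    # Step 2: drop known-noisy families.
    kept = [m for m in merged if m["family"] not in NOISY_FAMILIES]
    # Step 4 (context): test code is one notch less severe, except secrets.
    for m in kept:
        if is_test_path(m["file"]) and m["family"] != "secret":
            m["severity"] = downgrade(m["severity"])
    # Step 3: worst first, then a stable file/line order.
    kept.sort(key=lambda m: (-SEVERITY_RANK[m["severity"]], m["file"], m["line"]))
    return kept


def real_problems(triaged: list, min_severity: str = "medium") -> list:
    return [m for m in triaged
            if SEVERITY_RANK[m["severity"]] >= SEVERITY_RANK[min_severity]]


def funnel(raw: list) -> dict:
    """The raw -> deduplicated -> triaged counts, as a report would show them."""
    return {"raw": len(raw), "deduplicated": len(dedupe(raw)),
            "triaged": len(real_problems(triage(raw)))}


if __name__ == "__main__":
    print(funnel(RAW_FINDINGS))
    for m in triage(RAW_FINDINGS):
        print(f'{m["severity"]:8} {m["file"]}:{m["line"]} {m["family"]} {m["tools"]}')
```

The dedupe key uses the exact line; real tools sometimes report the same defect one line apart, so a production version would bucket by a small line window or by the offending snippet instead.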

No enterprise cosplay required

Works on your machine. Works in CI. Outputs industry-standard formats.

Runs locally

Your code never leaves your machine during scans. Reports stored locally. You choose what to export.

No cloud upload
Offline capable

CI-ready with SARIF

Output SARIF files and upload them to GitHub Code Scanning, where findings appear as code-scanning alerts on the pull request. SARIF (Static Analysis Results Interchange Format) is an OASIS standard, so the same file also feeds any other tool that reads it.

GitHub Actions
GitLab CI
Jenkins
For tech leads

Scale to your team

Running a small team without dedicated security? VibeGuard gives you repeatable checks without the enterprise overhead.

Baselines

Track legacy issues separately. Only fail builds on new findings. Work through tech debt without blocking current work.

Policy presets

Same rules for everyone. Define what's critical, what's warning, what's ignored. Consistency without meetings.

Shared configs

Commit .vibeguard.yml to your repo. New team members get the same setup automatically.
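The baseline gating described above and the SARIF output from the CI section, as one added example rather than VibeGuard's code: fingerprint keys a finding on file, rule family and the offending line's text (not its line number) so the baseline survives edits elsewhere in the file; gate fails only on new findings at or above a threshold; to_sarif writes the survivors as a SARIF 2.1.0 document of the shape GitHub Code Scanning accepts. The findings, the baseline and the tool name are constructed inline.

```python
import hashlib
import json
import re

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
# SARIF has four result levels; collapse the five-step scale onto them.
SARIF_LEVEL = {"critical": "error", "high": "error", "medium": "warning",
               "low": "note", "info": "note"}


def fingerprint(finding: dict) -> str:
    """Stable id for a finding: file + rule family + whitespace-normalised
    snippet. Line numbers are deliberately left out so the baseline still
    matches after unrelated lines are added above the finding."""
    snippet = re.sub(r"\s+", " ", finding["snippet"]).strip()
    raw = "\0".join((finding["file"], finding["family"], snippet))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()[:16]


def new_findings(findings: list, baseline: set) -> list:
    return [f for f in findings if fingerprint(f) not in baseline]


def gate(findings: list, baseline: set, fail_on: str = "high"):
    """Return (exit_code, new): exit_code is 1 only if a *new* finding is at
    or above `fail_on`. Legacy findings already in the baseline never block."""
    new = new_findings(findings, baseline)
    blocking = [f for f in new
                if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[fail_on]]
    return (1 if blocking else 0), new


def to_sarif(findings: list, tool_name: str = "example-scanner",
             tool_version: str = "0.0.0") -> dict:
    """Minimal SARIF 2.1.0 log: one run, one result per finding."""
    results = []
    for f in findings:
        results.append({
            "ruleId": f["family"],
            "level": SARIF_LEVEL[f["severity"]],
            "message": {"text": f["message"]},
            # Code Scanning uses partialFingerprints to keep an alert's identity
            # stable across runs; the baseline fingerprint serves for that too.
            "partialFingerprints": {"primaryLocationLineHash": fingerprint(f)},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/"
                   "master/Schemata/sarif-schema-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "version": tool_version}},
                  "results": results}],
    }


def sarif_json(findings: list) -> str:
    return json.dumps(to_sarif(findings), indent=2)


# Constructed: a triaged scan of the current tree.
CURRENT = [
    {"file": "config.py", "line": 14, "family": "secret", "severity": "critical",
     "message": "hardcoded API key",
     "snippet": "API_KEY = 'EXAMPLE-KEY-000000'"},
    {"file": "app/db.py", "line": 40, "family": "sqli", "severity": "high",
     "message": "SQL built from request input",
     "snippet": "db.execute(\"SELECT * FROM users WHERE name = '\" + name + \"'\")"},
    {"file": "app/util.py", "line": 9, "family": "weak-random", "severity": "medium",
     "message": "random.random() used for a token",
     "snippet": "token = str(random.random())"},
]

# Constructed baseline from an earlier run: the same secret, back when it sat
# on line 12 with different spacing. Only fingerprints are stored.
BASELINE = {fingerprint({"file": "config.py", "family": "secret",
                         "snippet": "API_KEY  =  'EXAMPLE-KEY-000000'"})}


if __name__ == "__main__":
    code, new = gate(CURRENT, BASELINE)
    print(f"exit code {code}, {len(new)} new finding(s)")
    print(sarif_json(new))
```

In GitHub Actions the written file is uploaded with the github/codeql-action/upload-sarif action and its sarif_file input; the partialFingerprints entry is what lets Code Scanning keep one alert open across runs instead of opening a fresh one every time a line number shifts.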

Scanning is free. Forever.

Pay when it saves you time. Pro unlocks diff-based fixes generated with your own LLM key (that step sends the code being fixed to whichever LLM provider the key belongs to; scanning itself stays local), plus policy bundles for teams.


One command before you deploy

Install in 30 seconds. First scan is free. No account required. Your code stays on your machine.

pip install vibeguard-cli