About

Built for people shipping fast with AI

VibeGuard exists because AI writes code faster than humans can review it. That gap needs a seatbelt, not a seatbelt salesperson.

Why this exists

We've all been there. You're building fast with Cursor or Copilot. The code works. You ship it. Three days later, someone finds an exposed API key in your config or a dependency with a known vulnerability.

Traditional security tools weren't built for this workflow. They assume you have time for long scans, complex dashboards, and detailed triage. But when you're iterating with AI every few minutes, that model breaks down.

We wanted something simpler. One command that runs locally, tells you what matters, and offers a fix you can review. No cloud uploads. No "schedule a demo" buttons. No enterprise sales cycle for a solo developer.

VibeGuard is what we built because we needed it ourselves.

Who we built this for

Two kinds of people kept coming up when we designed VibeGuard.

The builder under deadline

Shipping weekly with Cursor, Copilot, or Claude. Accepts AI code fast, moves to the next feature. Doesn't think in vulnerabilities - thinks in "what did I miss before deploy?"

Motivated by avoiding embarrassment: leaked keys, insecure auth, bad dependencies.

The tech lead without AppSec

2 to 10 devs, no dedicated security person. Needs repeatable checks in CI, baselines across releases, and a sane workflow that doesn't require a security degree.

Will pay for speed: fixes as reviewable diffs, consistent policy presets, shared baselines.

What we believe

These aren't marketing slogans. They're constraints we build within.

Local-first

Your code is sensitive. Scans should run on your machine, not in someone else's cloud. We minimize what leaves your laptop.

Minimal data movement

The less that moves, the less that can leak. Scanning itself makes almost no network calls. The exception is BYOK patching: a patch request goes to the LLM provider you configured, under your own key, and never to us.

Reviewable fixes

Auto-fixes that merge without review are scary. We generate diffs you can read, understand, and approve before applying.

What we don't do

Being clear about boundaries matters more than feature lists.

No cloud scanning

We never upload your code to our servers. Scans run entirely on your machine or CI runner.

No auto-merge PRs

We generate diffs. We don't open PRs, merge them, or run your tests. That's your workflow to control.

No dashboards (yet)

We don't have a web portal with charts and trends. If that matters to you, we're probably not the right fit today.

No runtime protection

VibeGuard is a static analysis tool. We scan code before deploy; we don't monitor running applications.

No penetration testing

We don't probe your live systems. We look at source code and dependencies.

No compliance certifications

We're not SOC 2 certified. If you need that checkbox, we're not there yet.

Trade-offs we made

Every design choice has a cost. Here's what we traded and why.

Local scanning means no centralized view

We chose privacy over convenience. You can aggregate results yourself using SARIF exports, but we don't store your findings on our servers.
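One way to do that aggregation yourself, as an added example rather than VibeGuard's own code: it assumes (hypothetically) that each scan wrote a SARIF 2.1.0 log, the format GitHub Code Scanning accepts, and the two logs below are constructed inline so the script runs offline. The merge keeps each run intact so tool metadata stays attached to its results, duplicate findings from overlapping scans are collapsed on (rule, file, line), and a small severity gate turns the summary into a CI pass/fail.

```python
"""Merge local SARIF 2.1.0 exports and summarize them for CI.

Added example, not VibeGuard's own code. Hypothetical assumption: every scan
writes a SARIF 2.1.0 log. The two inputs below are constructed inline so this
runs offline; rule IDs, paths and messages are made up for the sample.
"""
import json
from collections import Counter
from typing import Iterable

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"
# SARIF result levels, ordered by severity (used by the CI gate below).
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def _result(rule_id, level, uri, line, text):
    """Build one SARIF result object (helper for the constructed samples)."""
    return {
        "ruleId": rule_id,
        "level": level,
        "message": {"text": text},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri},
            "region": {"startLine": line},
        }}],
    }


def _log(results):
    """Wrap results in a single-run SARIF 2.1.0 log (constructed sample)."""
    return json.dumps({
        "version": "2.1.0",
        "$schema": SARIF_SCHEMA,
        "runs": [{"tool": {"driver": {"name": "example-scanner"}},
                  "results": results}],
    })


# Constructed sample exports: a first scan, then a later scan that re-reports
# the same leaked key and adds one new finding.
SARIF_A = _log([
    _result("secrets/aws-key", "error", "config.py", 12, "Possible AWS access key"),
    _result("deps/known-vulnerability", "warning", "requirements.txt", 3,
            "Dependency has a known vulnerability"),
])
SARIF_B = _log([
    _result("secrets/aws-key", "error", "config.py", 12, "Possible AWS access key"),
    _result("auth/weak-hash", "note", "app/auth.py", 40, "MD5 used for password hashing"),
])


def load_sarif(text: str) -> dict:
    """Parse a SARIF log and reject anything that is not a 2.1.0 log with runs."""
    log = json.loads(text)
    if log.get("version") != "2.1.0" or not isinstance(log.get("runs"), list):
        raise ValueError("not a SARIF 2.1.0 log")
    return log


def result_key(result: dict) -> tuple:
    """Stable identity for a finding: rule plus its first physical location."""
    loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
    return (
        result.get("ruleId"),
        loc.get("artifactLocation", {}).get("uri"),
        loc.get("region", {}).get("startLine"),
    )


def merge_logs(logs: Iterable[dict]) -> dict:
    """Concatenate runs into one SARIF log. Runs are kept whole so driver
    metadata still travels with the results it produced."""
    merged = {"version": "2.1.0", "$schema": SARIF_SCHEMA, "runs": []}
    for log in logs:
        merged["runs"].extend(log["runs"])
    return merged


def summarize(log: dict) -> dict:
    """Count unique findings by level and rule; overlapping scans that report
    the same (rule, file, line) are counted once."""
    seen, by_level, by_rule, files = set(), Counter(), Counter(), set()
    for run in log["runs"]:
        for result in run.get("results", []):
            key = result_key(result)
            if key in seen:
                continue
            seen.add(key)
            level = result.get("level", "warning")  # SARIF's default level
            by_level[level] += 1
            by_rule[key[0]] += 1
            if key[1]:
                files.add(key[1])
    return {"total": len(seen), "by_level": dict(by_level),
            "by_rule": dict(by_rule), "files": sorted(files)}


def should_fail(summary: dict, fail_on: str = "error") -> bool:
    """CI gate: fail when any finding is at or above the chosen level."""
    threshold = LEVEL_RANK[fail_on]
    return any(LEVEL_RANK.get(level, LEVEL_RANK["warning"]) >= threshold and count
               for level, count in summary["by_level"].items())


if __name__ == "__main__":
    merged = merge_logs([load_sarif(SARIF_A), load_sarif(SARIF_B)])
    summary = summarize(merged)
    print(json.dumps(summary, indent=2))
    raise SystemExit(1 if should_fail(summary, "error") else 0)
```

Replace the two constructed strings with `open(path).read()` over the exports from each repo or CI job, and write `merged` back out with `json.dump` if you want a single file to feed into a viewer. Deduplicating on (rule, file, line) is deliberately simple; if your scanner emits SARIF `fingerprints` or `partialFingerprints`, key on those instead, since they survive line shifts between commits.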

BYOK patching means you manage LLM costs

We don't mark up API calls or lock you into a specific model. You bring your key, you pay the provider directly, you control the relationship.

CLI-first means no GUI for everything

We prioritized composability over discoverability. The CLI works in scripts, CI, and terminals. A GUI might come later, but the CLI will always be first-class.

Opinionated triage means fewer knobs

We score and filter findings using built-in rules. You can't customize every threshold. The upside: you get signal, not noise, without configuration.

Reviewable diffs mean slower fixes

We could auto-apply patches, but that's dangerous. Review takes time, but it's time well spent when you're changing security-sensitive code.

Where we are

Clear separation between what exists and what we're working toward.

What VibeGuard does today

  • 11 security scanners, one command
  • Local-first scanning (no cloud upload)
  • Unified scoring and triage
  • JSON, HTML, and SARIF reports
  • SARIF upload to GitHub Code Scanning
  • Baseline comparison for CI
  • BYOK patching with diff generation
  • Safe apply workflow with git checks
  • Works on Windows, macOS, Linux
  • Free tier with full scanning

On the roadmap

  • Team shared baselines
  • Custom policy presets
  • IDE extensions (VS Code, JetBrains)
  • More language-specific scanners
  • Correlation and confidence scoring
  • Air-gapped enterprise deployments
  • GitLab and Azure DevOps integrations
  • Offline mode improvements

Roadmap items are not commitments. Priorities shift based on user feedback and what we learn from production use.

How we work

Changelog over press releases

We ship updates and document them in the changelog. You'll know what changed, why it matters, and how to upgrade. That's more useful than a blog post full of buzzwords.

Feedback shapes priority

We read every piece of feedback. Feature requests, frustrations, bug reports - all of it goes into how we prioritize work. If something's broken for you, tell us.

No dark patterns

The free tier works forever. We don't hide features behind "contact sales" buttons. If you cancel Pro, you keep scanning. We want users, not hostages.

Small team, fast decisions

We're a small team. That means we can ship fast, respond to feedback quickly, and change direction when we learn something new. It also means we have to stay focused.

Get in touch

Bug reports

Something broken? Open an issue on GitHub with steps to reproduce.

GitHub Issues

Feature requests

Want something that doesn't exist? Start a discussion. We're listening.

GitHub Discussions

Everything else

Questions, partnerships, press, or just want to say hi.

hello@vibeguard.dev

Try it yourself

No account needed. Install and run your first scan in under a minute.

pip install vibeguard-cli