Documentation

VibeGuard Docs

Everything you need to scan, triage, and fix security issues. Time to first successful scan: under 5 minutes.

pip install vibeguard-cli

Quick Start

1. Install

pip install vibeguard-cli

2. Run your first scan

vibeguard scan .

3. See the report

vibeguard report --format html

Documentation sections

Pick a topic or scroll down for the full reference.

Getting Started

Install VibeGuard and run your first scan

Commands

Reference for all CLI commands

CI Integration

Set up VibeGuard in your pipeline

Concepts

Understand how VibeGuard works

Installation

Requirements

  • Python 3.9 or higher
  • pip (Python package manager)
  • Git (for baseline features)

Install with pip

pip install vibeguard-cli

Verify installation

vibeguard --version

Check scanner availability

vibeguard doctor

This checks which scanners are available on your system and suggests how to install any missing ones.

macOS

Works out of the box. Some scanners may need Homebrew packages.

Linux

Works on most distributions. Docker recommended for container scanning.

Windows

Requires Python from python.org. WSL recommended for best experience.

vibeguard scan

What it does

Runs all applicable security scanners against your codebase and outputs a unified report with scores and findings.

When to use it

  • Before committing new code
  • In CI pipelines to gate merges
  • After pulling in AI-generated code

Examples

vibeguard scan .

Scan current directory

vibeguard scan . --format sarif --output results.sarif

Output SARIF for GitHub Code Scanning

vibeguard scan . --baseline

Compare against existing baseline (only show new findings)

vibeguard scan . --scanners secrets,deps

Run only specific scanners

Output formats

Terminal (default)
JSON
HTML
SARIF

vibeguard patch & apply

vibeguard patch

Generates a unified diff that fixes the findings from your last scan. Requires a Pro license and an LLM API key.

vibeguard patch

vibeguard patch --model gpt-4o

vibeguard patch --finding-id VG-001

vibeguard apply

Applies the generated patch to your codebase. Includes safety checks: verifies git status, creates backup, runs validation.

vibeguard apply

vibeguard apply --dry-run

Note: Patch and apply are Pro features. You bring your own LLM key (OpenAI, Anthropic, etc.) and pay the provider directly. We don't mark up API costs.

vibeguard baseline

What it does

Manages your baseline - a snapshot of known findings that you can track separately from new issues. Essential for adopting VibeGuard on existing codebases.

Commands

vibeguard baseline create

Snapshot current findings as the baseline

vibeguard baseline show

Show what's in the current baseline

vibeguard baseline update

Update baseline after fixing issues

vibeguard baseline clear

Remove the baseline file

Concepts

What is a "finding"?

A finding is a potential security issue detected by one of VibeGuard's scanners. It could be a hardcoded secret, a vulnerable dependency, a risky code pattern, or a misconfiguration.

Each finding includes:

  • Severity: Critical, High, Medium, Low
  • Location: File path and line number
  • Description: What was found
  • Source: Which scanner detected it
  • Recommendation: How to fix it

What is a "baseline"?

A baseline is a snapshot of findings at a point in time. When you scan with --baseline, VibeGuard only reports findings not in the baseline - so you see new issues, not legacy ones.

Use baselines when adopting VibeGuard on an existing codebase. You can track legacy issues separately while ensuring new code doesn't introduce more problems.

What is "SARIF"?

SARIF (Static Analysis Results Interchange Format) is a standard JSON format for static analysis output. It's supported by GitHub, Azure DevOps, and other platforms.

When you output SARIF with --format sarif, you can upload the results to GitHub Code Scanning. Findings appear in the Security tab and as inline comments on PRs.
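The two concepts above, baseline filtering and SARIF output, as one added worked example. This is not VibeGuard's own code: it uses constructed sample findings carrying the five fields the docs list (severity, location, description, source, recommendation), a fingerprint that deliberately ignores the line number so that code shifting up or down does not resurface a legacy finding as "new" (a design choice for this example, not a statement about how VibeGuard matches findings), a hypothetical rule-ID scheme, and a mapping of the four severities onto SARIF's error/warning/note levels. It produces a minimal SARIF 2.1.0 log of the shape GitHub Code Scanning ingests.

```python
import hashlib
import json

# Constructed sample findings (not real scan output); the fields are the five
# the docs list for each finding: severity, location (path + line),
# description, source (scanner) and recommendation.
LEGACY_FINDINGS = [
    {"severity": "High", "path": "app/config.py", "line": 12,
     "description": "Hardcoded API token", "source": "secrets",
     "recommendation": "Load the token from an environment variable"},
    {"severity": "Medium", "path": "requirements.txt", "line": 3,
     "description": "requests pinned to a version with a known advisory",
     "source": "deps", "recommendation": "Upgrade to a patched release"},
]

# A later scan: both legacy findings are still present (the first has moved
# because lines were inserted above it) plus one genuinely new issue.
CURRENT_FINDINGS = [
    {**LEGACY_FINDINGS[0], "line": 15},
    LEGACY_FINDINGS[1],
    {"severity": "Critical", "path": "app/db.py", "line": 41,
     "description": "SQL query built with string formatting", "source": "code",
     "recommendation": "Use parameterised queries"},
]

# The docs' four severities mapped onto SARIF's result.level values.
SARIF_LEVEL = {"Critical": "error", "High": "error",
               "Medium": "warning", "Low": "note"}


def fingerprint(finding):
    """Stable identity for a finding. The line number is left out on purpose
    so that a legacy finding keeps its baseline entry when surrounding code
    moves (this example's choice, not VibeGuard's documented behaviour)."""
    key = "|".join([finding["source"], finding["path"], finding["description"]])
    return hashlib.sha256(key.encode()).hexdigest()


def create_baseline(findings):
    """Like 'baseline create': snapshot the fingerprints of everything found now."""
    return sorted(fingerprint(f) for f in findings)


def new_findings(findings, baseline):
    """Like 'scan --baseline': keep only findings absent from the snapshot."""
    known = set(baseline)
    return [f for f in findings if fingerprint(f) not in known]


def to_sarif(findings, tool_name="vibeguard"):
    """Build a minimal SARIF 2.1.0 log: one run, one rule per distinct
    (source, description) pair, one result per finding."""
    rules, rule_index, results = [], {}, []
    for f in findings:
        # Hypothetical rule-ID scheme: scanner name plus a short description hash.
        desc_hash = hashlib.sha256(f["description"].encode()).hexdigest()[:8]
        rule_id = f"{f['source']}/{desc_hash}"
        if rule_id not in rule_index:
            rule_index[rule_id] = len(rules)
            rules.append({"id": rule_id,
                          "shortDescription": {"text": f["description"]},
                          "help": {"text": f["recommendation"]}})
        results.append({
            "ruleId": rule_id,
            "ruleIndex": rule_index[rule_id],
            "level": SARIF_LEVEL[f["severity"]],
            "message": {"text": f"{f['description']}. {f['recommendation']}"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["path"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"]}}}],
            # Stable across re-runs so the consuming platform can de-duplicate alerts.
            "partialFingerprints": {"primaryLocationLineHash": fingerprint(f)},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": rules}},
                  "results": results}],
    }


if __name__ == "__main__":
    baseline = create_baseline(LEGACY_FINDINGS)
    fresh = new_findings(CURRENT_FINDINGS, baseline)
    print(f"{len(CURRENT_FINDINGS)} findings, {len(fresh)} new since baseline")
    print(json.dumps(to_sarif(fresh), indent=2))
```

Run as a script it reports three findings of which one is new, then prints the SARIF for that one finding; feeding the filtered list rather than the full list into the SARIF writer is what makes a baseline useful in CI, since only the new issue reaches the Security tab and the PR comments.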

Learn more about GitHub SARIF support →

Troubleshooting

vibeguard: command not found

Make sure your Python scripts directory is in your PATH. On Windows, you may need to restart your terminal. Try running with python -m vibeguard scan . instead.

Scanner X is not available

Run vibeguard doctor to see which scanners are missing and how to install them. Some scanners require additional system dependencies.

Scan is very slow

Try excluding large directories with --exclude node_modules,dist,.git. You can also run specific scanners with --scanners secrets,deps instead of all 11.

SARIF upload fails

Make sure you're using --format sarif (not --format json). Check that the file path in your GitHub Action matches the --output path.

Patch generates incorrect fix

Patches are AI-generated and should always be reviewed. You can regenerate with a different model using --model, or manually edit the diff file before applying.

Need help?

Can't find what you're looking for? Check the GitHub repo for issues and discussions, or reach out directly.