Diff-based fixes you can actually review
VibeGuard generates unified diffs for each finding. You review them. You apply them. No magic, no surprises.
This is a Pro feature. Scanning is free; patching requires a subscription.
Finding issues is easy. Fixing them is work.
A security scanner tells you "hardcoded secret on line 47 of config.py." Great. Now you need to:
1. Open the file and find line 47
2. Understand the context (what is this secret used for?)
3. Figure out the right fix (env var? secrets manager? config file?)
4. Write the fix and make sure it doesn't break anything
5. Repeat for every finding
Patch does steps 2-4 for you. You get a diff showing exactly what changed. You review it. You apply it.
What patch does
When you run `vibeguard patch`, VibeGuard takes each finding and generates a unified diff that fixes the issue.
The diff is saved locally. You review it like any code change. Then you decide whether to apply it.
@@ -12,7 +12,7 @@ config.py
- API_KEY = 'sk-live-abc123xyz789'
+ API_KEY = os.environ.get('API_KEY')
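Review bot: `os.environ.get('API_KEY')` silently yields `None` when the variable is unset, so a missing configuration only surfaces at first use of the key; `os.environ['API_KEY']` (or an explicit startup check) fails fast instead. Removing the literal also does not retire it: the old value remains in git history, so the key should be rotated, not just deleted. The header `@@ -12,7 +12,7 @@` declares seven lines on each side but the hunk shows one removed and one added line, so as printed it will not apply with standard patch tooling.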
@@ -1,4 +1,5 @@
+ import os
from flask import Flask
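Review bot: this hunk starts at line 1 but comes after the hunk at line 12; `patch` and `git apply` expect hunks in ascending line order within a file, so the two should be swapped (and the file name belongs in `--- a/config.py` / `+++ b/config.py` headers ahead of the first hunk rather than trailing its `@@` line). The counts `-1,4 +1,5` also promise four context lines while only `from flask import Flask` is shown.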
BYOK: Bring Your Own Key
Patch generation uses your LLM provider. You control the model, the key, and the cost.
You choose the model
OpenAI (GPT-4, GPT-4o), Anthropic (Claude), or any OpenAI-compatible provider. Pick what works for your use case and budget.
You provide your key
Your API key stays on your machine, used directly by VibeGuard. We never see it, store it, or transmit it through our servers.
You pay the provider
Token costs go directly to OpenAI/Anthropic/etc. Typical patch costs $0.01-0.10. We charge for Pro features, not LLM usage.
We handle orchestration
Prompting, diff generation, validation, and safety checks are our job. You get a clean diff without prompt engineering.
What gets sent to the LLM
Sent to your LLM
- The code snippet with the finding (10-50 lines)
- The finding message and severity
- The file path within your project
- Instructions for generating a minimal fix
NOT sent
- Your full repository
- Other unrelated files
- Your git history
- Environment variables or .env contents
- Anything to VibeGuard's servers
Safety rules
Every generated patch follows these constraints:
Minimal diff
Changes only what's necessary to fix the finding. No drive-by refactoring, no 'improvements' you didn't ask for.
No new deps unless necessary
Won't add packages to fix simple issues. Prefers stdlib solutions. If a dep is needed, it's flagged for review.
Manual review markers
Adds comments like '# REVIEW: verify this change' when the fix is uncertain or might affect behavior.
The apply workflow
After reviewing the diff, run `vibeguard apply` to apply it safely:
Git safety check
Verifies you have a clean working tree and the file hasn't changed since the scan.
Dry-run preview
Shows exactly what will change before applying. Abort if it looks wrong.
Apply patch
Applies the diff using standard patch tooling. Creates a backup automatically.
Revert if needed
Run `vibeguard apply --revert` to undo the last applied patch instantly.
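The apply step above, as an added example in Python that is not VibeGuard's own code: a strict single-file unified-diff applier (every context and removed line must match the source, hunks must be in ascending order, lines outside a hunk are ignored) and a wrapper that refuses to patch a file whose digest differs from the one recorded at scan time, supports a dry run, and writes a `.bak` before touching the file. The git clean-tree check, the scan-time digest recording and the revert (restoring the `.bak`) are assumed to happen elsewhere; `ORIGINAL` and `DIFF` are constructed sample input.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample input (not from VibeGuard): a config file and a two-hunk fix diff.
ORIGINAL = "from flask import Flask\n\napp = Flask(__name__)\nAPI_KEY = 'sk-live-placeholder'\n"
DIFF = (
    "--- a/config.py\n+++ b/config.py\n@@ -1,3 +1,4 @@\n+import os\n from flask import Flask\n \n"
    " app = Flask(__name__)\n@@ -4 +5 @@\n-API_KEY = 'sk-live-placeholder'\n"
    "+API_KEY = os.environ['API_KEY']  # REVIEW: raises at import if unset\n"
)

def apply_unified_diff(original: str, diff: str) -> str:
    """Apply single-file unified-diff hunks to `original`, failing on any context mismatch."""
    src = original.splitlines(keepends=True)
    out, pos, old, new = [], 0, 0, 0  # pos = next unconsumed source line; old/new = hunk lines left
    for line in diff.splitlines(keepends=True):
        m = re.match(r"@@ -(\d+)(?:,(\d+))? \+\d+(?:,(\d+))? @@", line)
        if m:  # hunk header: copy untouched source up to the hunk start
            start = max(int(m.group(1)) - 1, 0)
            if start < pos:
                raise ValueError("hunks must be in ascending line order")
            out.extend(src[pos:start])
            pos, old, new = start, int(m.group(2) or 1), int(m.group(3) or 1)
            continue
        if old == new == 0:
            continue  # outside any hunk: ---/+++ headers, commit text, signatures
        tag, body = (" ", "\n") if line == "\n" else (line[0], line[1:])
        if tag in " -":  # context and removed lines must match the source exactly
            if pos >= len(src) or src[pos] != body:
                raise ValueError(f"context mismatch at source line {pos + 1}")
            pos, old = pos + 1, old - 1
        if tag in " +":
            out.append(body)
            new -= 1
        elif tag not in "-\\":  # "\ No newline at end of file" is neither
            raise ValueError(f"unexpected diff line: {line!r}")
    out.extend(src[pos:])
    return "".join(out)

def safe_apply(path: Path, diff: str, scan_digest: str, dry_run: bool = False) -> str:
    """Patch `path` only if it is unchanged since the scan (assumed recorded as a SHA-256 hex digest)."""
    if hashlib.sha256(path.read_bytes()).hexdigest() != scan_digest:
        raise RuntimeError(f"{path} changed since the scan; re-scan before patching")
    patched = apply_unified_diff(path.read_text(), diff)
    if not dry_run:
        path.with_name(path.name + ".bak").write_text(path.read_text())  # revert = restore this
        path.write_text(patched)
    return patched
```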
Bulk patching
Got 20 findings? You don't have to patch them one by one.
Patch by severity
`vibeguard patch --severity critical,high`
Only patch critical and high severity findings.
Patch all
`vibeguard patch --all`
Generate diffs for every finding. Review them all, apply what makes sense.
Pro tip: Start with critical/high findings. Get those fixed and merged first. Then tackle medium/low findings in a separate PR.
Team workflow
For teams, the patch workflow fits naturally into your existing process:
Patches are just diffs. They can be reviewed, discussed, and modified like any other code change. No special tooling required.