Security Glossary

Security terms, explained

Plain-English definitions for security jargon. No gatekeeping, no acronym soup.

A

API Key

A secret token used to authenticate requests to an API. If it is exposed in your code, attackers can use it to access services on your behalf. VibeGuard scans for hardcoded API keys.

B

Baseline

A snapshot of existing security findings in your codebase. With a baseline set, VibeGuard only alerts you to new issues, making it easier to adopt on legacy projects.

BYOK (Bring Your Own Key)

A model where you provide your own API key for a service. In VibeGuard, BYOK patching means you use your own LLM provider API key: your code goes to your provider, not to VibeGuard.

C

CI/CD

Continuous Integration / Continuous Deployment. Automated pipelines that build, test, and deploy your code. VibeGuard integrates into CI/CD to catch issues before they reach production.

CVE

Common Vulnerabilities and Exposures. A standardized identifier for publicly known security vulnerabilities (e.g., CVE-2021-44228 for Log4Shell). VibeGuard's dependency scanner checks for known CVEs.

D

Dependency

External code your project relies on (npm packages, pip packages, etc.). Dependencies can contain vulnerabilities that affect your application.

Diff

A unified diff is a text representation of the difference between two versions of a file. VibeGuard's patch feature generates diffs that you can review and apply to fix vulnerabilities.

F

Finding

A security issue detected by a scanner. VibeGuard triages findings to prioritize actionable issues over noise.

G

GitHub Actions

GitHub's CI/CD platform. VibeGuard provides a workflow that runs scans and uploads SARIF results to GitHub Code Scanning.

H

Hardcoded Secret

A password, API key, or token written directly in source code instead of using environment variables or a secrets manager. This is dangerous because secrets in code can be leaked in version control.

I

Injection

A vulnerability where untrusted data is sent to an interpreter as part of a command. SQL injection, command injection, and XSS are common types. VibeGuard scans for injection patterns.

L

LLM (Large Language Model)

AI models like GPT-4 or Claude that can generate text and code. VibeGuard uses LLMs (via BYOK) to generate patches for detected vulnerabilities.

P

Patch

A code change that fixes a vulnerability. VibeGuard Pro generates patches as unified diffs that you review before applying.

S

SARIF

Static Analysis Results Interchange Format. A standard JSON format for static analysis tool outputs. VibeGuard outputs SARIF files that can be uploaded to GitHub Code Scanning.

SAST

Static Application Security Testing. Analyzing source code for vulnerabilities without executing it. VibeGuard includes SAST capabilities among its 11 scanners.

SCA

Software Composition Analysis. Scanning dependencies for known vulnerabilities. VibeGuard's dependency scanner performs SCA.

Secret

Sensitive information like passwords, API keys, tokens, or certificates. VibeGuard scans for secrets that shouldn't be in your codebase.

Severity

How serious a finding is. Typically: critical, high, medium, low, info. VibeGuard lets you filter and fail builds based on severity thresholds.

SQL Injection

An injection attack where malicious SQL is inserted into a query. If your app builds SQL queries from user input without proper sanitization, it's vulnerable.

T

Triage

The process of sorting and prioritizing findings. VibeGuard's triage system filters false positives and surfaces the issues that matter most.

V

Vibe Coding

Building with AI assistants (Cursor, Copilot, Claude) and iterating quickly without deeply reviewing every line. VibeGuard acts as a sanity check for vibe-coded projects.

X

XSS

Cross-Site Scripting. A vulnerability where attackers inject malicious scripts into web pages viewed by other users. VibeGuard scans for XSS patterns.

Missing a term?

Let us know and we'll add it.