How it works

From command to fix,
step by step

Here's exactly what happens when you run vibeguard scan .

No magic. No black boxes. Just a straightforward pipeline that turns your code into a prioritized list of things to fix.

The pipeline

Six stages transform your codebase into actionable security insights. Each stage has one job, and does it well.

Step 1

Scan

Run 11 security tools against your codebase. Secrets, dependencies, code patterns, IaC configs - all checked in one command.

Step 2

Normalize

Convert outputs from different tools into a consistent format. Every finding gets the same structure, regardless of which scanner found it.

Step 3

Triage

Suppress noise, deduplicate, and surface only findings that matter. This is where 500 warnings become 5 real problems.

Step 4

Report

Generate a score (0-100), a grade (A-F), and output in your format of choice: terminal, JSON, HTML, or SARIF.

Step 5

Patch

Generate a unified diff for each finding using your LLM provider. The diff is saved locally for you to review before anything changes.

Step 6

Apply

Apply the diff with git safety checks. Dry-run first, revert if needed. No auto-merges, no surprise commits.

What is a "finding"?

A finding is when a scanner detected something worth your attention: a risky pattern, a vulnerable dependency, a misconfiguration, or an exposed secret.

Every finding includes the same information, no matter which tool discovered it:

Location

File path and line number

Severity

Critical, High, Medium, or Low

Description

Plain-English explanation of the issue

Source

Which scanner found it

Examples of findings

Secret
critical

AWS access key hardcoded in config.py

Dependency
high

pyyaml 5.3.1 has a known deserialization bug

Code Pattern
high

SQL query built with string concatenation

Misconfiguration
medium

Dockerfile runs as root user

What is a "scanner"?

A scanner is a specialized tool that looks for one type of problem. VibeGuard runs 11 of them and combines their results.

Secrets

Tools: Gitleaks, TruffleHog

API keys, passwords, tokens in your code

Dependencies

Tools: Trivy, npm-audit, pip-audit, cargo-audit

Packages with known vulnerabilities

Code Patterns

Tools: Semgrep, Bandit

Dangerous code patterns like SQL injection, XSS

Infrastructure

Tools: Checkov, Dockle

Misconfigurations in Terraform, Docker, K8s

VibeGuard auto-detects which scanners to run based on your project files.

How triage works

Running 11 scanners can produce hundreds of results. Triage filters that down to what actually matters.

You don't need 500 warnings.

You need 5 real problems.

What triage does:

Deduplicates: If three scanners find the same secret, you see it once.
Suppresses noise: Low-confidence findings and known false positives get filtered out.
Prioritizes: Critical findings (like exposed secrets) rise to the top.
Respects baselines: If you've marked something as 'accepted risk,' it won't keep nagging you.

Understanding your score

Every scan produces a score from 0-100 and a letter grade. Here's what they mean.

Numeric Score (0-100)

Starts at 100. Each finding subtracts points based on severity:

  • Critical finding-25 points
  • High finding-15 points
  • Medium finding-5 points
  • Low finding-1 point

Letter Grade (A-F)

Quick shorthand for overall security posture:

  • A (90-100)Looking good
  • B (80-89)Minor issues
  • C (70-79)Needs attention
  • D (60-69)Significant issues
  • F (<60)Critical problems

Why SARIF exists

SARIF (Static Analysis Results Interchange Format) is a standard file format for static analysis output.

Think of it as a universal language that all security tools can speak.

Why it matters for you:

GitHub supports uploading SARIF files from third-party tools. When you export SARIF from VibeGuard and upload it, your findings appear in GitHub's Security tab alongside native CodeQL results.

SARIF Specification (OASIS)GitHub SARIF Upload Docs

What "patch" does

The patch command generates a fix for each finding. But it doesn't change anything automatically - that's by design.

What it does

  • Generates a unified diff you can review
  • Uses your LLM provider with your API key
  • Validates the diff syntax before saving
  • Adds "manual review required" markers when uncertain

What it doesn't do

  • Does not auto-merge or auto-commit
  • Does not open pull requests
  • Does not run tests automatically
  • Does not change your files without explicit apply
Example: finding-001.diff
@@ -12,7 +12,7 @@ config.py
- API_KEY = 'sk-live-abc123xyz789'
+ API_KEY = os.environ.get('API_KEY')

@@ -1,4 +1,5 @@
+ import os
  from flask import Flask

What "apply" does

Once you've reviewed a patch, the apply command puts it into action - with safety checks at every step.

1

Git safety check

Verifies you have a clean working tree and the file hasn't changed since the scan.

2

Dry-run preview

Shows exactly what will change before applying. You can abort here if something looks wrong.

3

Apply patch

Applies the diff using standard patch tooling. Creates a backup automatically.

4

Verification

Confirms the patch was applied correctly. If not, suggests next steps.

Need to undo? Run vibeguard apply --revert to roll back the last applied patch.

What stays local vs what leaves

We designed VibeGuard with a simple principle: minimize what moves off your machine.

Stays on your machine

  • All scanner execution and analysis
  • Your source code (never transmitted)
  • Reports (JSON, HTML, SARIF)
  • Baselines and configurations
  • Generated diffs
  • Apply operations and git checks

Leaves your machine (when you choose)

  • When you run patch: Minimal code context sent to your chosen LLM provider
  • When you upload SARIF: Finding metadata (not source code) goes to GitHub
  • Pro license check: Your license key is validated with our server

See it in action

Install VibeGuard and run your first scan in under a minute. No account required.

pip install vibeguard-cli