Having trouble with VibeSec? Here are some common issues and how to resolve them.
Installation Issues
"Command not found: vibesec"
If you've installed VibeSec globally but the command isn't recognized, ensure your npm global binaries directory is in your PATH.
# Check npm global bin path
npm config get prefix
# Add to PATH (example for macOS/Linux)
export PATH=$PATH:$(npm config get prefix)/bin
Scan Issues
Local .env files are flagged
VibeSec only flags .env files when they are tracked by git (committed or otherwise tracked). Local .env / .env.local files that exist on disk but are not tracked should not trigger findings.
If you still see a .env finding:
- Check whether it is tracked:
git ls-files .env .env.local
- If needed, remove it from git tracking and rotate secrets.
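The check and the untracking step above can be scripted as follows. This is an added example, not part of VibeSec: the function names are hypothetical, and it goes beyond the two filenames above by matching .env and .env.* at any depth of the repository.

```shell
#!/bin/sh
# Added example, not VibeSec code; function names are hypothetical.

# List tracked files named .env or .env.* at any depth of the repo in $1.
# Templates such as .env.example match too, so review the list first.
tracked_env_files() {
    git -C "$1" ls-files -- ':(glob)**/.env' ':(glob)**/.env.*'
}

# Stop tracking $2 (path relative to the repo in $1) without deleting it
# from disk, then ignore it so it is not re-added by accident.
# History still contains the old contents, hence the secret rotation.
untrack_env_file() {
    git -C "$1" rm --cached --quiet -- "$2" || return 1
    grep -qxF -- "$2" "$1/.gitignore" 2>/dev/null ||
        printf '%s\n' "$2" >> "$1/.gitignore"
}

# Usage (from anywhere):
#   tracked_env_files /path/to/repo
#   untrack_env_file /path/to/repo .env
```

Commit the resulting index and .gitignore changes afterwards so the file stays untracked for everyone who pulls.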
No color / strange terminal output
If your terminal does not render colors cleanly, disable ANSI colors:
vibesec scan . --no-color
Or set the environment variable:
NO_COLOR=1
Framework not detected
VibeSec uses a combination of package.json dependencies and file structure to detect frameworks. If your framework isn't detected:
- Ensure you are running the command from the project root.
- Manually specify the framework using --framework (e.g. auto, nextjs, astro, sveltekit, express, react-native, expo).
vibesec scan . --framework nextjs
Missing findings
If you expect to see findings but none are reported:
- Check if the files are ignored in .gitignore or .vibesec.yaml.
- Ensure you are using the correct severity threshold. By default, VibeSec reports all findings, but your configuration might be filtering them.
CI/CD Issues
GitHub Action fails to upload SARIF
Ensure your repository has GitHub Advanced Security enabled if you are using a private repository. For public repositories, this feature is available for free.
Check that the out-file in your GitHub Action matches the sarif_file path in the upload step.
If you're still stuck, feel free to open an issue on GitHub or contact our support team.