
CI/CD integration

Integrating VibeSec into your CI/CD pipeline is the best way to ensure that security regressions never reach production. VibeSec is designed to be lightweight and fast, making it ideal for gating pull requests.

GitHub Actions

VibeSec provides an official GitHub Action. We recommend emitting results in SARIF format and uploading them to GitHub Code Scanning.

Basic Workflow

```yaml
name: Security Scan
on:
  pull_request:

jobs:
  vibesec:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run VibeSec
        uses: Reliability-Works/vibesec@v1
        with:
          path: .
          fail-on: high
          output: sarif
          out-file: vibesec.sarif

      - name: Upload results to GitHub
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: vibesec.sarif
```

Action Inputs

| Input | Default | Description |
| --- | --- | --- |
| path | . | Directory to scan. |
| framework | auto | Framework to use (nextjs, express, etc.). |
| fail-on | low | Severity that triggers a non-zero exit code. |
| output | cli | Format of the results (cli, sarif, json, html). |
| config | "" | Path to a custom .vibesec.yaml. |

Failing the Build

The --fail-on flag (or the fail-on input in GitHub Actions) sets the minimum severity at which a finding causes the scan to fail:

  • critical: Only fail if critical vulnerabilities are found.
  • high: Fail on high or critical vulnerabilities.
  • medium: Fail on medium, high, or critical vulnerabilities.
  • low: Fail if any vulnerabilities are found (default).

Best Practices

1. Start with high severity

When introducing VibeSec to a large legacy project, consider setting fail-on: high initially and using Baselines to manage existing debt without blocking immediate progress.

2. Use SARIF for visibility

By uploading SARIF to GitHub, developers can see security findings directly in the "Checks" or "Files Changed" tab of their Pull Request. This significantly improves the developer feedback loop.

3. Scan on every push

While we recommend gating PRs, running VibeSec on every push to your main branch ensures that any bypasses or direct commits are also captured.

Version pinning

For GitHub Actions we recommend using the moving major tag:

  • Reliability-Works/vibesec@v1 (tracks the latest stable 1.x)

If you need fully reproducible builds:

  • pin to a specific tag such as Reliability-Works/vibesec@v1.0.2, or
  • pin to a commit SHA.
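As an added example (not part of the VibeSec project or its documentation), the following POSIX shell lint lists every uses: reference in a workflow file that is not pinned to a full 40-character commit SHA, so a CI job can enforce the reproducible-build option described above. The sample input is the workflow from this page with the upload step pinned to a constructed placeholder SHA.

```shell
# Added example (not part of the VibeSec project or its docs): a lint that
# lists every `uses:` reference in a GitHub workflow file that is not pinned
# to a full 40-character commit SHA, the "fully reproducible" option above.
# Assumes POSIX sh, sed -E and grep -E.

# Print the value of every `uses:` key in a workflow file, one per line,
# with surrounding quotes and trailing comments removed.
list_action_refs() {
  sed -nE 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*"?([^" #]+)"?.*$/\1/p' "$1"
}

# Succeed when a reference is pinned to a 40-hex commit SHA. Local actions
# (./path) and docker:// images carry no git ref and are treated as pinned.
is_pinned() {
  case "$1" in
    ./*|docker://*) return 0 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '@[0-9a-f]{40}$'
}

# Print every unpinned reference found in the given workflow file.
find_unpinned() {
  list_action_refs "$1" | while IFS= read -r ref; do
    is_pinned "$ref" || printf '%s\n' "$ref"
  done
}

# Exit 0 when every reference is SHA-pinned; otherwise list the offenders
# on stderr and exit 1 so the check can gate a CI job.
check_workflow() {
  unpinned="$(find_unpinned "$1")"
  [ -z "$unpinned" ] && return 0
  printf '%s\n' "$unpinned" | sed 's/^/unpinned action reference: /' >&2
  return 1
}

# Constructed sample: the workflow from this page, with the upload step
# pinned to a placeholder SHA (not a real github/codeql-action commit).
SAMPLE_WORKFLOW="$(mktemp)"
cat >"$SAMPLE_WORKFLOW" <<'EOF'
jobs:
  vibesec:
    steps:
      - uses: actions/checkout@v4
      - uses: Reliability-Works/vibesec@v1   # moving major tag
      - uses: "github/codeql-action/upload-sarif@0123456789abcdef0123456789abcdef01234567"
EOF

check_workflow "$SAMPLE_WORKFLOW" || echo "pin the references above before merging"
```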

Other CI Platforms

Because VibeSec is a standard Node.js CLI, it can run on any CI platform (GitLab CI, Jenkins, Bitbucket Pipelines, etc.).

```bash
# In your CI script
npm install -g @reliabilityworks/vibesec
vibesec scan . --fail-on high --output json --out-file report.json
```