This page is a complete reference for the vibesec CLI.
Command
vibesec scan [path]
Scan a directory for security findings.
- Default path: `.`
- Default framework: `auto` (detect)
- Default output: `cli`
```bash
# Scan current directory
vibesec scan .
# Force a framework
vibesec scan . --framework nextjs
# Run in CI and fail on high+
vibesec scan . --fail-on high
```
Options
| Flag | Default | Notes |
|---|---|---|
| `--framework <name>` | `auto` | `auto` or comma-separated: `nextjs,react-native,expo,express,sveltekit,astro` |
| `--fail-on <severity>` | `high` | Exit non-zero when a finding is at or above: `low`, `medium`, `high`, `critical` |
| `--output <format>` | `cli` | `cli`, `json`, `sarif`, `html` |
| `--out-file <path>` | (none) | Write output to a file instead of stdout |
| `--config <path>` | (none) | Use a specific config file (otherwise `.vibesec.yaml` / `.vibesec.yml`) |
| `--rules-dir <path>` | (none) | Custom rules directory (default is `.vibesec/rules`) |
| `--write-baseline [path]` | (none) | Write a baseline file (defaults to `.vibesec.baseline.yaml` in scan root) |
| `--no-color` | (enabled) | Disable ANSI colors for `--output cli` |
Output formats
```bash
# JSON for tooling
vibesec scan . --output json --out-file vibesec.json
# SARIF for GitHub Code Scanning
vibesec scan . --output sarif --out-file vibesec.sarif
# Self-contained HTML report
vibesec scan . --output html --out-file report.html
```
Exit codes
VibeSec uses exit codes so it can gate CI pipelines:
- `0`: Scan completed and no findings met the `--fail-on` threshold.
- `1`: Scan completed and at least one finding met the `--fail-on` threshold.
- `2`: The CLI failed (invalid config, unexpected error, etc).
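A CI gate should keep "findings" (exit `1`) separate from "scan did not run" (exit `2` or anything else) and never let the latter pass. The wrapper below is an added example, not part of VibeSec; the names `gate_scan` and `VIBESEC_BIN` are assumptions made for the example, and it assumes a completed scan always writes the file named by `--out-file`.

```bash
#!/usr/bin/env bash
# Added example: fail-closed CI gate around `vibesec scan`.
# VIBESEC_BIN and gate_scan are hypothetical names, not part of the CLI.
VIBESEC_BIN="${VIBESEC_BIN:-vibesec}"

# gate_scan <path> <fail-on severity> <sarif output file>
# Returns 0 = pass, 1 = findings at/above threshold, 2 = scan did not run correctly.
gate_scan() {
  local path threshold sarif rc
  path="$1"; threshold="$2"; sarif="$3"; rc=0

  # Remove any stale report so an old file can never stand in for this run.
  rm -f -- "$sarif"

  "$VIBESEC_BIN" scan "$path" --fail-on "$threshold" \
    --output sarif --out-file "$sarif" || rc=$?

  case "$rc" in
    0|1)
      # Documented "scan completed" codes. Require a non-empty report so a
      # wrapper that exits 0 without scanning does not pass the gate
      # (assumption: a completed scan always writes --out-file).
      if [ ! -s "$sarif" ]; then
        echo "gate: exit $rc but no report at $sarif; failing closed" >&2
        return 2
      fi
      if [ "$rc" -eq 1 ]; then
        echo "gate: findings at or above '$threshold'" >&2
      fi
      return "$rc"
      ;;
    *)
      # 2 is the documented CLI failure; any other code (127 not found,
      # 137 killed, ...) is also treated as a failed scan, never as a pass.
      echo "gate: scanner failed (exit $rc); failing closed" >&2
      return 2
      ;;
  esac
}
```

In a pipeline, call `gate_scan . high vibesec.sarif` and upload the SARIF file on return codes `0` and `1` only.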
Color control
`--output cli` uses colors when printing to a TTY. Colors are disabled automatically when:
- writing to `--out-file`
- stdout is not a TTY
- `TERM=dumb`

You can also disable colors explicitly:
- `vibesec scan . --no-color`
- or set `NO_COLOR=1` in your environment