
Configuration

VibeSec is designed to be zero-config, but you can fine-tune its behavior using a configuration file in your repository root.

Config File

VibeSec looks for any of these files in the directory being scanned:

  • .vibesec.yaml
  • .vibesec.yml

You can also provide an explicit configuration path using the --config flag:

```bash
vibesec scan . --config path/to/my-config.yaml
```

Ignoring Findings

You can ignore specific rules or individual findings by adding them to the ignore list in your config.

Ignore by Rule ID

To suppress a rule globally or within specific directories:

```yaml
ignore:
  # Ignore a rule project-wide
  - rule: nextjs/react-strict-mode-disabled
    reason: intentional for this project

  # Ignore only in specific paths
  - rule: express/sql-string-concat
    paths:
      - "tests/**"
      - "scripts/**"
    reason: accepted risk in non-production code
```

Ignore by Fingerprint

Every VibeSec finding has a unique, stable fingerprint. This allows you to ignore a single instance of a vulnerability without suppressing the rule project-wide.

```yaml
ignore:
  - finding: "a2b3c4d5e6f7g8h9i0j1"
    reason: false positive confirmed after manual review
```

Baselines

If you are introducing VibeSec to an existing codebase, you may have a large number of legacy findings. You can "baseline" these existing issues to focus on new security debt.

```bash
vibesec scan . --write-baseline
```

This creates a .vibesec.baseline.yaml file containing fingerprints for all current findings. Subsequent scans will ignore these issues unless the baseline file is removed or updated.
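To make the ignore and baseline semantics above concrete, the following Python model (added here, not VibeSec's own code) runs two regex rules of the kind shown under Custom Rules over a constructed two-file repository, fingerprints each finding, and filters it through a path-scoped rule ignore, a project-wide rule ignore, a single-fingerprint ignore and a baseline. The file contents, the SQL pattern and the fingerprint scheme (a hash of rule id, path and matched text) are assumptions; VibeSec's real fingerprinting may differ.

```python
import hashlib
import re
from fnmatch import fnmatch
# Constructed sample repository: path -> file content.
FILES = {
    "src/db.ts": 'const q = "SELECT * FROM users WHERE id=" + id; // TODO: security review',
    "tests/db.test.ts": 'const q = "SELECT * FROM t WHERE a=" + a;',
}
# Two regex rules in the shape of the rule schema above (the SQL pattern is constructed).
RULES = [
    {"id": "security/no-todo", "fileGlobs": ["**/*.ts", "**/*.tsx"],
     "pattern": re.compile(r"//\s*TODO:\s*security")},
    {"id": "express/sql-string-concat", "fileGlobs": ["**/*.ts"],
     "pattern": re.compile(r'"SELECT[^"]*"\s*\+')},
]
# Dict form of the path-scoped ignore entry from the YAML above.
IGNORE = [{"rule": "express/sql-string-concat", "paths": ["tests/**", "scripts/**"]}]

def fingerprint(rule_id, path, line):
    # Assumed scheme: hash rule id, path and matched text, so the id survives line moves.
    return hashlib.sha1(f"{rule_id}\0{path}\0{line.strip()}".encode()).hexdigest()[:20]

def scan(files, rules):
    """Run each regex rule over every file whose path matches one of its globs."""
    findings = []
    for path, text in files.items():
        for rule in rules:
            if not any(fnmatch(path, g) for g in rule["fileGlobs"]):
                continue
            for line in text.splitlines():
                if rule["pattern"].search(line):
                    findings.append({"rule": rule["id"], "path": path,
                                     "fingerprint": fingerprint(rule["id"], path, line)})
    return findings

def write_baseline(files, rules):  # equivalent of --write-baseline
    return frozenset(f["fingerprint"] for f in scan(files, rules))

def is_ignored(finding, ignore, baseline):
    if finding["fingerprint"] in baseline:          # legacy finding recorded in the baseline
        return True
    for entry in ignore:
        if entry.get("finding") == finding["fingerprint"]:   # single-instance ignore
            return True
        if entry.get("rule") == finding["rule"]:             # rule ignore; no paths = project-wide
            paths = entry.get("paths")
            if not paths or any(fnmatch(finding["path"], p) for p in paths):
                return True
    return False
```

Because the fingerprint covers the matched text, editing the flagged line produces a new fingerprint and the finding resurfaces, which is the behaviour a baseline should have.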

Custom Rules

Custom rules allow you to enforce project-specific security standards. By default, VibeSec loads rules from .vibesec/rules/*.{yaml,json}.

Rule Schema

Each custom rule must follow this structure:

| Field | Type | Description |
| --- | --- | --- |
| id | string | A unique identifier for the rule. |
| severity | string | One of critical, high, medium, or low. |
| title | string | A short, descriptive title. |
| matcher | object | The logic for detecting the vulnerability. |

Matcher Types

1. Regex Matcher

Matches a regular expression against file content.

```yaml
- id: security/no-todo
  severity: low
  title: "Security TODO found"
  matcher:
    type: regex
    fileGlobs: ["**/*.ts", "**/*.tsx"]
    # Single-quoted so YAML does not treat the regex backslashes as escape sequences
    pattern: '//\s*TODO:\s*security'
    message: "Found an unresolved security task"
```

2. File Presence Matcher

Checks for the existence of files matching specific patterns.

```yaml
- id: security/no-committed-env
  severity: critical
  title: ".env file committed"
  matcher:
    type: file_presence
    paths: [".env", ".env.*"]
    # Optional: ignore template files that are meant to be committed
    excludePaths: [".env.example"]
    # Optional: only match files tracked by git (avoids local .env false positives)
    trackedOnly: true
    message: "Environment file tracked by git"
```