VibeSec comes with a large library of built-in security rules tailored for modern JavaScript frameworks.
This page lists common rules and explains severity/matcher behavior. For a practical "what rules are available" view, run a scan and inspect ruleId values in the output (or use --output json).
## Severity Levels
Every finding is assigned one of four severity levels:
- Critical: Immediate, high-impact security risk (e.g., hardcoded secrets, open execution).
- High: Serious risk that should be prioritized (e.g., insecure configuration, path traversal).
- Medium: Meaningful risk, often context-dependent (e.g., weak cryptography, XSS potential).
- Low: Best-practice issues and hardening opportunities.
## Matcher Types
VibeSec uses declarative matchers to detect vulnerabilities without executing code.
- Regex: Matches a regular expression against file content within specific globs.
- File Presence: Checks for the existence of sensitive files (e.g., .env, .pem).
## Common Rules: Next.js
The Next.js ruleset focuses on next.config.js settings, environment variable exposure, and common React security pitfalls.
| Rule ID | Severity | Title |
|---|---|---|
| nextjs/typescript-ignore-build-errors | Critical | Build errors are ignored, potentially allowing unsafe code to ship. |
| nextjs/next-public-secret-name | High | A NEXT_PUBLIC_ variable suggests a secret is exposed to the browser. |
| nextjs/images-dangerously-allow-svg | High | SVGs enabled in next/image, which can increase XSS risk. |
| nextjs/headers-cors-allow-origin-star | High | CORS allow-origin is set to *. |
| nextjs/csp-unsafe-inline | High | Content Security Policy includes unsafe-inline. |
| nextjs/eval | High | Use of eval() detected. |
## Common Rules: Express
Covers middleware configuration, session management, and common Node.js security best practices.
| Rule ID | Severity | Title |
|---|---|---|
| express/jwt-secret-hardcoded | Critical | A hardcoded JWT secret was detected. |
| express/session-cookie-secure-false | High | Session cookies are configured without the secure flag. |
| express/path-traversal-join | High | path.join usage with user input may enable path traversal. |
| express/child-process-exec | High | child_process.exec usage may enable command injection. |
| express/cors-wildcard-origin | High | CORS configured to allow any origin (*). |
| express/helmet-disabled | Medium | helmet() middleware is not detected. |
## Custom Rules
You can extend VibeSec with your own project-specific rules. Drop a YAML or JSON file in .vibesec/rules/ to have it automatically loaded.
```yaml
- id: no-forbidden-package
  severity: high
  title: "Forbidden package detected"
  matcher:
    type: regex
    fileGlobs:
      - "package.json"
    pattern: "\"forbidden-package\""
  message: "The use of 'forbidden-package' is prohibited."
```

For more details on building your own rules, see Configuration.
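To make the matcher semantics concrete, here is an added JavaScript example (not VibeSec's own code) that evaluates rules of the shape shown above against an in-memory set of files and emits findings with ruleId and severity. It assumes the YAML/JSON has already been parsed into objects, that the file-presence matcher type is spelled "file-presence" (the page does not give its key), and that globs only need "**", "*" and "?".

```javascript
// Turn a fileGlob such as "src/**/*.js" into an anchored RegExp.
// Assumption: only "**", "*" and "?" are supported in this demo.
function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const ch = glob[i];
    if (ch === "*" && glob[i + 1] === "*" && glob[i + 2] === "/") { re += "(?:.*/)?"; i += 2; }
    else if (ch === "*" && glob[i + 1] === "*") { re += ".*"; i += 1; }
    else if (ch === "*") re += "[^/]*";
    else if (ch === "?") re += "[^/]";
    else re += ch.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  }
  return new RegExp("^" + re + "$");
}

// Evaluate parsed rules against an in-memory {path: content} map. A regex only runs on
// files whose path matches one of the rule's fileGlobs; findings carry ruleId/severity.
function runRules(rules, files) {
  const findings = [];
  const report = (rule, file, line) =>
    findings.push({ ruleId: rule.id, severity: rule.severity, file, line, message: rule.message });
  for (const rule of rules) {
    const globs = rule.matcher.fileGlobs.map(globToRegExp);
    for (const [file, content] of Object.entries(files)) {
      if (!globs.some((g) => g.test(file))) continue;
      if (rule.matcher.type === "file-presence") { report(rule, file, 0); continue; } // assumed type name
      for (const hit of content.matchAll(new RegExp(rule.matcher.pattern, "g"))) {
        report(rule, file, content.slice(0, hit.index).split("\n").length); // 1-based line number
      }
    }
  }
  return findings;
}
// Constructed sample rules (parsed form of the YAML above, plus an assumed
// file-presence rule) and a constructed in-memory repository; nothing is read from disk.
const SAMPLE_RULES = [
  { id: "no-forbidden-package", severity: "high", title: "Forbidden package detected",
    matcher: { type: "regex", fileGlobs: ["package.json"], pattern: "\"forbidden-package\"" },
    message: "The use of 'forbidden-package' is prohibited." },
  { id: "env-file-committed", severity: "critical", title: "Environment file checked in",
    matcher: { type: "file-presence", fileGlobs: ["**/.env"] },
    message: "A .env file is present in the repository; it may contain secrets." },
];
const SAMPLE_FILES = {
  "package.json": '{\n  "dependencies": {\n    "forbidden-package": "^1.0.0"\n  }\n}\n',
  ".env": "API_KEY=placeholder-value\n",
  "src/app.js": "export const ok = true;\n",
};
function scanSample() { return runRules(SAMPLE_RULES, SAMPLE_FILES); }
```

Running scanSample() yields two findings: the forbidden dependency on line 3 of package.json and the checked-in .env file, while src/app.js matches no rule's globs and is never scanned.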