VibeSec is built with a “safe by design” philosophy: it analyzes your repository without building or executing it.
## Static analysis only

VibeSec never runs your source code, scripts, or build pipelines. It reads the files in the repository and applies its rules to what it finds there; nothing is imported, required, or evaluated.
## Zero execution

Because VibeSec never executes repository code, a malicious repository cannot use the scan as a way to run anything on your machine. That makes it safe to point at untrusted repositories and to run in locked-down CI environments that forbid arbitrary execution.
## Local-first

OSS scans run on your machine. No source code is uploaded during a scan.
## How it works (high level)

- Passive scanning: files are parsed and matched against risky patterns; no code from the repository is run.
- Framework awareness: the detected framework (e.g. Next.js, SvelteKit, Astro, Express) selects which checks apply and how they are interpreted, so findings are relevant to the stack in use.
- Declarative rules: checks are declarative and pattern-based, so a rule is data that is matched against files rather than code that runs against your project.
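To make the three points above concrete, here is an added example of a minimal static-only scanner in Python. It is not VibeSec's code and the page does not describe VibeSec's rule format or detection logic; the rule ids, the framework marker files and dependency names, and the sample repository are all constructed for this illustration. It detects framework context from marker files and from `package.json` (parsed as JSON, never required or evaluated), applies declarative regex rules that are gated on that context, and refuses symlinks and oversized files so that reading an untrusted tree stays a read-only operation.

```python
"""Hypothetical static-only scanner in the spirit of the page: it reads files and never
executes them. Not VibeSec's code; rules, markers and the sample repo are constructed."""
import fnmatch
import json
import os
import re
import tempfile
from collections import namedtuple

SKIP_DIRS = {"node_modules", ".git", "dist", "build", ".next"}
MAX_FILE_BYTES = 1_000_000  # oversized files are skipped, never read

# A rule is pure data (no callbacks), so a rule cannot run repository code.
# frameworks=None means the rule applies to every project.
Rule = namedtuple("Rule", "id pattern message globs frameworks", defaults=(None,))
Finding = namedtuple("Finding", "rule_id path line snippet")

JS_GLOBS = ("*.js", "*.mjs", "*.cjs", "*.ts", "*.jsx", "*.tsx")
RULES = (
    Rule("js-eval", re.compile(r"\beval\s*\("),
         "eval() on attacker-influenced input is code execution", JS_GLOBS),
    Rule("nextjs-public-secret",
         re.compile(r"NEXT_PUBLIC_[A-Z0-9_]*(SECRET|TOKEN|PRIVATE|PASSWORD)"),
         "NEXT_PUBLIC_ values are inlined into the browser bundle and shipped to users",
         JS_GLOBS + (".env*",), frozenset({"nextjs"})),
    Rule("svelte-raw-html", re.compile(r"\{@html\b"),
         "{@html} renders unescaped markup", ("*.svelte",), frozenset({"sveltekit"})),
)
# Framework detection: config marker files and package.json dependency names (assumed).
MARKER_PREFIXES = {"next.config.": "nextjs", "svelte.config.": "sveltekit",
                   "astro.config.": "astro"}
DEPENDENCY_NAMES = {"next": "nextjs", "@sveltejs/kit": "sveltekit", "astro": "astro"}


def read_text(path):
    """Read a regular file as text; refuse symlinks and oversized files."""
    if os.path.islink(path) or not os.path.isfile(path):
        return None
    if os.path.getsize(path) > MAX_FILE_BYTES:
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def detect_frameworks(root):
    """package.json is parsed with json.loads, never required or evaluated."""
    found = {fw for name in os.listdir(root)
             for prefix, fw in MARKER_PREFIXES.items() if name.startswith(prefix)}
    text = read_text(os.path.join(root, "package.json"))
    try:
        pkg = json.loads(text) if text is not None else {}
    except json.JSONDecodeError:
        pkg = {}
    if isinstance(pkg, dict):
        for section in ("dependencies", "devDependencies"):
            deps = pkg.get(section)
            if isinstance(deps, dict):
                found.update(fw for dep, fw in DEPENDENCY_NAMES.items() if dep in deps)
    return frozenset(found)


def scan(root, rules=RULES):
    """Walk the tree without following symlinks; apply applicable rules per line."""
    frameworks = detect_frameworks(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS
                             and not os.path.islink(os.path.join(dirpath, d)))
        for name in sorted(filenames):
            applicable = [r for r in rules
                          if (r.frameworks is None or r.frameworks & frameworks)
                          and any(fnmatch.fnmatch(name, g) for g in r.globs)]
            text = read_text(os.path.join(dirpath, name)) if applicable else None
            for lineno, line in enumerate((text or "").splitlines(), start=1):
                for rule in applicable:
                    if rule.pattern.search(line):
                        rel = os.path.relpath(os.path.join(dirpath, name), root)
                        findings.append(Finding(rule.id, rel, lineno, line.strip()))
    return findings


# Constructed sample repo: Next.js detected, no SvelteKit marker, so the Svelte
# rule stays gated off even though src/Widget.svelte would match its pattern.
SAMPLE_REPO = {
    "package.json": json.dumps({"dependencies": {"next": "14.0.0"}}),
    "next.config.js": "module.exports = {};\n",
    ".env.local": "NEXT_PUBLIC_API_URL=https://example.invalid\n"
                  "NEXT_PUBLIC_STRIPE_SECRET=sk_test_123\n",
    "lib/parse.js": "function run(src) { return eval(src); }\n",
    "src/Widget.svelte": "<div>{@html userHtml}</div>\n",
}


def demo():
    """Write the sample repo to a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_REPO.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan(root)
```

Running `demo()` on the constructed repository yields two findings, the `NEXT_PUBLIC_STRIPE_SECRET` line in `.env.local` and the `eval()` call in `lib/parse.js`, while the `{@html}` usage in the `.svelte` file produces nothing because no SvelteKit context was detected. That gating is the point of framework awareness: the same pattern is noise in one stack and a real finding in another. The refusal to follow symlinks and to read oversized files is a design choice of this example, worth keeping in any scanner that is pointed at untrusted trees, because "never executes" only describes what the scanner does with the code, not what the tree can do to the scanner.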