VibeSec

Technical Specifications

Framework-aware security scanning that starts with JavaScript/TypeScript. It runs where you work, speaks your language, and never uploads your source code.

We built VibeSec because code is shipping faster than ever, especially with AI-assisted development and automated review workflows. Our mission is to catch framework-specific security problems early, so teams can move fast without breaking safety.

The CLI Engine

A local-first static analysis CLI built on Node.js. Installs quickly and runs where you work.

Installation

npm install -g @reliabilityworks/vibesec

Scan Command

Scan the current directory or a specific path.

vibesec scan .

Output Formats

Native support for multiple output formats for easy integration.

  • --output cli
  • --output json
  • --output sarif
  • --output html

$ vibesec scan .
✔ Scanning 142 files...
✔ Found 0 vulnerabilities.

# Export to SARIF for GitHub
$ vibesec scan . --output sarif --out-file results.sarif

Framework Aware

Automatically detects and adapts to your project structure.

VibeSec understands the nuances of modern JS frameworks. It knows that a file in pages/api is different from a component in src/components.

Supported Detectors

  • auto
  • nextjs
  • astro
  • sveltekit
  • express
  • react-native
  • expo

CI/CD Integration

Gate your builds with zero friction. First-class GitHub Actions support.

Block PRs based on severity thresholds using the --fail-on flag or use our dedicated GitHub Action.

.github/workflows/security.yml
name: security
on: [push, pull_request]
permissions:
  contents: read
  security-events: write   # needed by upload-sarif
jobs:
  vibesec:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Reliability-Works/vibesec@v1
        with:
          path: .
          framework: auto
          output: sarif
          out-file: vibesec.sarif
          fail-on: high
      - uses: github/codeql-action/upload-sarif@v3
        if: always()   # upload even when fail-on fails the scan step
        with:
          sarif_file: vibesec.sarif

Configuration & Baselines

Declarative configuration that lives in your repo.

Config File

Configure ignores in .vibesec.yaml (or .vibesec.yml).

Baselines

Suppress existing issues to focus on new code.

vibesec scan . --write-baseline

Creates .vibesec.baseline.yaml

Custom Rules

Write your own security rules using simple YAML or JSON.

Drop rule files into .vibesec/rules or specify a custom directory with --rules-dir.

custom-rule.yaml
- id: no-eval
  severity: critical
  title: "Avoid eval"
  matcher:
    type: regex
    fileGlobs:
      - "**/*.{js,jsx,ts,tsx}"
    pattern: 'eval\('   # single-quoted: YAML double quotes do not allow the \( escape
    message: "Avoid using eval()"

Safety Model

Designed for trust and privacy.

  • Passive Scanning: Never executes your repository code.
  • Local First: Analysis happens on your machine or CI runner. Source code never leaves your environment.
  • Zero-Config: Safe defaults out of the box.

Coming Soon

We are building a hosted platform to complement the CLI, plus more languages & frameworks.

Hosted Dashboard

Centralized view of security posture across all repos.

SSO & IAM

Enterprise-grade access control and team management.

Compliance Reports

Audit-friendly reports and SOC2-style evidence bundles.