30-point security audit for AI-generated code. One command. CI/CD ready.
AI coding tools (Cursor, Copilot, Claude Code, v0, Bolt) ship code with 2x more vulnerabilities than human-written code. This tool catches them before you deploy.
```text
$ bash audit.sh ./my-app
==========================================
VIBESHIELD AUDIT v2.0
Project: ./my-app
==========================================
[1/30] Hardcoded secrets ✓ OK
[L1] gitleaks CRITICAL: 3 secret-pattern matches
[2/30] Rate limiting CRITICAL: No rate limiting found
[3/30] SQL injection ✓ OK
[4/30] CORS configuration CRITICAL: cors() unconfigured
[5/30] XSS — dangerous DOM sinks CRITICAL: dangerouslySetInnerHTML
...
==========================================
AUDIT SUMMARY
==========================================
CRITICAL: 4
HIGH: 2
MEDIUM: 1
DEPLOY BLOCKED — fix all CRITICAL issues first
```
```bash
# one-liner audit
bash <(curl -fsSL https://raw.githubusercontent.com/Luigi08001/vibe-code-security/main/scripts/audit.sh) ./your-project

# or clone (git clone creates the vibe-code-security directory; scripts/ sits at its root)
git clone https://github.com/Luigi08001/vibe-code-security.git
bash vibe-code-security/scripts/audit.sh ./your-project
```

| # | Check |
|---|---|
| 1 | Hardcoded secrets (Stripe, AWS, GitHub, SendGrid, PEM keys) |
| 2 | Missing rate limiting |
| 3 | SQL injection (string concat + template literals) |
| 4 | CORS wildcard / unconfigured / origin reflection |
| 5 | XSS — dangerous DOM sinks without sanitization |
| 6 | Command injection (exec/spawn with user input) |
| 7 | SSRF — server-side requests with user-controlled URLs |
| 8 | Path traversal (fs operations with req.params) |
| 9 | API routes without server-side auth |
| 10 | .env leaked in git history |
| 11 | Sensitive routes missing auth middleware |
| 12 | IDOR — no ownership validation on parameterized routes |
| # | Check |
|---|---|
| 13 | CSRF protection missing |
| 14 | JWTs stored in localStorage |
| 15 | Weak JWT secret (< 32 chars) |
| 16 | Stack traces exposed in API responses |
| 17 | Tokens without expiry |
| 18 | Docker container running as root |
| 19 | Database port exposed publicly |
| 20 | Sessions not invalidated on logout |
| 21 | Open redirects without URL validation |
| 22 | Missing security headers (no helmet/CSP/HSTS) |
| 23 | Insecure cookies (missing httpOnly/secure/sameSite) |
| 24 | Mass assignment (raw req.body to ORM) |
| # | Check |
|---|---|
| 25 | File uploads without MIME validation |
| 26 | Weak password hashing (MD5/SHA1 for passwords) |
| 27 | npm audit vulnerabilities |
| 28 | .env not in .gitignore |
| 29 | No lockfile (non-deterministic deps) |
| 30 | Zero security packages in package.json |
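As an added example (not the VibeShield script's own code), here is a grep-based version of two of the checks above, check #1 (hardcoded secrets) and check #3 (SQL built by string concatenation or template literals), run over a constructed sample project. The regexes, file names and key values are assumptions, not the script's real patterns.

```bash
#!/usr/bin/env bash
# Added example, not VibeShield's own code: grep-based fallback checks in the
# spirit of the audit script, for check #1 (hardcoded secrets) and check #3
# (SQL built by string concatenation or template literals). The regexes are
# assumptions, not the script's real patterns.

# Assumed shapes of an AWS access key ID and a Stripe live secret key.
SECRET_RE='AKIA[0-9A-Z]{16}|sk_live_[0-9A-Za-z]{24,}'
# A SQL keyword followed on the same line by " + " (concat) or "${" (template).
SQLI_RE='(SELECT|INSERT|UPDATE|DELETE).*( \+ |\$\{)'

# Number of matching source lines under $1 for ERE $2, skipping vendored dirs.
count_matches() {
  grep -rEIn --exclude-dir=node_modules --exclude-dir=.git -e "$2" "$1" 2>/dev/null \
    | wc -l | tr -d ' '
}

# One check in the audit's summary style: CRITICAL if anything matched, else OK.
run_check() {
  if [ "$(count_matches "$1" "$2")" -gt 0 ]; then echo CRITICAL; else echo OK; fi
}

# Constructed sample project: one file with findings, one clean file, and a
# node_modules copy of a key that must be ignored. Prints the directory path.
make_sample_project() {
  dir="$(mktemp -d)"
  mkdir -p "$dir/src" "$dir/node_modules/pkg"
  cat > "$dir/src/bad.js" <<'EOF'
const stripe = require("stripe")("sk_live_EXAMPLEKEYEXAMPLEKEY0000"); // constructed
const AWS_KEY = "AKIAEXAMPLEEXAMPLE00";                                // constructed
db.query("SELECT * FROM users WHERE id = " + req.params.id);
db.query(`DELETE FROM posts WHERE id = ${req.query.id}`);
EOF
  cat > "$dir/src/good.js" <<'EOF'
const key = process.env.STRIPE_SECRET_KEY;
db.query("SELECT * FROM users WHERE id = $1", [req.params.id]);
EOF
  echo 'const k = "AKIAEXAMPLEEXAMPLE00";' > "$dir/node_modules/pkg/index.js"
  echo "$dir"
}

# Stand-alone run: audit the constructed project and print the two verdicts.
if [ "${1:-}" = "--demo" ]; then
  p="$(make_sample_project)"
  echo "[1/30] Hardcoded secrets $(run_check "$p" "$SECRET_RE")"
  echo "[3/30] SQL injection     $(run_check "$p" "$SQLI_RE")"
  rm -rf "$p"
fi
```

Run it with `--demo` to see both checks report CRITICAL on `src/bad.js` while the key under `node_modules/` is ignored.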
```bash
# Standard audit
bash audit.sh ./project

# CI/CD mode — no colors, clean output for logs
bash audit.sh ./project --ci

# Generate autofix plan
bash audit.sh ./project --fix
# Creates: ./project/.vibe-security-autofix.sh
# Review, then: bash ./project/.vibe-security-autofix.sh

# JSON output (structured, machine-readable)
bash audit.sh ./project --json

# SARIF output to stdout (GitHub Code Scanning format)
bash audit.sh ./project --sarif

# SARIF output to file
bash audit.sh ./project --sarif-file results.sarif

# Markdown report
bash audit.sh ./project --report
```

`--sarif` and `--json` are mutually exclusive.
VibeShield can output SARIF 2.1.0 — the standard format for static analysis tools. This lets findings appear directly in GitHub's Security tab alongside CodeQL and other scanners.
Every finding is mapped to a SARIF rule with a stable ID:
| Check range | SARIF Rule IDs | SARIF Level |
|---|---|---|
| CRITICAL (#1-12) | VCS001-VCS012 | error |
| HIGH (#13-24) | VCS013-VCS024 | warning |
| MEDIUM (#25-30) | VCS025-VCS030 | note |
| Framework checks | VCS-FW-001+ | varies |
| External scanners | VCS-EXT-001+ | varies |
Findings include file paths and line numbers when available, so GitHub can annotate the exact lines in your code.
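As an added example, not the audit script's own SARIF writer, the shell functions below apply the rule-ID and level mapping from the table above to emit a SARIF 2.1.0 result and wrap it in a log of the shape GitHub Code Scanning ingests; the file path, line number and message text are constructed values.

```bash
#!/usr/bin/env bash
# Added example, not VibeShield's own code: apply the check-number -> SARIF
# rule ID / level mapping from the table above and emit SARIF 2.1.0 JSON.
# File path, line and message are constructed values.

# Check number 1..30 -> stable rule ID VCS001..VCS030.
sarif_rule_id() { printf 'VCS%03d' "$1"; }

# CRITICAL #1-12 -> error, HIGH #13-24 -> warning, MEDIUM #25-30 -> note.
sarif_level() {
  if [ "$1" -le 12 ]; then echo error
  elif [ "$1" -le 24 ]; then echo warning
  else echo note
  fi
}

# Minimal JSON string escaping for the message text (backslash, double quote).
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# One SARIF result: $1=check number $2=file (repo-relative) $3=line $4=message.
# The physicalLocation is what lets GitHub annotate the exact line in a PR diff.
sarif_result() {
  printf '{"ruleId":"%s","level":"%s","message":{"text":"%s"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"%s"},"region":{"startLine":%d}}}]}' \
    "$(sarif_rule_id "$1")" "$(sarif_level "$1")" "$(json_escape "$4")" "$2" "$3"
}

# Wrap comma-separated result objects ($1) in a complete SARIF 2.1.0 log.
sarif_document() {
  printf '{"version":"2.1.0","$schema":"https://json.schemastore.org/sarif-2.1.0.json","runs":[{"tool":{"driver":{"name":"VibeShield"}},"results":[%s]}]}' "$1"
}

# Stand-alone run: two constructed findings (check #4 CORS, check #14 JWT in
# localStorage) as a SARIF log ready for --sarif-file / upload-sarif.
if [ "${1:-}" = "--demo" ]; then
  r1="$(sarif_result 4 src/server.js 17 'cors() called without an origin allowlist')"
  r2="$(sarif_result 14 src/auth.js 42 'JWT written to localStorage')"
  sarif_document "$r1,$r2"; echo
fi
```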
The easiest way to get findings into your Security tab:
```yaml
# .github/workflows/security.yml
name: Security Audit
on: [pull_request]
permissions:
  contents: read
  security-events: write
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Luigi08001/vibe-code-security@main
        with:
          upload-sarif: 'true'
```

This runs the audit, generates a SARIF file, and uploads it to GitHub Code Scanning. Findings appear:
- In the Security > Code scanning alerts tab
- As inline annotations on pull request diffs
- With severity levels matching the check priority
If you're not using the action, generate SARIF and upload manually:
```yaml
steps:
  - uses: actions/checkout@v4
  - name: Run audit
    run: bash audit.sh . --sarif-file results.sarif
  - name: Upload SARIF
    uses: github/codeql-action/upload-sarif@v3
    with:
      sarif_file: results.sarif
      category: vibeshield
```

```bash
# Output to stdout (pipe to jq, upload tools, etc.)
bash audit.sh ./project --sarif | jq .

# Save to file
bash audit.sh ./project --sarif-file audit.sarif

# Validate with sarif-tools (optional)
pip install sarif-tools
sarif summary audit.sarif
```

The script auto-detects and uses these tools if installed:
| Tool | What it adds | Install |
|---|---|---|
| gitleaks | 800+ secret patterns (AWS, GCP, Slack, etc.) | brew install gitleaks |
| semgrep | 2000+ SAST rules (OWASP Top 10, etc.) | pip install semgrep |
If not installed, the script uses its built-in grep patterns and continues normally.
Drop `SKILL.md` into your agent's skill directory:

```bash
# Claude Code
cp SKILL.md ~/.claude/skills/vibeshield.md
# Claude Code now auto-runs security checks when you ship code

# OpenClaw
cp -r . ~/.openclaw/workspace/skills/vibeshield/
# OpenClaw picks it up automatically

# Other agents: add SKILL.md to your project root or agent config
# The agent reads the checklist and applies it to your code
```

```yaml
# GitHub Actions step (CI mode)
- name: Security Audit
  run: |
    bash <(curl -fsSL https://raw.githubusercontent.com/Luigi08001/vibe-code-security/main/scripts/audit.sh) . --ci
```

```bash
# git pre-push hook
echo 'bash /path/to/audit.sh . --ci' >> .git/hooks/pre-push
chmod +x .git/hooks/pre-push
```

```yaml
# GitHub Actions step with SARIF upload
- uses: Luigi08001/vibe-code-security@main
  with:
    upload-sarif: 'true'
```

Requires the `security-events: write` permission. Findings appear in the repository's Security tab.
This audit targets Node.js/TypeScript web applications. It is a baseline first-pass — not a penetration test.
What it catches: Common AI-generated vulnerabilities that static grep analysis can detect.
What it doesn't catch: Logic flaws, race conditions, complex auth bypasses, cryptographic errors, infrastructure misconfigs beyond basic checks.
Philosophy: A fast 30-second check that catches 70% of AI-generated security holes is better than a perfect audit that never runs.
PRs welcome. If you find a vulnerability pattern that AI tools commonly produce, open an issue or PR.
MIT — use however you want.
Generate an SVG badge for your README:

```bash
bash scripts/badge.sh ./your-project
# Creates: ./your-project/vibe-security-badge.svg
```

Then add to your README:
The script auto-detects your framework and runs additional targeted checks:
| Framework | Detection | Extra checks |
|---|---|---|
| Next.js | `next` in package.json | Server Actions auth, `NEXT_PUBLIC_` secrets, middleware.ts, API route protection |
| Express | `express` in package.json | helmet, JSON body limit, trust proxy, error handler, session secret |
| Supabase | `@supabase/supabase-js` in package.json | RLS policies, `service_role` key exposure, `USING(true)`, `WITH CHECK` |

Force a framework: `bash audit.sh . --next` or `bash audit.sh . --supabase`
Add to any repo for automated PR security audits:

```yaml
# .github/workflows/security.yml
name: Security Audit
on: [pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Luigi08001/vibe-code-security@main
```

Or use the one-liner workflow — see `.github/workflows/security-audit.yml` for a template.
Try it in the browser (no install): vibeaudit.dev
See HALL_OF_SHAME.md for anonymized stats on the most common AI-generated vulnerabilities.
Submit your anonymous audit results to improve the data.