Getting Started
VibeCheck is a security scanning platform designed for vibe coders who build fast and ship often. Get your code scanned in seconds, not hours.
Quick Start (3 minutes)
- Upload your code
Drag & drop a ZIP file, connect GitHub, or paste code directly.
- Wait for scan
Our AI-powered scanners analyze your code in real-time.
- Review results
Get a security grade (A-F) with detailed findings and fix suggestions.
What Gets Scanned?
Hardcoded Secrets
API keys, passwords, tokens, and other sensitive data in your code.
Security Vulnerabilities
Common vulnerabilities like SQL injection, XSS, and insecure configurations.
Dependency Risks
Known CVEs in your npm, pip, or other package dependencies.
Docker Security
Dockerfile best practices and container image vulnerabilities.
Supported Languages
Upload Methods
VibeCheck supports multiple ways to get your code scanned. Choose the method that fits your workflow.
1. ZIP File Upload
The quickest way to scan a project. Simply compress your project folder and drag it to our upload zone.
```bash
# Create a ZIP of your project
zip -r my-project.zip ./my-project -x "node_modules/*" -x ".git/*"
```

2. GitHub Integration
Pro feature: Connect your GitHub account to scan repositories directly. Perfect for teams and CI/CD workflows.
- One-click repository connection
- Auto-scan on push (Pro feature)
- PR comments with security feedback
- Branch-specific scanning
3. Paste Code
Have a single file or snippet? Paste it directly for instant analysis.
- Supports up to 50KB of code
- Auto-detects language
- Great for quick checks
4. Git URL
Provide a public Git repository URL and we'll clone and scan it automatically.
https://github.com/username/repository.git

File Size Limits
| Plan | Max Project Size | Max Files |
|---|---|---|
| Free | 10 MB | 500 files |
| Pro | 50 MB | 2,000 files |
| Team | 100 MB | 5,000 files |
Security Scanners
VibeCheck uses a combination of open-source and proprietary scanners to provide comprehensive security coverage.
Secret Scanner
Status: Active. Detects hardcoded secrets, API keys, passwords, and sensitive credentials.
- AWS Access Keys
- GitHub Tokens
- Database Passwords
- Private Keys
- API Keys (Stripe, OpenAI, etc.)
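As an added illustration of what this scanner category looks for (example code written for this page, not VibeCheck's own scanner), a minimal line-by-line secret detector that reports hits in the same finding shape the API reference uses. The `sk_live_` prefix is taken from the page's own example; the AKIA (AWS access key ID) and `ghp_` (GitHub token) prefixes are real, well-known formats; the sample file content is constructed and contains no real credentials.

```python
import re
from typing import Dict, List

# Patterns for the credential types listed under Secret Scanner. Kept deliberately
# narrow (known prefixes + length) so that ordinary identifiers do not trigger them.
SECRET_PATTERNS = {
    "Stripe Live Secret Key": re.compile(r"sk_live_[A-Za-z0-9]{8,}"),
    "AWS Access Key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub Token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "Private Key Block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def scan_for_secrets(filename: str, source: str) -> List[Dict]:
    """Return findings shaped like the entries in the /scans/{scan_id} response."""
    findings: List[Dict] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for title, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append({
                    "id": f"finding_{len(findings) + 1}",
                    "title": f"Hardcoded {title}",
                    "severity": "high",   # hardcoded credentials are graded high on this page
                    "file": filename,
                    "line": lineno,
                })
    return findings


# Constructed sample input (no real credentials): the page's vulnerable snippet,
# the AWS documentation's placeholder key, and one line that correctly reads the
# key from the environment and therefore must not be reported.
SAMPLE_CONFIG_JS = """\
const API_KEY = "sk_live_abc123xyz";
const stripe = new Stripe(API_KEY);
const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
const SAFE_KEY = process.env.STRIPE_API_KEY;
"""
```

Running `scan_for_secrets("config.js", SAMPLE_CONFIG_JS)` reports lines 1 and 3 and stays silent on the environment-variable line, which is exactly the before/after distinction the AI-fix example further down relies on.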
Dependency Scanner
Status: Active. Identifies known vulnerabilities (CVEs) in your project dependencies.
- npm / yarn (package.json)
- pip (requirements.txt)
- Go (go.mod)
- Maven (pom.xml)
- Gradle (build.gradle)
SAST Scanner
Status: Active. Static Application Security Testing to find code-level vulnerabilities.
- SQL Injection
- XSS (Cross-Site Scripting)
- Command Injection
- Path Traversal
- Insecure Deserialization
Container Scanner
Status: Active. Analyzes Dockerfiles and container configurations for security issues.
- Dockerfile best practices
- Base image vulnerabilities
- Running as root user
- Exposed sensitive ports
IaC Scanner
Status: Active. Scans Infrastructure as Code for misconfigurations and security risks.
- Terraform
- Kubernetes YAML
- CloudFormation
- Ansible
- Helm Charts
Grading System
Every scan results in a security grade from A to F, calculated based on the severity and quantity of findings.
Excellent
Score: 90-100
No critical or high severity issues. Your code is secure!
Good
Score: 80-89
Minor issues present. Some improvements recommended.
Fair
Score: 70-79
Several medium severity issues found. Action needed.
Poor
Score: 60-69
High severity issues detected. Fix before deploying.
Critical
Score: <60
Critical vulnerabilities found. Immediate action required!
Severity Levels
Critical: Actively exploitable vulnerabilities that can lead to data breach or system compromise.
High: Serious security issues that should be fixed before production deployment.
Medium: Moderate issues that could become serious if combined with other vulnerabilities.
Low: Minor issues or best practice violations. Good to fix but not urgent.
AI-Powered Fixes
Pro feature: Don't just find problems; fix them. Our AI generates context-aware code fixes for every vulnerability found.
How It Works
- Analyze Context
AI reads surrounding code to understand the full context.
- Generate Fix
Creates a targeted fix that addresses the vulnerability.
- One-Click Apply
Copy the fix or apply directly to your codebase.
Example: Fixing a Hardcoded Secret
Before (Vulnerable)
```javascript
const API_KEY = "sk_live_abc123xyz";
const stripe = new Stripe(API_KEY);
```
After (AI Fix)
```javascript
const API_KEY = process.env.STRIPE_API_KEY;
if (!API_KEY) throw new Error("Missing STRIPE_API_KEY");
const stripe = new Stripe(API_KEY);
```
Supported Fix Types
- Environment variable extraction
- Input validation and sanitization
- Parameterized queries for SQL
- Output encoding for XSS prevention
- Secure configuration updates
- Dependency version upgrades
GitHub Integration
Pro feature: Connect VibeCheck to GitHub for seamless security scanning integrated into your development workflow.
Features
One-Click Connect
Authorize with GitHub and select repositories to scan.
Auto-Scan on Push
Automatically scan every push to your default branch.
PR Comments
Get security feedback directly in pull requests.
Merge Blocking
Block PRs with critical vulnerabilities from merging.
Setup Instructions
- Connect Your Account
Go to Dashboard → GitHub and click "Connect GitHub".
- Authorize VibeCheck
Grant access to your repositories (read-only access for scanning).
- Select Repositories
Choose which repositories to enable for automatic scanning.
- Configure Webhooks (Optional)
Enable auto-scan on push for real-time security feedback.
Trust Badges
Pro feature: Display your security grade on your README, website, or documentation to build trust with users.
Badge Styles
- flat
- rounded
- shield
Embed Code
Markdown (README.md)
```markdown
[![Security Badge](https://vibecheck.dev/badge/YOUR_PROJECT_ID)](https://vibecheck.dev/report/YOUR_PROJECT_ID)
```
HTML (Website)
```html
<a href="https://vibecheck.dev/report/YOUR_PROJECT_ID">
  <img src="https://vibecheck.dev/badge/YOUR_PROJECT_ID" alt="Security Badge"/>
</a>
```
Badge Features
- Real-time grade updates (refreshes on each scan)
- Clickable link to public report
- Multiple style options
- Valid for 30 days after scan
- Auto-expire if not rescanned
MCP Server
Connect VibeCheck to AI assistants like Cursor, Claude Desktop, or Windsurf using the Model Context Protocol (MCP).
Live Server
https://vibecheck-mcp.datnt-work.workers.dev
Hosted on Cloudflare Workers with global edge deployment.
Available Tools
security_scan
Scan code for vulnerabilities: secrets, injection, XSS, IDOR, weak crypto.
suggest_fix
Get step-by-step fix instructions with safe/unsafe code examples.
explain_vulnerability
Plain-language explanations of how attacks work and their impact.
get_security_rules
List security rules by category, severity, or compliance (OWASP, PCI-DSS).
Setup for AI Agents
Select your AI assistant:

Cursor: ~/.cursor/mcp.json
```json
{
  "mcpServers": {
    "vibecheck": {
      "url": "https://vibecheck-mcp.datnt-work.workers.dev/mcp"
    }
  }
}
```

Claude Desktop: ~/Library/Application Support/Claude/claude_desktop_config.json
```json
{
  "mcpServers": {
    "vibecheck": {
      "url": "https://vibecheck-mcp.datnt-work.workers.dev/mcp"
    }
  }
}
```
Windows: %APPDATA%/Claude/claude_desktop_config.json

Windsurf: ~/.windsurf/mcp.json
```json
{
  "mcpServers": {
    "vibecheck": {
      "url": "https://vibecheck-mcp.datnt-work.workers.dev/mcp"
    }
  }
}
```

Continue: ~/.continue/config.json
```json
{
  "experimental": {
    "modelContextProtocolServers": [{
      "transport": { "type": "sse", "url": "https://vibecheck-mcp.datnt-work.workers.dev/mcp" }
    }]
  }
}
```

Cline (VS Code): settings.json
```json
{
  "cline.mcpServers": {
    "vibecheck": {
      "url": "https://vibecheck-mcp.datnt-work.workers.dev/mcp"
    }
  }
}
```

Test with curl
```bash
curl https://vibecheck-mcp.datnt-work.workers.dev/mcp/tools/list
```

Example Prompts
- "Scan this code for security issues"
- "How do I fix SQL injection?"
- "Explain XSS attacks in simple terms"
- "What security rules apply to fintech apps?"
API Reference
Integrate VibeCheck into your tools, CI/CD pipelines, or custom applications using our REST API.
Authentication
All API requests require an API key passed in the header:
```
Authorization: Bearer YOUR_API_KEY
```
Base URL
```
https://api.vibecheck.dev/v1
```
Endpoints

/scans
Create a new scan from uploaded code.
Request Body
```jsonc
{
  "name": "my-project",
  "source": "upload", // or "github", "url"
  "file": "<base64-encoded-zip>",
  "language": "auto" // or "python", "javascript", etc.
}
```
Response
```json
{
  "scan_id": "scan_abc123",
  "status": "processing",
  "created_at": "2025-01-01T12:00:00Z"
}
```

/scans/{scan_id}
Get scan results and findings.
Response
```json
{
  "scan_id": "scan_abc123",
  "status": "completed",
  "grade": "B",
  "score": 82,
  "findings": [
    {
      "id": "finding_1",
      "title": "Hardcoded API Key",
      "severity": "high",
      "file": "config.js",
      "line": 15
    }
  ]
}
```

/scans/{scan_id}/findings
Get detailed findings for a scan.

/scans/{scan_id}/fix
Pro feature: Generate an AI-powered fix for a specific finding.

Rate Limits
| Plan | Requests/minute | Scans/day |
|---|---|---|
| Free | 10 | 3 |
| Pro | 100 | Unlimited |
| Team | 500 | Unlimited |
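The API reference above and the CI/CD answer in the FAQ describe submitting a scan, reading back the graded result, and failing a build on serious findings. The following is an added example of such a gate (written for this page, not an official VibeCheck client). It assumes `/scans` is called with POST, that every status other than `processing` and `completed` is terminal, and that a grade letter further along the alphabet is worse; the sample result is the page's own example response, embedded so the gating logic runs offline.

```python
import base64
import json
import time
import urllib.request
from typing import Dict, List, Tuple

BASE_URL = "https://api.vibecheck.dev/v1"  # base URL from the API Reference
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def gate(result: Dict, min_severity: str = "high", min_grade: str = "C") -> Tuple[bool, List[str]]:
    """Pass/fail a completed scan: fail on any finding at or above min_severity,
    or on a letter grade worse than min_grade (letters compare alphabetically)."""
    reasons = []
    for f in result.get("findings", []):
        if SEVERITY_RANK.get(f.get("severity", "low"), 0) >= SEVERITY_RANK[min_severity]:
            reasons.append(f"{f['severity']}: {f['title']} ({f['file']}:{f['line']})")
    if result.get("grade", "F") > min_grade:
        reasons.append(f"grade {result['grade']} is below the required {min_grade}")
    return (not reasons), reasons


def _call(method: str, path: str, api_key: str, body: Dict = None) -> Dict:
    """Bearer-authenticated JSON request, as the Authentication section specifies."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method, headers={
        "Authorization": f"Bearer {api_key}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def scan_zip_and_gate(zip_path: str, api_key: str, name: str, poll_seconds: int = 5):
    """Upload a ZIP to /scans (assumed POST), poll /scans/{scan_id}, then gate."""
    with open(zip_path, "rb") as fh:
        payload = {"name": name, "source": "upload", "language": "auto",
                   "file": base64.b64encode(fh.read()).decode()}
    scan_id = _call("POST", "/scans", api_key, payload)["scan_id"]
    while True:
        result = _call("GET", f"/scans/{scan_id}", api_key)
        if result["status"] == "completed":
            return gate(result)
        if result["status"] != "processing":  # assumption: anything else is terminal
            raise RuntimeError(f"scan {scan_id} ended with status {result['status']}")
        time.sleep(poll_seconds)


# Constructed sample: the GET /scans/{scan_id} response shown in the API Reference.
SAMPLE_RESULT = {"scan_id": "scan_abc123", "status": "completed", "grade": "B", "score": 82,
                 "findings": [{"id": "finding_1", "title": "Hardcoded API Key",
                               "severity": "high", "file": "config.js", "line": 15}]}
```

With the defaults, `gate(SAMPLE_RESULT)` fails the build because of the single high-severity finding even though the grade B itself would pass; stay within the Free plan's 10 requests/minute when choosing `poll_seconds`.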
Frequently Asked Questions
Is my code stored on your servers?
No. Your code is processed in memory during the scan and deleted within 24 hours. We never store your source code permanently. Only scan results and findings are retained.
Which languages are supported?
VibeCheck supports JavaScript, TypeScript, Python, Go, Java, Ruby, PHP, C#, Rust, and infrastructure languages like Terraform, Kubernetes YAML, and Dockerfiles.
How accurate is the AI fix feature?
Our AI generates fixes with ~90% accuracy for common vulnerabilities. We recommend reviewing all fixes before applying them to your codebase.
Can I use VibeCheck in CI/CD?
Yes! Use our API or GitHub integration to add security checks to your CI/CD pipeline. You can fail builds when critical vulnerabilities are detected.
What's the difference between Free and Pro?
Free includes 3 scans/month and basic reports. Pro adds unlimited scans, AI-powered fixes, GitHub integration, trust badges, and PDF export.
Do you offer an on-premise solution?
Yes, for Enterprise customers. Contact our sales team for on-premise deployment options, custom SLAs, and dedicated support.
How do trust badges work?
After a scan, you get embed code for a badge that displays your security grade. Badges update automatically when you rescan and expire after 30 days if not renewed.
Can I dispute a finding?
Yes. Each finding has a "Mark as False Positive" option. You can provide a reason and it won't affect your score in future scans.