
@darrenjcoxon/vibeguard

v2.2.2


Security-first code scanner for AI-assisted development. Scan your code, get FIXES.md, let AI fix everything.


Vibeguard v2.0 — Security-First Code Scanner

Scan your code. Get FIXES.md. Let AI fix everything.

Vibeguard is a security-first code scanner designed for developers using AI coding assistants (Claude Code, Cursor, Copilot). It runs 8 scanners in parallel and generates a FIXES.md file that AI agents can directly action.

What's New in v2.0

🔒 Security-first approach — Security findings are separated from quality findings and always shown first. Quality gate now fails on any high-severity security issue.

🎯 OWASP Top 10 rulesets — Semgrep now auto-detects your framework (Next.js, React, Express) and applies targeted rulesets including p/owasp-top-ten, p/security-audit, and framework-specific rules.

Supabase security scanner — Catches service role key exposure in client components, API routes without auth, admin client misuse, and RLS bypass patterns.

🛡️ Security headers scanner — Checks for missing CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.

📊 Grype integration — Deep dependency scanning with EPSS scores (exploit prediction) so you know which vulnerabilities are actually being exploited in the wild.

📋 Split FIXES.md — Security findings and quality findings are clearly separated. AI agents fix security issues first.

Quick Start

```bash
# Install
npm install -g @darrenjcoxon/vibeguard

# Install backend scanning tools
vibeguard --install-tools

# Scan your project
cd your-project
vibeguard

# Security-only scan (skip complexity/quality)
vibeguard --security-only

# Output as JSON
vibeguard -o json
```

Scanners (8 total)

Security Scanners

| Scanner | What it finds |
|---------|--------------|
| Semgrep | XSS, SQL injection, SSRF, open redirects, CSRF (OWASP Top 10) |
| Gitleaks | Hardcoded API keys, passwords, tokens, secrets |
| Grype | Vulnerable dependencies with CVSS + EPSS exploit prediction |
| npm-audit | Known CVEs in npm packages |
| Supabase Security | Service key exposure, missing auth, RLS bypass |
| Security Headers | Missing CSP, HSTS, X-Frame-Options, etc. |

Quality Scanners

| Scanner | What it finds |
|---------|--------------|
| ESLint | Linting issues, React hooks violations, code quality |
| Complexity | Cyclomatic complexity, overly long functions |

Quality Gate (Security-Weighted)

The v2.0 quality gate prioritises security:

| Rule | Threshold | Fails build? |
|------|-----------|-------------|
| Critical findings | 0 | ✅ Yes |
| High security findings | 0 | ✅ Yes |
| Secret findings | 0 | ✅ Yes |
| Auth findings (high+) | 0 | ✅ Yes |
| High quality findings | ≤ 10 | ❌ No (warning) |

This means: a complex function won't fail your build, but an exposed API key or missing auth check will.
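The gate rules in the table above, as an added example in JavaScript that is not vibeguard's own code; the finding fields (scanner, category, severity, type, file, line, message) and the sample findings are assumed for illustration.

```javascript
// Added example, not vibeguard's own code: a security-weighted quality gate
// implementing the rules in the table above. The finding shape (scanner,
// category, severity, type, file, line, message) is assumed for illustration.
const HIGH_QUALITY_WARN_LIMIT = 10;

function evaluateQualityGate(findings) {
  const count = (pred) => findings.filter(pred).length;
  const highOrAbove = (f) => f.severity === 'high' || f.severity === 'critical';

  // Rules with a threshold of 0 that fail the build: any critical finding,
  // any high security finding, any secret, any high-or-critical auth finding.
  const failRules = [
    ['Critical findings', count((f) => f.severity === 'critical')],
    ['High security findings', count((f) => f.category === 'security' && f.severity === 'high')],
    ['Secret findings', count((f) => f.type === 'secret')],
    ['Auth findings (high+)', count((f) => f.type === 'auth' && highOrAbove(f))],
  ];
  const failures = failRules
    .filter(([, n]) => n > 0)
    .map(([rule, n]) => `${rule}: ${n} (threshold 0)`);

  // Quality findings never fail the build; they only warn past the threshold.
  const highQuality = count((f) => f.category === 'quality' && f.severity === 'high');
  const warnings = highQuality > HIGH_QUALITY_WARN_LIMIT
    ? [`High quality findings: ${highQuality} (threshold ${HIGH_QUALITY_WARN_LIMIT})`]
    : [];

  return { pass: failures.length === 0, failures, warnings };
}

// Constructed sample findings (not real scan output): one exposed key plus
// one complex function. The key alone must fail the gate.
const SAMPLE_SECRET_AND_COMPLEXITY = [
  { scanner: 'gitleaks', category: 'security', severity: 'high', type: 'secret',
    file: 'lib/supabase.ts', line: 4, message: 'Hardcoded Supabase service role key' },
  { scanner: 'complexity', category: 'quality', severity: 'medium', type: 'complexity',
    file: 'app/page.tsx', line: 12, message: 'Cyclomatic complexity 23' },
];

// Constructed sample: twelve high-severity lint findings, which exceed the
// quality threshold but only produce a warning.
const SAMPLE_MANY_HIGH_QUALITY = Array.from({ length: 12 }, (_, i) => ({
  scanner: 'eslint', category: 'quality', severity: 'high', type: 'lint',
  file: `src/file${i}.ts`, line: 1, message: 'react-hooks/rules-of-hooks',
}));
```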

FIXES.md Output

The generated FIXES.md is split into two sections:

```markdown
## 🔒 Security Findings       ← Fix these FIRST
### 🔴 CRITICAL
### 🟠 HIGH
### 🟡 MEDIUM

## 📋 Code Quality Findings    ← Fix when touching the file
### 🟡 MEDIUM
### Minor Issues (collapsed)
```

Each finding includes file path, line number, description, CWE/OWASP reference, and a specific fix suggestion that AI agents can action directly.

CLI Options

```text
vibeguard [path]              Scan a directory (default: current)
vibeguard --security-only     Only run security scanners
vibeguard --no-complexity     Skip complexity analysis
vibeguard --no-headers        Skip security headers check
vibeguard --no-supabase       Skip Supabase security check
vibeguard --install-tools     Auto-install semgrep, gitleaks, grype
vibeguard -o json             Output as JSON instead of FIXES.md
vibeguard -q                  Quiet mode (minimal output)
```

CI/CD Integration

```yaml
# GitHub Actions
- name: Security Scan
  run: |
    npm install -g @darrenjcoxon/vibeguard
    vibeguard --security-only
```

```sh
# Pre-commit hook
#!/bin/sh
vibeguard --security-only --quiet || exit 1
```

Requirements

  • Node.js ≥ 18
  • Semgrep — pip install semgrep (for SAST)
  • Gitleaks — brew install gitleaks (for secret detection)
  • Grype (optional) — brew tap anchore/grype && brew install grype (for EPSS scoring)

Or just run vibeguard --install-tools to install everything.

Author

Built by Darren Coxon for the vibe coding community.

License

MIT