@shieldnet360/securevibe
v0.10.2
Published
SecureVibe — one binary for AI-assisted secure coding: secret / dependency / Dockerfile / GitHub Actions scanning, an offline OSV cache, a CI gate, 30 security skills, and an MCP server (securevibe mcp).
Maintainers
Readme
@shieldnet360/securevibe
SecureVibe in one command — secret detection, dependency / CVE scanning (offline
OSV cache), Dockerfile & GitHub Actions hardening, a CI gate, 30 security skills,
and a Model Context Protocol server. It's a single
Go binary (securevibe); this package ships it plus the library data, with the
prebuilt binary delivered as a per-platform optional dependency.
As an MCP server
Reference it with npx in your MCP client config — no global install:
{
"mcpServers": {
"SecureVibe": {
"command": "npx",
"args": ["-y", "@shieldnet360/securevibe", "mcp"]
}
}
}On first run npm fetches this package plus the one prebuilt binary matching your
OS/CPU. The file-reading tools (scan_secrets, scan_dependencies,
scan_github_actions, scan_dockerfile, gate) default to the current working
directory; widen the allow-list by appending --allowed-roots /path/to/project to
the args.
As a CLI gate
The same binary is a scanner/gate for scripts, pre-commit hooks, and CI — no JSON-RPC, just an exit code:
# pick the right scanner for a file (or a whole directory) and fail (exit 1)
# on any finding at or above the severity floor
npx -y @shieldnet360/securevibe gate Dockerfile --severity-floor high
npx -y @shieldnet360/securevibe scan-dependencies .gate dispatches to the dependency / Dockerfile / GitHub Actions scanners by file
shape and falls back to a secret scan for anything else. The bundled data tree is
located automatically (no --path needed). Add --format json|sarif for CI.
How it's packaged
A thin Node launcher over the Go binary. This package declares one optional
dependency per platform (-darwin-arm64, -linux-x64, …) gated by os/cpu, so
npm installs only the binary for your machine — no postinstall download, works
offline and under npm ci --ignore-scripts. The library data (skills, the OSV
cache, checklists) ships once inside this package and is handed to the binary via
$SKILLS_LIBRARY_PATH.
Also available
- Go:
go install github.com/shieldnet-360/securevibe/cmd/securevibe@latest - Prebuilt binary:
curl -fsSL https://raw.githubusercontent.com/shieldnet-360/securevibe/main/install.sh | sh - Binaries + data tarball: attached to each GitHub Release.
License
MIT. See the repository.
