@xclusive/vibeshield
v1.1.0
Published
Hybrid (AST + LLM) security scanner with multi-provider support for OpenAI, Anthropic, Google Gemini, and local Ollama
Downloads
16
Maintainers
Readme
Vibeshield
Hybrid (AST + LLM) security scanner with multi-provider LLM support for detecting application vulnerabilities. Inspired by Vercel's deepsec.
Overview
Vibeshield uses a two-phase approach to minimize LLM API costs while maximizing detection accuracy:
- AST Static Scanner (zero-cost) - Fast pattern matching across source code to identify candidate vulnerability sites
- LLM Investigation (targeted) - Only flagged files are sent to your chosen LLM for deep security analysis
Supported LLM Providers
- OpenAI - gpt-4o-mini, gpt-4o, gpt-4-turbo
- Anthropic - claude-3-5-sonnet, claude-3-opus, claude-3-haiku
- Google Gemini - gemini-1.5-pro, gemini-2.0-flash
- Ollama - Run local LLMs without API keys
Installation
npm install -g vibeshieldOr install locally:
npm install
npm run build
vibeshield --helpQuick Start
1. Configure Your Provider
vibeshield initChoose your preferred LLM provider and enter your API key. Configuration is saved to ~/.config/vibeshield/config.json.
2. Run the Pipeline
# Full pipeline (scan → process → triage → revalidate → report)
vibeshield scan ./your-project
vibeshield process ./your-project
vibeshield triage ./your-project
vibeshield revalidate ./your-project
vibeshield report ./your-projectUsage
Commands
| Command | Description | LLM Cost |
|---------|-------------|----------|
| init | Interactive configuration setup | None |
| scan | AST pattern matching to find candidate sites | None |
| process | AI analysis of each candidate | Medium-High |
| triage | Severity classification (P0/P1/P2/LOW) | Micro-cents |
| revalidate | Independent audit to reduce false positives | Low-Medium |
| report | Generate Markdown/JSON/SARIF reports | None |
Configuration
View or modify your configuration:
vibeshield init # Reconfigure
cat ~/.config/vibeshield/config.json # View configCLI Flags
Override configuration at runtime:
# Use different provider
vibeshield process --provider openai --api-key sk-xxx
# Use specific model
vibeshield process --model gpt-4o-mini
# Set concurrency
vibeshield process --concurrency 10See CONFIG.md for full configuration guide.
AST Rules
| Rule ID | Name | Description |
|---------|------|-------------|
| VS-001 | raw-sql | Raw SQL queries with template literals (SQL injection) |
| VS-002 | missing-validation | Request body params typed as any (no input validation) |
| VS-003 | unsafe-eval | Use of eval() or Function() constructor |
| VS-004 | hardcoded-secret | Hardcoded passwords, API keys, tokens |
| VS-005 | unguarded-endpoint | Route handlers without auth guards |
| VS-006 | insecure-random | Math.random() in security-sensitive contexts |
Configuration
See CONFIG.md for comprehensive configuration guide covering:
- All supported providers
- Environment variables
- Configuration file format
- Priority/precedence rules
- Troubleshooting
Quick Setup Examples
Using OpenAI:
vibeshield init
# Select: OpenAI
# Enter API key when promptedUsing Local Ollama:
ollama serve # In separate terminal
vibeshield init
# Select: Ollama
# Enter: http://localhost:11434Using Environment Variables:
export OPENAI_API_KEY=sk-xxx
vibeshield process ./srcPipeline State
All pipeline state is stored in .vibeshield/data/<project-id>/:
files.json- AST scan candidatesfindings.json- LLM investigation resultsreport.json- Final confirmed findings
State is idempotent - delete the relevant file to re-run a stage.
Report Formats
- Markdown (
report.md) - Human-readable security report - JSON (
report.json) - Structured data for programmatic use - SARIF (
report.sarif.json) - Standard format for GitHub/IDE integration
Extending Rules
Add new rules in src/parsers/rules/:
import { AstRule } from "../../types/index.js";
export const myRule: AstRule = {
id: "VS-XXX",
name: "my-rule",
description: "Description of what this detects",
check: (node: TSESTree.Node): boolean => {
// Return true if this node matches the vulnerability pattern
return false;
},
};Then register it in src/parsers/ast-parser.ts:
import { myRule } from "./rules/my-rule.js";
const RULE_REGISTRY: Record<string, AstRule> = {
// ... existing rules
"my-rule": myRule,
};License
MIT
