
vbguard

v1.0.2

Published

Security scanner for AI-generated code. Catches what traditional scanners miss.

Readme

vbguard

The definitive security scanner for AI-generated code.



45% of AI-generated code ships with known vulnerabilities. The Moltbook breach. The Lovable auth bypass. Hardcoded Supabase keys. Hallucinated npm packages. These aren't hypothetical — they're happening right now.

vbguard catches what Snyk, Semgrep, and SonarQube can't: the security mistakes unique to AI coding tools (Cursor, Claude Code, Copilot, Lovable, Bolt, Replit, v0).

npx vbguard .

No config. No account. No API key. Runs in milliseconds.


What It Catches

12 Scanner Categories

| Scanner | What It Detects | Severity |
|---------|----------------|----------|
| Hallucinated Packages | AI-invented npm/PyPI packages that don't exist (slopsquatting), typosquats of popular packages | Critical |
| Auth Flow Analyzer | Unprotected routes, inverted auth logic, JWT without expiration, weak JWT secrets, tokens in localStorage, WebSocket auth gaps | Critical-High |
| Vibe-Code Patterns | Security TODOs left as placeholders, hardcoded admin credentials, commented-out security code, AI signature markers | Critical-High |
| Input Validation | SQL injection, NoSQL injection, command injection, path traversal, XSS, ReDoS, file upload bypasses | Critical |
| Hardcoded Secrets | API keys (OpenAI, Stripe, AWS, GitHub, etc.), DB connection strings, JWTs, private keys | Critical |
| Frontend-Exposed Secrets | Server secrets in client-side code, Stripe secret keys in React components, service role keys in browser | Critical |
| Dangerous Functions | eval() with user input, pickle.loads(), unsafe YAML, SQL via template literals | Critical |
| Crypto Analyzer | MD5/SHA1 for passwords, Math.random() for tokens, hardcoded encryption keys, ECB mode, disabled SSL | Critical-High |
| Next.js Scanner | API keys in "use client", NEXT_PUBLIC_ on secrets, Server Actions without validation, SSR data leaks | Critical-High |
| Supabase Scanner | Service role key in client code, missing RLS, unfiltered select('*'), signup without email verification | Critical-High |
| Firebase Scanner | Permissive Firestore/RTDB/Storage rules, Admin SDK in client code, Cloud Functions without auth | Critical |
| Docker Scanner | Running as root, privileged containers, exposed DB ports, .env in images, no healthchecks | Medium-Critical |

Plus

  • Dangerous Dependencies — Compromised packages (event-stream), deprecated libs AI still suggests
  • Missing .gitignore — .env files about to be committed, secrets in git history
  • Permissive Configs — cors(*), debug=True, open database rules
  • Missing Security Middleware — No rate limiting, no helmet, no auth middleware

Comparison

| Feature | vbguard | Snyk | Semgrep | GitGuardian | TruffleHog |
|---------|---------|------|---------|-------------|------------|
| Hallucinated package detection | Yes | No | No | No | No |
| Auth flow analysis | Yes | No | Partial | No | No |
| AI-specific patterns (TODOs, placeholders) | Yes | No | No | No | No |
| Broken access control detection | Yes | No | Partial | No | No |
| Hardcoded secrets | Yes | Partial | Partial | Yes | Yes |
| Supabase RLS checks | Yes | No | No | No | No |
| Firebase rules analysis | Yes | No | Partial | No | No |
| Next.js-specific checks | Yes | No | Partial | No | No |
| JWT security analysis | Yes | No | Partial | No | No |
| Zero config | Yes | No | No | No | Yes |
| Offline mode | Yes | No | Yes | No | Yes |
| Free | Yes | Freemium | Freemium | Freemium | Yes |


Framework Support

  • Next.js — Server Actions, API routes, "use client" secrets, NEXT_PUBLIC_ misuse
  • Supabase — RLS policies, service role keys, anon key exposure, unfiltered queries
  • Firebase — Firestore/RTDB/Storage rules, Admin SDK, Cloud Functions auth
  • Express — Route auth, rate limiting, CORS, helmet, middleware chain
  • FastAPI — Dependency injection auth, debug mode, CORS configuration
  • Flask/Django — Secret keys, debug mode, CSRF protection

CLI Reference

# Basic scan
npx vbguard .

# Windows
npm exec vbguard .

# Only critical issues
vbguard . --severity=critical

# JSON output (for scripts)
vbguard . --json

# SARIF output (for GitHub Security tab)
vbguard . --ci

# HTML report
vbguard . --format=html

# Markdown report
vbguard . --format=md

# Security score
vbguard . --score

# Score badge URL
vbguard . --badge

# Generate fix suggestions file
vbguard . --fix

# Only scan changed files (git diff)
vbguard . --diff

# Watch mode (re-scan on file change)
vbguard . --watch

# Skip network checks (offline mode)
vbguard . --offline

# Ignore specific rules
vbguard . --ignore=secret/generic-jwt-token,vibe/ai-generated-marker

# Hide fix suggestions
vbguard . --no-fix

All Flags

| Flag | Description |
|------|-------------|
| --json | Output JSON |
| --format=X | Output format: table (default), json, sarif, md, html |
| --severity=X | Minimum severity: low, medium, high, critical |
| --ci | SARIF output for CI/CD |
| --score | Show security score (0-100) |
| --badge | Output shields.io badge URL |
| --fix | Generate .vbguard-fixes.md with fix suggestions |
| --diff | Only scan files changed since last commit |
| --watch | Watch mode with auto-rescan |
| --offline | Skip network checks |
| --skip-network | Alias for --offline |
| --ignore=X | Comma-separated rules/paths to ignore |
| --no-fix | Hide fix suggestions in output |
| -h, --help | Show help |
| -v, --version | Show version |


CI/CD Integration

GitHub Actions (Reusable Action)

name: Security Scan
on: [push, pull_request]

permissions:
  security-events: write
  pull-requests: write

jobs:
  vbguard:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: YOUR_USERNAME/vbguard@v1
        with:
          severity: low
          fail-on: high
          upload-sarif: true
          comment-on-pr: true

GitHub Actions (Simple)

name: Security Scan
on: [push, pull_request]

jobs:
  vbguard:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npx vbguard . --severity=high

Pre-commit Hook (Husky)

# .husky/pre-commit
npx vbguard -- --diff --severity=critical --offline

Pre-commit Framework

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/YOUR_USERNAME/vbguard
    rev: v1.0.0
    hooks:
      - id: vbguard

Configuration

.vbguardrc.json

{
  "severity": "medium",
  "ignore": ["secret/example-api-key"],
  "ignorePaths": ["test/", "scripts/", "*.test.js"],
  "format": "table",
  "enableNetworkChecks": true
}

vbguard.config.js

module.exports = {
  severity: 'medium',
  ignore: ['vibe/ai-generated-marker'],
  ignorePaths: ['test/', 'scripts/'],
  format: 'table',
  enableNetworkChecks: true,
};

.vbguardignore

Works like .gitignore — one pattern per line:

# Ignore test files
test/
*.test.js
*.spec.js

# Ignore specific rules
secret/generic-jwt-token

# Ignore scripts
scripts/

Inline Ignores

// vbguard-ignore-next-line
const hash = crypto.createHash("md5").update(data).digest("hex");

Security Score

--score outputs a single number from 0-100:

| Score | Rating | Color |
|-------|--------|-------|
| 90-100 | Secure | Green |
| 70-89 | Needs work | Yellow |
| 50-69 | At risk | Orange |
| 0-49 | Critical | Red |

Scoring: CRITICAL = -15pts, HIGH = -8pts, MEDIUM = -3pts, LOW = -1pt.

Use --badge to get a shields.io URL for your README.


How It Works

vbguard uses pattern matching (regex + structural analysis) against a curated ruleset of AI-specific vulnerability patterns. No AI, no API calls, no data leaves your machine.

The hallucinated package detector optionally queries npm and PyPI registries to verify packages exist. Use --offline to skip.

The ruleset is based on real-world breaches and research:

  • DryRun Security's March 2026 report (broken access control in every AI-generated app)
  • The Moltbook breach (Supabase RLS misconfiguration)
  • Tenzai's 2025 study (69 vulnerabilities across 5 AI coding tools)
  • Escape.tech's scan of 5,600 vibe-coded apps
  • Georgia Tech's Vibe Security Radar

Scanner Architecture

src/scanners/
  secrets.js              # Hardcoded API keys, tokens, connection strings
  dangerous-defaults.js   # Missing auth, rate limiting, CORS, headers
  dangerous-functions.js  # eval, pickle, SQL injection, XSS
  exposed-frontend.js     # Server secrets in client-side code
  permissive-configs.js   # Supabase, Firebase, Docker misconfigs
  dependencies.js         # Compromised/deprecated packages
  gitignore.js            # Missing .gitignore entries
  hallucinated-packages.js # AI-hallucinated packages, typosquats
  auth-flow.js            # Auth logic, JWT, OAuth, WebSocket auth
  vibe-patterns.js        # AI-specific code patterns
  input-validation.js     # SQL/NoSQL/command injection, XSS, ReDoS
  nextjs.js               # Next.js-specific security
  supabase.js             # Supabase-specific security
  firebase.js             # Firebase-specific security
  docker.js               # Docker/compose security
  crypto.js               # Cryptographic security

Contributing

Contributions welcome. If you've found a vulnerability pattern that AI tools commonly introduce, open a PR to add it.

Each scanner is a standalone module that exports a function receiving a file context object:

function scanMyPattern(ctx) {
  const { content, relativePath, ext, basename } = ctx;
  const findings = [];
  // ... pattern matching ...
  findings.push({
    rule: 'category/rule-name',
    severity: 'critical', // critical | high | medium | low
    file: relativePath,
    line: lineNumber,
    message: 'What is wrong and why it matters.',
    fix: 'How to fix it.',
  });
  return findings;
}
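The following is an added example, not code from the vbguard project, that puts the scanner contract above, the inline `vbguard-ignore-next-line` directive and the Security Score formula together in one runnable module. It implements two rules from the Crypto Analyzer row (MD5/SHA1 for passwords, Math.random() for tokens) against the ctx/findings shape described above. The rule ids (`crypto/weak-password-hash`, `crypto/math-random-token`), the sample file contents, the set of scanned extensions, and the assumption that the score starts at 100, subtracts the README's per-severity penalties and is clamped at 0 are all mine, not the project's.

```javascript
// Added example, not vbguard's own code. Rule ids, sample input and the
// "100 minus penalties, clamped at 0" score are assumptions made here.

// Two rules in the README's 'category/rule-name' style (names are hypothetical).
const RULES = [
  {
    rule: 'crypto/weak-password-hash',
    severity: 'high',
    pattern: /createHash\(\s*["'](md5|sha1)["']\s*\)/i,
    message: 'MD5/SHA1 are fast, unsalted hashes; password hashes must be slow and salted.',
    fix: 'Use bcrypt, scrypt or argon2 for passwords.',
  },
  {
    rule: 'crypto/math-random-token',
    severity: 'high',
    pattern: /Math\.random\(\)/,
    message: 'Math.random() is not cryptographically secure; tokens derived from it are predictable.',
    fix: 'Use crypto.randomBytes() or crypto.randomUUID().',
  },
];

const IGNORE_NEXT_LINE = /vbguard-ignore-next-line/;
const SCAN_EXTS = new Set(['.js', '.jsx', '.ts', '.tsx']); // assumption: JS/TS only

// Scanner module following the README contract: receives a file context,
// returns an array of finding objects with 1-based line numbers.
function scanWeakCrypto(ctx) {
  const { content, relativePath, ext } = ctx;
  const findings = [];
  if (!SCAN_EXTS.has(ext)) return findings;
  const lines = content.split('\n');
  for (let i = 0; i < lines.length; i++) {
    // Honor the inline suppression comment on the preceding line.
    if (i > 0 && IGNORE_NEXT_LINE.test(lines[i - 1])) continue;
    for (const r of RULES) {
      if (r.pattern.test(lines[i])) {
        findings.push({
          rule: r.rule,
          severity: r.severity,
          file: relativePath,
          line: i + 1,
          message: r.message,
          fix: r.fix,
        });
      }
    }
  }
  return findings;
}

// Scoring per the README: CRITICAL -15, HIGH -8, MEDIUM -3, LOW -1.
const PENALTY = { critical: 15, high: 8, medium: 3, low: 1 };

function securityScore(findings) {
  const deducted = findings.reduce((sum, f) => sum + (PENALTY[f.severity] || 0), 0);
  return Math.max(0, 100 - deducted); // assumption: start at 100, floor at 0
}

// Rating bands from the README's score table.
function rating(score) {
  if (score >= 90) return 'Secure';
  if (score >= 70) return 'Needs work';
  if (score >= 50) return 'At risk';
  return 'Critical';
}

// Constructed sample file: line 3 is suppressed by the directive on line 2,
// line 4 hashes a password with SHA1, line 5 builds a reset token with Math.random().
const SAMPLE = [
  "const crypto = require('crypto');",
  '// vbguard-ignore-next-line',
  "const etag = crypto.createHash('md5').update(body).digest('hex');",
  "const pwHash = crypto.createHash('sha1').update(password).digest('hex');",
  'const resetToken = Math.random().toString(36).slice(2);',
].join('\n');

function demo() {
  const ctx = { content: SAMPLE, relativePath: 'src/auth.js', ext: '.js', basename: 'auth.js' };
  const findings = scanWeakCrypto(ctx);
  const score = securityScore(findings);
  return { findings, score, rating: rating(score) };
}

console.log(JSON.stringify(demo(), null, 2)); // two HIGH findings, score 84, "Needs work"
```

Running the file prints the two findings (lines 4 and 5; the MD5 on line 3 is silenced by the directive) and a score of 84, which the README's table rates as "Needs work". The same shape is what a `--json` consumer or a SARIF converter would read, so a new scanner that returns objects like these plugs into the rest of the pipeline without further glue.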

Changelog

v1.0.0

  • Hallucinated package detection (npm + PyPI registry checks, typosquat detection)
  • Auth flow analyzer (12+ patterns: inverted logic, JWT issues, WebSocket auth, OAuth)
  • Vibe-code pattern detector (security TODOs, placeholder data, AI markers, error leaks)
  • Input validation scanner (SQL/NoSQL/command injection, path traversal, XSS, ReDoS)
  • Framework scanners: Next.js, Supabase, Firebase, Docker (enhanced)
  • Crypto analyzer (weak hashing, Math.random, hardcoded keys, ECB, SSL, cookies)
  • Smart CLI: --fix, --diff, --watch, --ci (SARIF), --score, --badge, --format
  • Pre-commit hook support (Husky + pre-commit framework)
  • GitHub Action (reusable action with SARIF upload + PR comments)
  • HTML/Markdown/SARIF report output
  • .vbguardrc.json + vbguard.config.js configuration
  • .vbguardignore + inline ignores
  • Scan comparison (new/fixed since last scan)
  • 130+ tests

v0.4.0

  • Initial release with secrets, dangerous functions, configs, dependencies

License

MIT