
© 2026 – Pkg Stats / Ryan Hefner

vchk

v1.0.3

Published

Security scanner for AI-generated code

Downloads

441

Readme

VibeCheck

Security scanner purpose-built for AI-generated code. Catches the vulnerability patterns that AI coding tools systematically introduce — SQL injection, hardcoded secrets, missing auth, hallucinated packages, and more.

Not a generic linter. Not a SAST replacement. VibeCheck catches the class of bugs that exist because an AI wrote the code.

Why

  • 45% of AI-generated code contains security flaws (Veracode, 100+ LLMs)
  • AI-assisted developers produce SQL injection at 5.1x the rate of unassisted developers (Perry et al.)
  • 52% of developers don't review AI code before committing (Sonar 2026)
  • ~20% of AI-recommended packages don't exist in registries (Spracklen et al.)

Existing security tools were designed for human-written code. VibeCheck fills the gap.

Install

# Zero install — run directly
npx vibecheck

# Or install globally
npm install -g vibecheck

Quick Start

# Scan current directory
vibecheck

# Scan specific path
vibecheck ./src

# JSON output for CI/CD
vibecheck --json

# Only critical findings
vibecheck --severity critical

# CI mode — exit code 1 on findings
vibecheck --ci --severity critical

What It Detects

| Rule | ID | Severity | Detection |
|------|----|----------|-----------|
| SQL Injection (all variants) | VC-001 | CRITICAL | AST + regex |
| Log Injection | VC-011 | MEDIUM | Regex |
| XSS (dangerouslySetInnerHTML, innerHTML) | VC-012/015 | HIGH | AST + regex |
| Hardcoded Credentials | VC-018 | CRITICAL | Regex + entropy |
| Missing Auth on Routes | VC-020 | CRITICAL | AST |
| Insufficiently Random Values | VC-025 | HIGH | Regex + context |
| Hallucinated Packages | VC-036 | CRITICAL | Registry API |
| Overly Permissive CORS | VC-048 | HIGH | Regex |

Languages

  • Python (.py)
  • JavaScript (.js, .jsx, .mjs, .cjs)
  • TypeScript (.ts, .tsx)

CLI Flags

| Flag | Description |
|------|-------------|
| `vibecheck [path]` | Scan directory. Defaults to `.` |
| `--severity <level>` | Minimum severity: `critical`, `high`, `medium`, `low`. Default: `medium` |
| `--json` | Output JSON instead of terminal format |
| `--ci` | CI mode: exit code 1 on findings at or above the severity threshold |
| `--fix` | Auto-fix patterns that support it (limited in v1) |
| `--ignore <ids>` | Ignore specific pattern IDs. E.g. `--ignore VC-048,VC-011` |
| `--config <path>` | Path to `.vibecheckrc` config file |
| `--no-color` | Disable colored output |
| `--quiet` | Only output summary line |
| `--version` | Print version |
| `--help` | Print help |

Exit Codes

| Code | Meaning |
|------|---------|
| 0 | No findings at or above the threshold |
| 1 | Findings at or above the threshold |
| 2 | Scanner error |

Configuration

Create .vibecheckrc in your project root:

{
  "severity": "medium",
  "ignore": ["VC-011"],
  "exclude": ["**/test/**", "**/node_modules/**"],
  "languages": ["python", "javascript", "typescript"]
}

Also supports .vibecheckrc.json, vibecheck.config.js, or a "vibecheck" field in package.json.

GitHub Action

# .github/workflows/vibecheck.yml
name: VibeCheck
on: [push, pull_request]
jobs:
  vibecheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: vibecheck/action@v1
        with:
          severity: critical

Or run directly:

- run: npx vibecheck --ci --severity critical

How It Works

VibeCheck runs a 4-stage pipeline:

  1. Fast Pass (regex) — catches hardcoded secrets, Math.random(), CORS wildcards, log injection. Sub-100ms.
  2. AST Pass (Babel parser) — catches SQL injection, XSS, missing auth middleware. Structural analysis.
  3. Registry Check (npm/PyPI API) — catches hallucinated/non-existent packages.
  4. Report — deduplication, severity scoring with context multipliers, pattern chain detection.
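Stage 3 in code, as an added example rather than VibeCheck's own implementation: it pulls dependency names out of a `package.json` object and a `requirements.txt`, normalizes PyPI names the way the index does, and reports every name the registry oracle does not know. The sample manifests and the `KNOWN_NPM` / `KNOWN_PYPI` sets are constructed so the example runs offline; `existsOnNpm` shows the assumed shape of a live lookup and is not exercised here.

```javascript
// Added example of the registry-check stage; this is not VibeCheck's code.
// Dependency extraction and name normalization are mine; the sample
// package.json, requirements.txt and the KNOWN_* sets are constructed so the
// example runs offline (a real run asks the registries instead).

// All dependency names from a parsed package.json.
function npmDependencies(pkgJson) {
  const names = new Set();
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies']) {
    for (const name of Object.keys(pkgJson[field] || {})) names.add(name);
  }
  return [...names];
}

// Distribution names from requirements.txt: drop comments, option lines
// (-r, -e, --index-url), version specifiers, extras ([...]) and markers (;...).
function pipDependencies(text) {
  const names = [];
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*/, '').trim();
    if (!line || line.startsWith('-')) continue;
    const m = /^([A-Za-z0-9][A-Za-z0-9._-]*)/.exec(line);
    if (m) names.push(m[1]);
  }
  return names;
}

// PyPI names are case-insensitive and treat runs of "-", "_" and "." alike
// (PEP 503), so "Flask_SQLAlchemy" and "flask-sqlalchemy" are one project.
function normalizePyPI(name) {
  return name.toLowerCase().replace(/[-_.]+/g, '-');
}

// `exists(name)` is the registry oracle. Against the live registries it is an
// HTTP GET of https://registry.npmjs.org/<name> (scoped names encoded as
// @scope%2Fname) or https://pypi.org/pypi/<name>/json, where 404 means
// "no such package". It is injected here so the check is testable offline.
function findHallucinated(names, exists, normalize = (n) => n) {
  return names.filter((name) => !exists(normalize(name)));
}

// Live npm lookup (assumed shape; not exercised in this offline example).
async function existsOnNpm(name, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(`https://registry.npmjs.org/${name.replace('/', '%2F')}`);
  return res.status !== 404;
}

// Constructed inputs: the "-pro"/"-plus" names stand in for packages an
// assistant invented; KNOWN_* play the role of the registries.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { express: '^4.18.0', 'fastjson-validate-pro': '^2.0.0' },
  devDependencies: { '@types/node': '^20.0.0', 'jest-matchers-plus': '^1.0.0' },
};
const SAMPLE_REQUIREMENTS = [
  'requests>=2.31  # http client',
  'Flask_SQLAlchemy==3.1',
  'pandas-advanced-utils; python_version >= "3.9"',
  '-r base.txt',
].join('\n');
const KNOWN_NPM = new Set(['express', '@types/node']);
const KNOWN_PYPI = new Set(['requests', 'flask-sqlalchemy']);

// Returns the names each manifest references that the oracle does not know.
function demo() {
  return {
    npm: findHallucinated(npmDependencies(SAMPLE_PACKAGE_JSON), (n) => KNOWN_NPM.has(n)),
    pypi: findHallucinated(pipDependencies(SAMPLE_REQUIREMENTS), (n) => KNOWN_PYPI.has(n), normalizePyPI),
  };
}

console.log(demo());
```

Two caveats for anyone wiring this to the live registries: treat network errors and 5xx responses as "unknown", not as "missing", or a registry outage turns every dependency into a CRITICAL finding; and remember that existence is a weak signal, since a frequently hallucinated name can be registered by an attacker, so a name that does exist still deserves a look at its age, publisher and download history before it is trusted.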

Pattern Chains

When multiple vulnerabilities appear together, VibeCheck detects known attack chains:

  • "Unauthenticated Data Breach" — Missing auth + SQL injection
  • "Client-Side Illusion" — Missing auth + permissive CORS

False Positive Reduction

  • Skips test files, example files, fixtures
  • Ignores patterns inside comments
  • Entropy check for secret detection (filters out placeholders)
  • Function context for Math.random() (only flags security-relevant usage)
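To make stages 1 and 4 concrete, here is an added example (not VibeCheck's code) of a regex fast pass with the false-positive filters above, followed by a report stage that deduplicates, applies the severity threshold, derives the `--ci` exit code and recognizes the two pattern chains. Rule IDs, names and severities come from the table earlier on this page; the regexes, the 3.5-bit entropy cut-off, the context words and the sample file are assumptions, and the AST rules VC-001 and VC-020 are approximated with regexes so the example has no parser dependency.

```javascript
// Added example of the regex fast pass and report stages; it is not VibeCheck's
// own code. Rule IDs, names and severities follow the README's table; the
// regexes, the 3.5-bit entropy threshold, the context words and SAMPLE are
// assumptions. VC-001 and VC-020 are AST rules in the tool; regex stands in here.

const SEVERITY_RANK = { critical: 3, high: 2, medium: 1, low: 0 };

// Shannon entropy in bits per character: "YOUR_API_KEY_HERE" scores ~3.3, a 32-character random key 4.5 or more.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Blank out // and /* */ comments without shifting line numbers ("://" in URLs is left alone).
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, ' '))
    .replace(/(^|[^:])\/\/[^\n]*/gm, (m, pre) => pre + ' '.repeat(m.length - pre.length));
}

// Each rule is a global regex plus an optional `keep` filter (false-positive
// reduction) that sees the match and the text of the line it starts on.
const RULES = [
  { id: 'VC-001', name: 'SQL Injection via String Interpolation', severity: 'critical',
    re: /\.query\(\s*`[^`]*\$\{[^}]*req\.(?:params|query|body)/g },
  { id: 'VC-011', name: 'Log Injection', severity: 'medium',
    re: /console\.(?:log|info|warn|error)\([^)]*\$\{[^}]*req\.(?:params|query|body|headers)/g },
  { id: 'VC-018', name: 'Hardcoded Credentials', severity: 'critical',
    re: /(?:api[_-]?key|secret|password|token)\s*[:=]\s*['"]([^'"]{8,})['"]/gi,
    keep: (m) => shannonEntropy(m[1]) >= 3.5 },                  // drops placeholders
  { id: 'VC-020', name: 'Missing Auth on Route', severity: 'critical',   // handler right after the path: no middleware
    re: /app\.(?:get|post|put|delete|patch)\(\s*(['"])[^'"]*\1\s*,\s*(?:async\s*)?\(?\s*req\b/g },
  { id: 'VC-025', name: 'Insufficiently Random Value', severity: 'high',
    re: /Math\.random\(\)/g,
    keep: (m, line) => /token|secret|password|session|nonce|salt|otp/i.test(line) },
  { id: 'VC-048', name: 'Overly Permissive CORS', severity: 'high',
    re: /(?:Access-Control-Allow-Origin\W+|\borigin\s*:\s*)['"]\*['"]/g },
];

const CHAINS = [
  { name: 'Unauthenticated Data Breach', needs: ['VC-020', 'VC-001'] },
  { name: 'Client-Side Illusion', needs: ['VC-020', 'VC-048'] },
];

// Scan one file: kept findings (most severe first), the chains they form, a summary line, the --ci exit code.
function scanSource(file, src, { severity = 'medium', ignore = [] } = {}) {
  const text = stripComments(src);
  const lines = text.split('\n');
  const seen = new Set();
  const findings = [];
  for (const rule of RULES) {
    if (ignore.includes(rule.id)) continue;
    rule.re.lastIndex = 0;
    for (let m; (m = rule.re.exec(text)) !== null; ) {
      const line = text.slice(0, m.index).split('\n').length;
      if (rule.keep && !rule.keep(m, lines[line - 1])) continue;
      if (seen.has(`${rule.id}:${line}`)) continue;          // dedupe repeated hits
      seen.add(`${rule.id}:${line}`);
      findings.push({ id: rule.id, name: rule.name, severity: rule.severity, file, line });
    }
  }
  const min = SEVERITY_RANK[severity];
  const kept = findings.filter((f) => SEVERITY_RANK[f.severity] >= min)
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || a.line - b.line);
  const ids = new Set(kept.map((f) => f.id));
  const chains = CHAINS.filter((c) => c.needs.every((id) => ids.has(id))).map((c) => c.name);
  const counts = {};
  for (const f of kept) counts[f.severity] = (counts[f.severity] || 0) + 1;
  const summary = `${kept.length} findings: ` + Object.keys(counts).map((s) => `${counts[s]} ${s}`).join(' · ');
  return { findings: kept, chains, summary, exitCode: kept.length ? 1 : 0 };
}

// Constructed sample in the spirit of the README's sample output (not a real file).
const SAMPLE = [
  '// apiKey = "only a comment, must not be reported"',
  'const apiKey = "q8Zr2vT9xLm4Kp7WnS3yBd6FgH1jCk5E";',
  'const password = "YOUR_API_KEY_HERE";',
  "app.use(cors({ origin: '*' }));",
  "app.get('/api/users/:id', async (req, res) => {",
  '  console.log(`lookup ${req.params.id}`);',
  '  const result = await db.query(',
  '    `SELECT * FROM users WHERE id = ${req.params.id}`',
  '  );',
  '  const sessionToken = Math.random().toString(36).slice(2);',
  '  const shuffleSeed = Math.random();',
  '  res.json(result.rows);',
  '});',
].join('\n');

const REPORT = scanSource('src/api/users.js', SAMPLE);
console.log(REPORT.summary, REPORT.chains);
```

On the sample, the comment on line 1 and the placeholder on line 3 are dropped by the comment stripper and the entropy filter, `shuffleSeed` on line 11 is dropped by the context filter, and the remaining six findings form both chains; passing `{ severity: 'critical' }` keeps only the three criticals, so the CORS-dependent chain disappears with them. Chain detection here is per file because that is all the example sees; a real scan has to correlate across files, where a route and its handler usually live apart.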

Sample Output

  vibecheck v1.0.0 — scanning 47 files...

  ✗ CRITICAL  src/api/users.js:23                    (VC-001)
    SQL Injection via String Interpolation
    Query uses template literal with user input instead of parameterized query

    22 | app.get('/api/users/:id', async (req, res) => {
    23 |   const result = await db.query(
    24 |     `SELECT * FROM users WHERE id = ${req.params.id}`

    Fix: Use parameterized query with placeholder values

  ──────────────────────────────────────────────────
  vibecheck v1.0.0 · Scanned 47 files in 1.2s

  12 findings: 4 critical · 5 high · 3 medium
  ──────────────────────────────────────────────────
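The fix hint in that output, worked through as an added example (not from the README): the vulnerable handler next to its parameterized form, with a stub `db` that records what would reach the driver so the effect of a hostile `id` is visible without a database. The `$1` placeholder and the `query(text, values)` signature follow the node-postgres convention, which is an assumption; MySQL drivers use `?` instead.

```javascript
// Added example, not from the README: the vulnerable handler from the sample
// output beside the parameterized form that VC-001's fix hint asks for. `db`
// is a constructed stub that records what would reach the driver, so the
// effect of a hostile `id` is visible without a database.

function makeDb() {
  const calls = [];
  return {
    calls,
    query(text, values = []) { calls.push({ text, values }); return { rows: [] }; },
  };
}

// Vulnerable (VC-001): the request parameter becomes part of the SQL text,
// so "1 OR 1=1" rewrites the WHERE clause and matches every row.
function getUserVulnerable(db, req) {
  return db.query(`SELECT * FROM users WHERE id = ${req.params.id}`);
}

// Fixed: the SQL text is a constant with a placeholder and the value travels
// separately; whatever it contains, it can only ever be compared against `id`.
function getUserFixed(db, req) {
  return db.query('SELECT * FROM users WHERE id = $1', [req.params.id]);
}

// Constructed hostile request; returns what each version handed the driver.
function demo() {
  const hostile = { params: { id: '1 OR 1=1' } };
  const vulnDb = makeDb();
  const fixedDb = makeDb();
  getUserVulnerable(vulnDb, hostile);
  getUserFixed(fixedDb, hostile);
  return {
    vulnSql: vulnDb.calls[0].text,
    fixedSql: fixedDb.calls[0].text,
    fixedValues: fixedDb.calls[0].values,
  };
}

console.log(demo());
```

Parameterization is the whole fix; validating that `id` looks like an integer before the query is a reasonable extra guard, but it is not a substitute, because the same string-splicing pattern with a free-text column (a name, a search term) cannot be saved by input validation alone.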

Contributing

  1. Fork the repo
  2. Create a feature branch
  3. Add test fixtures in test/fixtures/ for any new detection patterns
  4. Write tests in test/rules/
  5. Submit a PR

Every rule must have:

  • Vulnerable code samples it catches (minimum 3 per language)
  • Safe code samples it does NOT flag (minimum 2 per language)

License

MIT