vibe-security-akoris
v2.0.1
Published
Algorithmic AST and Shannon entropy secret detector
Readme
VibeGuard
VibeGuard is a beta JavaScript/TypeScript secret scanner. It flags likely secrets by combining:
- AST context: the value is assigned to a sensitive-looking name such as
apiKey,token,secret,password, orauth. - Shannon entropy: the value is random-looking enough to pass the configured threshold.
This keeps simple placeholders like password = "test" and apiKey = "your-api-key" out of the results.
Install
npm installOr run it from another project:
npx vibe-security-akoris scanUsage
Scan the current project:
npm run scanScan without changing files:
npx vibe-security-akoris scanPreview fixes without writing anything:
npx vibe-security-akoris scan --dry-runReplace detected literals with process.env.NAME and write values to .env:
npx vibe-security-akoris scan --fixRun non-interactively:
npx vibe-security-akoris scan --fix --yesScan a specific path:
npx vibe-security-akoris scan --path srcUse in CI or pre-commit hooks:
npx vibe-security-akoris scan --ciSafety Defaults
- Default mode is scan-only. Files are changed only with
--fix. --dry-runshows the source,.env, and.gitignorechanges before editing.- Full secrets are never printed; output uses masked values like
sk-****abcd. - Existing
.envvalues are not overwritten. If a name already exists with a different value, VibeGuard creates a suffixed name and prints a warning. .gitignoregets.envonly when it is missing.- Common generated paths are ignored by default, including
.git,node_modules,dist,build,coverage, and lock files.
Output
Findings include file path, line, column, identifier, confidence, and reason:
src/app.js:12:21 apiKey confidence=medium sensitive identifier "apiKey" has entropy 4.73 above threshold 4.00Exit codes:
0 = no secrets found
1 = secrets found
2 = scanner/config/parse errorConfig
Create .vibeguardrc in your project root:
{
"entropyThreshold": 4.5,
"ignoredPaths": ["fixtures/**", "vendor/**"],
"maxFileSizeBytes": 2097152
}You can also add .vibeguardignore with simple glob patterns.
Pre-commit Protection
Install the Git hook:
npx --package vibe-security-akoris vibe-security-akoris-protectInstall without prompts:
npx --package vibe-security-akoris vibe-security-akoris-protect --yesThe hook scans staged JS/TS files and blocks the commit when validated secret candidates are found.
Supported Files
VibeGuard scans .js, .jsx, .mjs, .cjs, .ts, and .tsx.
Limitations
- JavaScript and TypeScript only.
- Beta scanner: it may miss secrets and may still report false positives.
- It checks string literals in supported AST contexts, not every possible way a secret can appear.
- It intentionally avoids vendor-specific API-key regex databases.
Feedback
Issues and feedback: https://github.com/akroshub/Vibeguard/issues
