JSPM

@xclusive/vibeshield

1.1.0
  • Downloads 3
  • License MIT

Hybrid (AST + LLM) security scanner with multi-provider support for OpenAI, Anthropic, Google Gemini, and local Ollama

Package Exports

  • @xclusive/vibeshield
  • @xclusive/vibeshield/dist/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@xclusive/vibeshield) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

Vibeshield

Hybrid (AST + LLM) security scanner with multi-provider LLM support for detecting application vulnerabilities. Inspired by Vercel's deepsec.

Overview

Vibeshield uses a two-phase approach to minimize LLM API costs while maximizing detection accuracy:

  1. AST Static Scanner (zero-cost) - Fast pattern matching across source code to identify candidate vulnerability sites
  2. LLM Investigation (targeted) - Only flagged files are sent to your chosen LLM for deep security analysis

Supported LLM Providers

  • OpenAI - gpt-4o-mini, gpt-4o, gpt-4-turbo
  • Anthropic - claude-3-5-sonnet, claude-3-opus, claude-3-haiku
  • Google Gemini - gemini-1.5-pro, gemini-2.0-flash
  • Ollama - Run local LLMs without API keys

Installation

npm install -g @xclusive/vibeshield

The package on this page is published under the @xclusive scope (see the package name at the top), so install it under that name.

Or build from a source checkout:

npm install
npm run build
vibeshield --help

The build writes the CLI entry point to dist/index.js. To get a vibeshield command on your PATH from a checkout, run npm link in the project directory, or invoke node dist/index.js directly.

Quick Start

1. Configure Your Provider

vibeshield init

Choose your preferred LLM provider and enter your API key. Configuration is saved to ~/.config/vibeshield/config.json. That file holds the API key in plain text, so keep it readable only by your user (chmod 600) and do not copy it into a repository or a shared image.

2. Run the Pipeline

# Full pipeline (scan → process → triage → revalidate → report)
vibeshield scan ./your-project
vibeshield process ./your-project
vibeshield triage ./your-project
vibeshield revalidate ./your-project
vibeshield report ./your-project

Usage

Commands

Command      Description                                     LLM Cost
init         Interactive configuration setup                 None
scan         AST pattern matching to find candidate sites    None
process      AI analysis of each candidate                   Medium-High
triage       Severity classification (P0/P1/P2/LOW)          Micro-cents
revalidate   Independent audit to reduce false positives     Low-Medium
report       Generate Markdown/JSON/SARIF reports            None

Configuration

View or modify your configuration:

vibeshield init                    # Reconfigure
cat ~/.config/vibeshield/config.json  # View config

CLI Flags

Override configuration at runtime:

# Use different provider
vibeshield process --provider openai --api-key sk-xxx

# Use specific model
vibeshield process --model gpt-4o-mini

# Set concurrency
vibeshield process --concurrency 10

Passing --api-key on the command line leaves the key in your shell history and exposes it to other local users through the process list; for anything beyond a one-off test, prefer the environment variable shown under Quick Setup Examples.

See CONFIG.md for full configuration guide.

AST Rules

Rule ID   Name                 Description
VS-001    raw-sql              Raw SQL queries with template literals (SQL injection)
VS-002    missing-validation   Request body params typed as any (no input validation)
VS-003    unsafe-eval          Use of eval() or Function() constructor
VS-004    hardcoded-secret     Hardcoded passwords, API keys, tokens
VS-005    unguarded-endpoint   Route handlers without auth guards
VS-006    insecure-random      Math.random() in security-sensitive contexts

Configuration

See CONFIG.md for comprehensive configuration guide covering:

  • All supported providers
  • Environment variables
  • Configuration file format
  • Priority/precedence rules
  • Troubleshooting

Quick Setup Examples

Using OpenAI:

vibeshield init
# Select: OpenAI
# Enter API key when prompted

Using Local Ollama:

ollama serve  # In separate terminal
vibeshield init
# Select: Ollama
# Enter: http://localhost:11434

Using Environment Variables:

export OPENAI_API_KEY=sk-xxx
vibeshield process ./src

Pipeline State

All pipeline state is stored in .vibeshield/data/<project-id>/:

  • files.json - AST scan candidates
  • findings.json - LLM investigation results
  • report.json - Final confirmed findings

Each stage writes its output file once and is skipped on later runs while that file exists; delete the relevant file to re-run that stage. These files describe suspected vulnerabilities in your project, so keep .vibeshield/ out of version control and handle it with the same care as the final report.

Report Formats

  • Markdown (report.md) - Human-readable security report
  • JSON (report.json) - Structured data for programmatic use
  • SARIF (report.sarif.json) - Standard format for GitHub/IDE integration
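The SARIF output is what makes the GitHub integration work, and it is worth knowing what the minimum viable document looks like when you inspect or post-process report.sarif.json. The following is an added example and not vibeshield's own report writer: it builds a SARIF 2.1.0 log from confirmed findings. The Finding shape, the rule-name fields and the mapping of the P0/P1/P2/LOW triage buckets onto SARIF's error/warning/note levels are assumptions for the example, because the page does not document the schema of report.json.

```typescript
// Added example, not vibeshield's own code: the minimal SARIF 2.1.0 structure that
// GitHub code scanning accepts, built from confirmed findings. The Finding shape and
// the severity-to-level mapping are assumptions; vibeshield's report.json schema is
// not documented on this page.

type Severity = "P0" | "P1" | "P2" | "LOW";

export interface Finding {
  ruleId: string;
  ruleName: string;
  severity: Severity;
  file: string; // path relative to the project root, forward slashes
  line: number;
  message: string;
}

// SARIF levels are error/warning/note/none; collapse the four triage buckets (assumed mapping).
export function sarifLevel(severity: Severity): "error" | "warning" | "note" {
  if (severity === "P0" || severity === "P1") return "error";
  return severity === "P2" ? "warning" : "note";
}

export function toSarif(findings: Finding[]) {
  // One rule descriptor per distinct ruleId; each result points at it by ruleIndex.
  const ruleIds = Array.from(new Set(findings.map((f) => f.ruleId)));
  const rules = ruleIds.map((id) => {
    const sample = findings.find((f) => f.ruleId === id)!;
    return { id, name: sample.ruleName, shortDescription: { text: sample.ruleName } };
  });
  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [
      {
        tool: { driver: { name: "vibeshield", rules } },
        results: findings.map((f) => ({
          ruleId: f.ruleId,
          ruleIndex: ruleIds.indexOf(f.ruleId),
          level: sarifLevel(f.severity),
          message: { text: f.message },
          locations: [
            {
              physicalLocation: {
                // %SRCROOT% tells GitHub the uri is relative to the repository root.
                artifactLocation: { uri: f.file, uriBaseId: "%SRCROOT%" },
                region: { startLine: f.line },
              },
            },
          ],
        })),
      },
    ],
  };
}

// Constructed sample findings (file names, lines and messages are made up for the example).
export const SAMPLE_FINDINGS: Finding[] = [
  { ruleId: "VS-001", ruleName: "raw-sql", severity: "P0", file: "src/db/users.ts", line: 42, message: "Interpolated template literal passed to db.query" },
  { ruleId: "VS-004", ruleName: "hardcoded-secret", severity: "P2", file: "src/config.ts", line: 8, message: "API key literal assigned to a config field" },
  { ruleId: "VS-001", ruleName: "raw-sql", severity: "LOW", file: "scripts/migrate.ts", line: 17, message: "Interpolated template literal in a one-off migration" },
];

export const SARIF = toSarif(SAMPLE_FINDINGS);
```

A document of this shape can be uploaded with the github/codeql-action/upload-sarif action; GitHub requires the uri values to be repository-relative, which is why the example sets uriBaseId to %SRCROOT% rather than emitting absolute paths from the scanning machine.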

Extending Rules

Add new rules in src/parsers/rules/:

// Assumed: TSESTree types come from the typescript-eslint parser package used by the project.
import type { TSESTree } from "@typescript-eslint/typescript-estree";
import { AstRule } from "../../types/index.js";

export const myRule: AstRule = {
  id: "VS-XXX",                 // next unused VS-nnn identifier
  name: "my-rule",              // key the rule is registered under
  description: "Description of what this detects",
  // Called once per AST node; return true to flag the node as a candidate site
  // that the process stage will hand to the LLM.
  check: (node: TSESTree.Node): boolean => {
    // Inspect node.type and its children here and return true on a match.
    return false;
  },
};

Then register it in src/parsers/ast-parser.ts:

import { myRule } from "./rules/my-rule.js";

const RULE_REGISTRY: Record<string, AstRule> = {
  // ... existing rules
  "my-rule": myRule,
};
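To make the AST Rules table and the rule template above concrete, here is an added example (not vibeshield's own implementation) of a VS-001-style raw-sql check together with the walker that applies registered rules to every node, run over a small constructed AST. It assumes a minimal ESTree-shaped node type standing in for TSESTree.Node, and the method names in SQL_SINKS are a guess at which calls a real rule would treat as SQL execution; the sample program and its line numbers are constructed. It also shows the two cases a rule like this must not flag: a parameterised query and a template literal that never reaches a SQL sink.

```typescript
// Added example, not vibeshield's own code: a VS-001-style "raw-sql" check and the
// walker that applies registered rules to every node, run over a constructed AST.
// Assumptions: a minimal ESTree-shaped EstNode type stands in for TSESTree.Node, and
// the method names in SQL_SINKS are a guess at what the real rule treats as SQL calls.

interface EstNode {
  type: string;
  loc?: { start: { line: number } };
  [key: string]: unknown;
}

interface AstRule {
  id: string;
  name: string;
  description: string;
  check: (node: EstNode) => boolean;
}

// Method names treated as SQL execution sinks (assumption for this example).
const SQL_SINKS = new Set(["query", "execute", "raw"]);

export const rawSql: AstRule = {
  id: "VS-001",
  name: "raw-sql",
  description: "Raw SQL queries with template literals (SQL injection)",
  check: (node) => {
    if (node.type !== "CallExpression") return false;
    const callee = node.callee as EstNode;
    if (callee.type !== "MemberExpression") return false;
    const prop = callee.property as EstNode;
    if (prop.type !== "Identifier" || !SQL_SINKS.has(prop.name as string)) return false;
    const first = (node.arguments as EstNode[])[0];
    if (!first || first.type !== "TemplateLiteral") return false;
    // A template with no ${} holes is a constant string; only interpolated
    // templates are candidate injection sites.
    return (first.expressions as EstNode[]).length > 0;
  },
};

export interface Candidate {
  ruleId: string;
  line: number;
}

// Depth-first walk over any ESTree-shaped tree, applying every rule to every node.
export function scan(root: EstNode, rules: AstRule[]): Candidate[] {
  const hits: Candidate[] = [];
  const isNode = (v: unknown): v is EstNode =>
    typeof v === "object" && v !== null && typeof (v as EstNode).type === "string";
  const visit = (n: EstNode): void => {
    for (const rule of rules) {
      if (rule.check(n)) hits.push({ ruleId: rule.id, line: n.loc?.start.line ?? 0 });
    }
    for (const value of Object.values(n)) {
      if (Array.isArray(value)) value.filter(isNode).forEach(visit);
      else if (isNode(value)) visit(value);
    }
  };
  visit(root);
  return hits;
}

// Small builders for the constructed sample program below.
const ident = (name: string): EstNode => ({ type: "Identifier", name });
const str = (value: string): EstNode => ({ type: "Literal", value });
const tpl = (expressions: EstNode[]): EstNode => ({ type: "TemplateLiteral", quasis: [], expressions });
const call = (obj: string, method: string, args: EstNode[], line: number): EstNode => ({
  type: "CallExpression",
  callee: { type: "MemberExpression", object: ident(obj), property: ident(method) },
  arguments: args,
  loc: { start: { line } },
});

// Constructed AST for three statements (line numbers are made up):
//   3: db.query(`SELECT * FROM users WHERE id = ${userId}`)    -> flagged
//   7: db.query("SELECT * FROM users WHERE id = $1", [userId]) -> parameterised, not flagged
//  11: logger.info(`lookup for ${userId}`)                     -> template, but not a SQL sink
export const SAMPLE_PROGRAM: EstNode = {
  type: "Program",
  body: [
    { type: "ExpressionStatement", expression: call("db", "query", [tpl([ident("userId")])], 3) },
    { type: "ExpressionStatement", expression: call("db", "query", [str("SELECT * FROM users WHERE id = $1"), { type: "ArrayExpression", elements: [ident("userId")] }], 7) },
    { type: "ExpressionStatement", expression: call("logger", "info", [tpl([ident("userId")])], 11) },
  ],
};

export const CANDIDATES = scan(SAMPLE_PROGRAM, [rawSql]);
// CANDIDATES -> [{ ruleId: "VS-001", line: 3 }]
```

The check deliberately stays syntactic: it answers "could this be an injection site?" and leaves the question of whether userId is attacker-controlled to the LLM investigation stage, which is exactly the division of labour the two-phase pipeline relies on. Keeping the static rule narrow (interpolated template, known sink) is what keeps the process stage's cost proportional to real candidates rather than to every template literal in the codebase.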

License

MIT