JSPM

  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 2
  • Score
    100M100P100Q44902F
  • License MIT

Security scanner for AI-generated code. Catches what traditional scanners miss.

Package Exports

  • vbguard
  • vbguard/src/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (vbguard) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

vbguard

Security scanner for AI-generated code. Catches what Snyk, Semgrep, and GitGuardian miss.

npm version npm downloads License: MIT

Vibe coding is fast. But 45% of AI-generated code ships with known vulnerabilities. The Moltbook breach, the pickle exploits, the hardcoded Supabase keys -- all caused by patterns that traditional scanners weren't designed to catch.

vbguard scans your codebase for security mistakes that AI coding tools (Cursor, Claude Code, Copilot, Lovable, Bolt, Replit) introduce most often. It also does things no other scanner can -- like detecting hallucinated packages and broken auth flows.

Quick Start

npx vbguard .

No config. No account. No API key. Runs in milliseconds.

Get Your Security Score

npx vbguard . --score
  vbguard security score:

  ████████████████░░░░ 78/100 -- good

  * 0 critical
  * 2 high
  * 3 medium
  * 1 low

What It Catches

Core Scanners

Category Examples Severity
Hardcoded Secrets API keys, DB connection strings, JWTs, private keys inline in code Critical
Frontend-Exposed Secrets Stripe secret keys, service role tokens, DB URLs in client-side code Critical
Dangerous Functions pickle.loads(), eval() with user input, SQL injection via f-strings/template literals Critical
Missing Auth Express/Flask/FastAPI servers with no authentication middleware High
Permissive Configs cors(*), debug=True, Firebase rules allow: if true, Supabase without RLS High
No Rate Limiting HTTP servers without rate limiting middleware High
Dangerous Dependencies Compromised packages (event-stream, faker), deprecated libs AI still suggests Medium
Missing .gitignore .env files not gitignored, secrets about to be committed Critical
Docker Misconfigs Running as root, copying .env into images, exposed DB ports Medium-High

Hallucinated Package Detector (unique to vbguard)

AI tools frequently invent package names that don't exist. If someone registers that name with malicious code, your project is compromised.

  • CRITICAL: Package doesn't exist on npm/PyPI (hallucinated by AI)
  • HIGH: Package created less than 30 days ago (potential typosquat)
  • HIGH: Package name within edit distance 1-2 of a popular package (lodas vs lodash)
# Skip online checks for offline environments
npx vbguard . --offline

Auth Flow Analyzer (Snyk can't do this)

Snyk and Semgrep cannot catch broken auth because it requires understanding application semantics. vbguard detects:

Pattern Why It Matters
JWT with no expiration Stolen tokens grant permanent access
JWT with weak/hardcoded secret Anyone can forge valid tokens
User enumeration Different errors for "user not found" vs "wrong password" reveal valid emails
Tokens in localStorage Vulnerable to XSS -- use httpOnly cookies
OAuth open redirects Unvalidated redirect_uri lets attackers steal tokens
Password reset without rate limiting Enables brute-force of reset tokens
Signup with no email verification Allows fake account creation
Inverted auth checks The exact Lovable/Moltbook bug: blocking authenticated users, allowing anonymous
API routes with no auth middleware Publicly accessible endpoints
Supabase signUp with no email confirmation Anyone can register with any email

Vibe-Code Patterns (unique to AI-generated code)

Patterns that only appear in AI-generated code, not human code:

Pattern Why It Matters
Security TODO comments TODO: add authentication -- AI leaves these as placeholders and never comes back
Placeholder data in production test@test.com, John Doe, password123 shipped to prod
Sensitive data in console.log console.log(password), console.log(token) -- debugging leftovers
Commented-out security code Auth checks, validation, rate limiting disabled during debugging
AI-generated markers "Created with Cursor", "Copilot suggestion" -- indicates unreviewed code
Error stack trace leaks res.status(500).send(err.stack) exposes internals to attackers
Silent error swallowing catch(e) {} -- security failures silently ignored

Framework-Specific Scanners

Next.js

Pattern Severity
API keys in "use client" components Critical
Missing middleware.ts for auth Medium
Server Actions with no input validation High
publicRuntimeConfig exposing secrets Critical
API routes with no auth checks Medium
NEXT_PUBLIC_ prefix on sensitive env vars Critical

Supabase

Pattern Severity
Service role key in client-side code Critical
.from('table').select('*') with no filter Medium
Anon key used with no RLS High
Public storage buckets with no policies Medium
SECURITY DEFINER functions without auth checks High

Firebase

Pattern Severity
Firestore rules with allow read, write: if true Critical
Realtime Database rules with .read: true at root Critical
Storage rules with no auth condition Critical/High
Firebase Admin SDK in client-side code Critical
Firebase config with no App Check Medium

Comparison

Feature vbguard Snyk Semgrep GitGuardian
Hardcoded secrets Yes Partial Yes Yes
Hallucinated package detection Yes No No No
Auth flow analysis Yes No No No
AI-code-specific patterns Yes No No No
Next.js-specific rules Yes No Partial No
Supabase security Yes No No No
Firebase security Yes Partial Partial No
Security score Yes No No No
Zero config Yes No No No
Runs offline Yes No Yes No
Free & open source Yes Partial Yes Partial
Speed < 100ms Minutes Seconds Seconds

Usage

# Scan current directory
npx vbguard .

# Scan a specific project
npx vbguard ./my-app

# Only show high and critical issues
npx vbguard . --severity=high

# Output as JSON
npx vbguard . --json

# Security score (0-100)
npx vbguard . --score

# Generate fix suggestions file
npx vbguard . --fix

# Only scan git-changed files (fast!)
npx vbguard . --diff

# Watch mode -- re-scans on file changes
npx vbguard . --watch

# SARIF output for GitHub Code Scanning
npx vbguard . --ci

# Skip online checks (hallucinated packages)
npx vbguard . --offline

# Hide fix suggestions
npx vbguard . --no-fix

# Ignore specific directories
npx vbguard . --ignore=tests,scripts

CI/CD Integration

GitHub Actions (SARIF)

vbguard outputs SARIF format, which integrates directly with GitHub's Security tab:

name: vbguard Security Scan
on: [push, pull_request]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Run vbguard
        run: npx vbguard@latest . --ci --offline > results.sarif || true
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
        if: always()

Simple CI (fail on critical/high)

- run: npx vbguard . --severity=high --offline

vbguard exits with code 1 if critical or high issues are found, blocking the deploy.

Pre-Commit Hook

Option 1: Husky

npm install --save-dev husky
npx husky init
echo "npx vbguard-precommit" > .husky/pre-commit

Option 2: Manual git hook

cat > .git/hooks/pre-commit << 'EOF'
#!/bin/sh
npx vbguard-precommit
EOF
chmod +x .git/hooks/pre-commit

The pre-commit hook:

  • Only scans staged files (fast)
  • Blocks commits with critical or high issues
  • Shows exactly what was blocked and why
  • Skips online checks for speed
  • Use git commit --no-verify to bypass if needed

Example Output

  vbguard v0.5.0
  Security scanner for AI-generated code

  Scanning: /Users/dev/my-vibe-app

  CRITICAL (3)

    > secret/openai-api-key
      src/api/chat.ts:5
      Hardcoded OpenAI API Key detected.
      Fix: Move to environment variable OPENAI_API_KEY.

    > auth/jwt-weak-secret
      src/auth/login.ts:23
      JWT signed with weak secret "password". Anyone can forge tokens.
      Fix: Use a strong random secret from process.env.JWT_SECRET.

    > hallucinated/npm-package-not-found
      package.json
      Package "react-auth-helper" does not exist on npm.
      Fix: Remove and search for the correct package name.

  HIGH (2)

    > vibe/security-todo-left-behind
      src/middleware.ts:12
      "TODO: add authentication before deploying"
      Fix: Implement the security feature now.

    > auth/token-in-localstorage
      src/hooks/useAuth.ts:45
      Auth token stored in localStorage. Vulnerable to XSS.
      Fix: Use httpOnly cookies instead.

  -----------------------------------------
  5 issues found: 3 critical, 2 high
  Scanned 24 files in 12ms

  Fix critical and high severity issues before deploying!

Supported Languages

  • JavaScript / TypeScript -- Express, Fastify, Next.js, React, Vue, Svelte
  • Python -- Flask, FastAPI, Django

How It Works

vbguard uses pattern matching (regex + structural analysis) against a curated ruleset of AI-specific vulnerability patterns. No AI, no API calls (except optional package registry checks), no data leaves your machine.

The ruleset is based on real-world breaches and research:

  • The Moltbook breach (Supabase misconfiguration + inverted auth)
  • Tenzai's 2025 study (69 vulnerabilities across 5 AI coding tools)
  • Escape.tech's scan of 5,600 vibe-coded apps
  • Georgia Tech's Vibe Security Radar (tracking AI-generated CVEs)

Project Structure

src/scanners/
  secrets.js              # Hardcoded API keys, tokens, connection strings
  dangerous-defaults.js   # Missing auth, rate limiting, CORS, headers
  dangerous-functions.js  # eval, pickle, SQL injection, XSS
  exposed-frontend.js     # Server secrets in client-side code
  permissive-configs.js   # Docker misconfigs
  dependencies.js         # Compromised/deprecated packages
  gitignore.js            # Missing .gitignore entries
  hallucinated-packages.js # AI-hallucinated npm/PyPI packages
  auth-flow.js            # Broken auth patterns
  vibe-patterns.js        # AI-code-specific antipatterns
  nextjs.js               # Next.js framework rules
  supabase.js             # Supabase security rules
  firebase.js             # Firebase security rules

Contributing

Contributions welcome! If you've found a vulnerability pattern that AI tools commonly introduce, open a PR to add it.

  1. Add your pattern to the relevant scanner in src/scanners/
  2. Add a test case in test/test.js
  3. Run npm test to verify
  4. Open a PR with a description of the real-world scenario this catches

License

MIT