Security audit for the app your AI just shipped.
vibe-sec scans vibe-coded apps for the predictable security gaps AI prototyping leaves behind — secrets in source, sketchy auth, stale dependencies, open CORS — and generates fixes proportional to what your app actually needs. For solo builders shipping fast and not wanting to get burned.
Includes 9 commands · 10 skills
Validated: A real Firebase app.
The predictable fingerprint of an AI-built app — found and fixed.
When an LLM builds your app, it optimizes for a working demo. vibe-sec classifies the gap between that and a deployable system, then works through it systematically — deferring to gitleaks, OSV-Scanner, and Semgrep when they're installed, and falling back to an in-house baseline when they're not.
Fast secret scan.
Defers to gitleaks / trufflehog when present, runs an in-house Layer A scanner when not. Classifies the app first so every finding is weighted by deployment tier, not an abstract ideal.
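To make the fallback concrete, here is an added example of what an in-house secret scanner of this kind does: known-prefix patterns for high-confidence hits plus a Shannon-entropy check on quoted literals assigned to secret-looking identifiers. This is illustrative code written for this page, not vibe-sec's Layer A scanner; the rule names, the entropy threshold and the sample source lines are constructed.

```javascript
// Added example of an in-house fallback secret scanner; this is not vibe-sec's own
// Layer A code. Rule names, thresholds and the sample source below are constructed.

// High-confidence patterns: token formats with a fixed, recognisable prefix.
const PATTERNS = [
  { id: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { id: "github-pat", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { id: "private-key-block", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
];

// Medium-confidence: a quoted literal of 16+ chars assigned to a secret-looking identifier.
const ASSIGNMENT = /\b\w*(?:api[_-]?key|secret|token|password|passwd)\w*\s*[:=]\s*["']([^"']{16,})["']/gi;

// Shannon entropy in bits per character; placeholders and zero-padding score low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

const ENTROPY_THRESHOLD = 3.5; // assumed cut-off; generated tokens usually sit well above it

function scanSource(text, path = "<input>") {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const { id, re } of PATTERNS) {
      re.lastIndex = 0;
      for (let m; (m = re.exec(line)) !== null; ) {
        findings.push({ rule: id, path, line: i + 1, col: m.index + 1, confidence: "high" });
      }
    }
    ASSIGNMENT.lastIndex = 0;
    for (let m; (m = ASSIGNMENT.exec(line)) !== null; ) {
      const entropy = shannonEntropy(m[1]);
      // Low-entropy values ("changeme...", all zeros) are placeholders, not leaked credentials.
      if (entropy >= ENTROPY_THRESHOLD) {
        findings.push({ rule: "high-entropy-assignment", path, line: i + 1, col: m.index + 1,
          confidence: "medium", entropy: Number(entropy.toFixed(2)) });
      }
    }
  });
  return findings;
}

// Constructed sample: line 2 uses the AWS documentation example key ID, line 4 a made-up token.
const SAMPLE = [
  'const region = "us-east-1";',
  'const AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";',
  'const password = "changemechangeme";',
  'const apiToken = "q8Zt3vKp1Xn7Rb2Ls9Wc4Yd6Fh0Jm5Ng";',
  'const sessionToken = "0000000000000000";',
].join("\n");

console.log(scanSource(SAMPLE, "config.js"));
```

Run against the sample it reports two findings: the AWS key on line 2 at high confidence and the 32-character token on line 4 at medium confidence, while the placeholder password and the zero-filled token are skipped by the entropy check. Each finding carries file, line and column so it can be surfaced as a CI annotation.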
Full tier-calibrated audit.
One pass across all ten concerns — secrets, dependencies, supply chain, config posture, crypto/PII, auth, the OWASP top 10, rate-limiting, and more — resolved into a single report across four severity bands.
Dependency + supply-chain check.
CVE cross-reference against direct and transitive deps, lockfile integrity, pinned-vs-floating audit, and typosquat detection — fast enough to run on every change.
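As an added illustration of the lockfile, pinned-vs-floating and typosquat parts of that check (not vibe-sec's implementation), the block below audits a package.json manifest. The popular-package list, the manifest and the file listing are constructed for the demo; the CVE cross-reference itself needs an advisory database and is left to a tool such as OSV-Scanner rather than reproduced here.

```javascript
// Added example of a lockfile, pinned-vs-floating and typosquat check over a package.json
// manifest; illustrative code, not vibe-sec's implementation. The popular-package list,
// the manifest and the file listing are constructed for the demo.

const POPULAR = ["express", "lodash", "react", "axios", "chalk", "dotenv"];

// Optimal-string-alignment distance: substitution, insertion, deletion and adjacent
// transposition each cost 1, so "lodahs" sits one edit from "lodash".
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        dp[i][j] = Math.min(dp[i][j], dp[i - 2][j - 2] + 1);
      }
    }
  }
  return dp[a.length][b.length];
}

// An exact version (optionally with a pre-release tag) is pinned; ranges, tags and URLs float.
const PINNED = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;
const LOCKFILES = ["package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml"];

function auditManifest(manifest, files) {
  const findings = [];
  const hasLock = LOCKFILES.some((f) => files.includes(f));
  if (!hasLock) findings.push({ rule: "missing-lockfile", severity: "high" });

  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  for (const [name, range] of Object.entries(deps)) {
    // A floating range is tolerable when a lockfile freezes the resolution; without one it is not.
    if (!PINNED.test(range)) {
      findings.push({ rule: "floating-version", package: name, range, severity: hasLock ? "low" : "medium" });
    }
    // A name one edit away from a well-known package is the classic typosquat shape.
    if (!POPULAR.includes(name)) {
      const lookalike = POPULAR.find((p) => editDistance(name, p) === 1);
      if (lookalike) findings.push({ rule: "possible-typosquat", package: name, lookalike, severity: "high" });
    }
  }
  return findings;
}

// Constructed manifest: "lodahs" is a transposition of "lodash".
const MANIFEST = {
  dependencies: { express: "4.18.2", lodahs: "^4.17.21", axios: "^1.6.0" },
  devDependencies: { chalk: "5.3.0" },
};
const FILES = ["package.json", "package-lock.json"];

console.log(auditManifest(MANIFEST, FILES));
```

With the lockfile present the floating ranges are reported at low severity and the lookalike name at high; drop the lockfile from the file listing and the same floating ranges move up to medium, with a missing-lockfile finding on top.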
Confidence-routed remediation.
Automated for high-confidence hygiene (gitignore entries, security headers, secrets out of source); guided templates for architectural issues. Destructive actions are gated behind explicit overrides.
CI pass/fail gate.
Exit codes 0/1/2 against your app's tier, with GitHub Actions annotations. Drops into a workflow without configuration.
Threat-model synthesis.
STRIDE / DREAD analysis from your app's real surface area. Outputs a Mermaid diagram plus Threat Dragon JSON you can open and edit.
Three more commands.
Run any directly — no scan required.
Router. State-aware next-step for your security posture.
Read-only tier-aware summary from cached state — no re-scan.
Re-run one concern's domain research to refresh the living briefs.
Three layers, one classifier, fixes you can ship.
vibe-sec separates security into three layers that compound. Hygiene is fully automatable: secrets out of source, headers added, CORS locked down. Architecture requires understanding how the app is built — does the auth actually protect the routes it claims to? Threat modeling asks what the realistic attack vectors are given this app's deployment context, and proposes a model for you to validate.
The classifier is what keeps it from being generic. The same finding — say, missing rate limiting — might be critical for a payment API and informational for a personal static site. vibe-sec classifies your app first (prototype → regulated enterprise); the tier sets the bar, not a one-size-fits-all checklist.
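The tier-calibrated gate described in the CI pass/fail section above and the rate-limiting example here can be shown together in code. The block below is an added example written for this page, not vibe-sec's own code: the tier ladder, the severity matrix, the warn/fail thresholds and the exit-code mapping (0 pass, 1 warn, 2 fail) are assumptions, since the page says only that the gate exits 0/1/2 against the app's tier and emits GitHub Actions annotations. The annotation format is the GitHub Actions workflow-command syntax (`::warning file=…,line=…,title=…::message`).

```javascript
// Added example (not vibe-sec's own code) of tier-calibrated severity and a CI gate.
// The tier ladder, the severity matrix, the warn/fail thresholds and the exit-code mapping
// (0 pass, 1 warn, 2 fail) are assumptions for the demo.

const TIERS = ["prototype", "public", "payments", "regulated"];
const BANDS = ["info", "low", "medium", "high", "critical"];

// Same finding, different bar: the matrix makes the classifier's weighting explicit.
const SEVERITY = {
  "secret-in-source":   { prototype: "high", public: "critical", payments: "critical", regulated: "critical" },
  "missing-rate-limit": { prototype: "info", public: "medium",   payments: "critical", regulated: "critical" },
  "open-cors":          { prototype: "low",  public: "high",     payments: "critical", regulated: "critical" },
};
const DEFAULT_ROW = { prototype: "info", public: "low", payments: "medium", regulated: "high" };

function calibrate(rule, tier) {
  if (!TIERS.includes(tier)) throw new Error(`unknown tier: ${tier}`);
  return (SEVERITY[rule] || DEFAULT_ROW)[tier];
}

const rank = (band) => BANDS.indexOf(band);

// Resolve findings at a tier, pick an exit code, and format GitHub Actions workflow
// commands (::warning / ::error with file and line) for the ones worth surfacing.
function gate(findings, tier, { warnOn = "medium", failOn = "high" } = {}) {
  const resolved = findings.map((f) => ({ ...f, severity: calibrate(f.rule, tier) }));
  const worst = resolved.reduce((m, f) => Math.max(m, rank(f.severity)), 0);
  const exitCode = worst >= rank(failOn) ? 2 : worst >= rank(warnOn) ? 1 : 0;
  const annotations = resolved
    .filter((f) => rank(f.severity) >= rank(warnOn))
    .map((f) => {
      const level = rank(f.severity) >= rank(failOn) ? "error" : "warning";
      return `::${level} file=${f.path},line=${f.line},title=${f.rule}::${f.severity} at ${tier} tier: ${f.message}`;
    });
  return { exitCode, resolved, annotations };
}

// Constructed findings for the demo.
const FINDINGS = [
  { rule: "missing-rate-limit", path: "src/routes/login.js", line: 12, message: "POST /login has no rate limiter" },
  { rule: "open-cors", path: "src/app.js", line: 8, message: "Access-Control-Allow-Origin is *" },
];

for (const tier of TIERS) {
  const { exitCode, annotations } = gate(FINDINGS, tier);
  console.log(tier, "exit", exitCode);
  annotations.forEach((a) => console.log(a));
}
```

The same two findings pass silently at the prototype tier, fail the build at the public tier (one warning, one error annotation), and are both critical for a payments app. In a workflow step, the process exit code is what the job sees, and the `::warning`/`::error` lines printed to stdout become annotations on the pull request.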
Install.
Stable marketplace
Nine commands, tier-aware. Latest main from the vibe-sec repo; a tagged release promotes it to the aggregated vibe-plugins marketplace.
/plugin marketplace add estevanhernandez-stack-ed/vibe-sec
/plugin install vibe-sec
Prefer a standalone binary for CI? npm install -g @esthernandez/vibe-sec-cli runs the secret scanner with no Claude Code required. vibe-sec defers to gitleaks, OSV-Scanner, and Semgrep when they're present.
One plugin in a family.
Vibe Plugins are a coordinated family — installed independently, composed when present.