Security Rules
AI tools write incredible code in seconds. But just like a fast writer can make typos, AI can accidentally write security holes. Here is what VibeGuard catches.
What VibeGuard Catches
Exposed Secrets
Did the AI accidentally paste a real password or AWS API key into the source code? VibeGuard detects high-entropy strings and known key patterns.
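The two detection techniques named above, pattern matching for known key formats and a Shannon-entropy check on long string literals, as an added example written for this page (it is not VibeGuard's own code). The AWS access key ID format is the only known pattern included, the entropy threshold and minimum length are assumptions chosen for the demonstration, and the sample source is constructed.

```javascript
// Added example, not VibeGuard's implementation: a minimal secret scanner
// combining a known-key pattern with a Shannon-entropy check on string literals.

// Known key patterns; only the AWS access key ID format is used here.
const KEY_PATTERNS = [
  { rule: "secrets:aws-access-key", regex: /\bAKIA[0-9A-Z]{16}\b/ },
];

// Shannon entropy of a string in bits per character.
function shannonEntropy(str) {
  const counts = new Map();
  for (const ch of str) counts.set(ch, (counts.get(ch) || 0) + 1);
  let entropy = 0;
  for (const n of counts.values()) {
    const p = n / str.length;
    entropy -= p * Math.log2(p);
  }
  return entropy;
}

// Thresholds are assumptions for this example; a real scanner tunes them
// against its false-positive rate.
const MIN_LENGTH = 20;
const ENTROPY_THRESHOLD = 4.0;

// Scan source text line by line. Returns findings as {line, rule, value}.
function scanForSecrets(source) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    const lineNo = idx + 1;
    // Pull out double- or single-quoted string literals (escapes not handled).
    const literals = [...text.matchAll(/(["'])([^"'\\]*)\1/g)].map((m) => m[2]);
    for (const value of literals) {
      const known = KEY_PATTERNS.find((p) => p.regex.test(value));
      if (known) {
        findings.push({ line: lineNo, rule: known.rule, value });
        continue;
      }
      if (value.length >= MIN_LENGTH && shannonEntropy(value) >= ENTROPY_THRESHOLD) {
        findings.push({ line: lineNo, rule: "secrets:high-entropy", value });
      }
    }
  });
  return findings;
}

// Constructed sample source: the AWS key ID is the documented placeholder
// value, the token is a made-up 32-character string with no repeated
// characters (entropy = 5 bits/char), the rest is harmless.
const SAMPLE_SOURCE = [
  'const KEY = "AKIAIOSFODNN7EXAMPLE";',
  'const TOKEN = "aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW";',
  'const GREETING = "hello hello hello hello";',
  'const REGION = "us-east-1";',
].join("\n");

console.log(scanForSecrets(SAMPLE_SOURCE));
```

Running the block reports two findings: line 1 by pattern and line 2 by entropy. The 23-character greeting clears the length bar but has an entropy of roughly 2.2 bits/char, so it is not flagged; that gap between repetitive text and random-looking material is what the entropy rule relies on.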
SQL Injection
Did the AI write a raw database query using unsanitized string concatenation that a hacker could exploit to drop your database?
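A heuristic version of that check, added here as an example and not VibeGuard's own rule: it flags query calls whose SQL text is assembled by string concatenation or template interpolation and leaves the parameterised form alone. The set of query-call names and the sample source are assumptions made for the demonstration.

```javascript
// Added example, not VibeGuard's rule: a line-based heuristic for queries
// built from runtime values rather than passed as parameters.

// Query-call names are an assumption for this example; a real rule keys on
// the driver APIs actually in use.
const QUERY_CALL = /\.(?:query|execute|raw)\s*\(/;

// Signs that the SQL text is assembled from runtime values:
//  - "..." + something   (string concatenation)
//  - `... ${something}`  (template interpolation)
const CONCAT = /["'][^"']*["']\s*\+\s*[A-Za-z_$]/;
const TEMPLATE = /`[^`]*\$\{[^}]+\}[^`]*`/;

// Returns findings as {line, rule, text} for each suspicious query call.
function findSqlConcatenation(source) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    if (!QUERY_CALL.test(text)) return;
    if (CONCAT.test(text) || TEMPLATE.test(text)) {
      findings.push({ line: idx + 1, rule: "sql:string-built-query", text: text.trim() });
    }
  });
  return findings;
}

// Constructed sample: two string-built queries and one parameterised query
// (placeholder plus a separate values array), which is the safe form.
const SAMPLE_SOURCE = [
  'const a = db.query("SELECT * FROM users WHERE id = " + req.params.id);',
  "const b = db.query(`DELETE FROM sessions WHERE user = '${user}'`);",
  'const c = db.query("SELECT * FROM users WHERE id = $1", [req.params.id]);',
].join("\n");

console.log(findSqlConcatenation(SAMPLE_SOURCE));
```

Lines 1 and 2 are reported; line 3 is the shape to rewrite them into, where the driver sends the values separately from the statement text. A regex heuristic like this misses queries assembled across several lines, so treat it as a first pass rather than proof of absence.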
Missing Login Walls
Did the AI create an administrative endpoint (like /api/admin) but forget to wrap it in an authentication middleware check?
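The difference between the two registrations, shown with a tiny Express-style middleware runner written for this page (an added example, not VibeGuard's code and not Express itself). The route table, the `requireAuth` middleware and the assumption that an earlier session layer sets `req.user` are all constructed for the demonstration; the static check at the end is the spirit of the rule, not its implementation.

```javascript
// Added example, not VibeGuard's code: an admin endpoint registered with and
// without an authentication middleware, run through a minimal handler chain.

// Minimal middleware runner: handlers run in order; one that does not call
// next() ends the chain, as in Express.
function runRoute(handlers, req) {
  const res = { status: 200, body: null };
  let i = 0;
  const next = () => {
    const handler = handlers[i++];
    if (handler) handler(req, res, next);
  };
  next();
  return res;
}

// Authentication middleware. Session validation is out of scope here; this
// example assumes an earlier layer sets req.user for authenticated requests.
function requireAuth(req, res, next) {
  if (!req.user) {
    res.status = 401;
    res.body = "unauthorized";
    return;
  }
  next();
}

function adminHandler(req, res) {
  res.body = `hello, ${req.user ? req.user.name : "anonymous"}`;
}

// The shape the rule is looking for: the admin route has no auth in front.
const unprotected = { path: "/api/admin", handlers: [adminHandler] };
// The corrected registration: auth runs before the handler.
const protectedRoute = { path: "/api/admin", handlers: [requireAuth, adminHandler] };

// Static check in the spirit of the rule: admin routes whose handler chain
// does not include the auth middleware.
function findUnprotectedAdminRoutes(routes) {
  return routes
    .filter((r) => r.path.startsWith("/api/admin") && !r.handlers.includes(requireAuth))
    .map((r) => r.path);
}

// Constructed requests: an anonymous caller and an authenticated one.
const anonymous = {};
const alice = { user: { name: "alice" } };

console.log(runRoute(unprotected.handlers, anonymous));   // 200 for anyone
console.log(runRoute(protectedRoute.handlers, anonymous)); // 401
console.log(findUnprotectedAdminRoutes([unprotected, protectedRoute]));
```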
XSS & Path Traversal
Did the AI write unsanitized dynamic scripts or unsafe local file handlers using user input?
Command Injection & SSRF
Did the AI pass raw user input into OS commands (exec, spawn) or internal network requests (fetch)?
AI Hallucinations
Did the AI import a package that doesn't actually exist on NPM? Hackers love to claim these hallucinated package names and inject malware.
Inline Ignore Comments
Sometimes VibeGuard flags a false positive, or you have a legitimate reason to break a rule. You can bypass a rule by dropping an ignore comment above the line:
// vibeguard-disable-next-line secrets:aws-access-key
const KEY = "AKIAIOSFODNN7EXAMPLE";
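How a scanner can honour that directive, as an added example written for this page and not VibeGuard's implementation: findings are `{line, rule}` records, and a directive on line N suppresses findings for the named rule on line N+1. Treating a directive with no rule name as suppressing every rule on the next line is an assumption of this example, not documented behaviour. The sample source and findings are constructed.

```javascript
// Added example, not VibeGuard's code: apply "disable-next-line" directives
// to a list of findings and report what was kept and what was suppressed.

// Matches the documented comment form; the rule name is optional here.
const DIRECTIVE_RE = /\/\/\s*vibeguard-disable-next-line(?:\s+([\w:-]+))?\s*$/;

// Map of line number -> rule name ("*" for all rules, an assumption of this
// example) for every directive comment in the source.
function collectDirectives(source) {
  const directives = new Map();
  source.split("\n").forEach((text, idx) => {
    const m = DIRECTIVE_RE.exec(text);
    if (m) directives.set(idx + 1, m[1] || "*");
  });
  return directives;
}

// Splits findings by whether a directive on the preceding line names their
// rule. Suppressed findings are returned too, so a report can still list
// them: an ignore comment is a decision worth being able to audit later.
function applyDirectives(source, findings) {
  const directives = collectDirectives(source);
  const kept = [];
  const suppressed = [];
  for (const f of findings) {
    const rule = directives.get(f.line - 1);
    if (rule === "*" || rule === f.rule) suppressed.push(f);
    else kept.push(f);
  }
  return { kept, suppressed };
}

// Constructed sample: the documented directive above the placeholder key,
// the same key without a directive, and a directive naming the wrong rule.
const SAMPLE_SOURCE = [
  "// vibeguard-disable-next-line secrets:aws-access-key",
  'const KEY = "AKIAIOSFODNN7EXAMPLE";',
  "",
  'const OTHER = "AKIAIOSFODNN7EXAMPLE";',
  "// vibeguard-disable-next-line sql:string-built-query",
  'const THIRD = "AKIAIOSFODNN7EXAMPLE";',
].join("\n");

const SAMPLE_FINDINGS = [
  { line: 2, rule: "secrets:aws-access-key" },
  { line: 4, rule: "secrets:aws-access-key" },
  { line: 6, rule: "secrets:aws-access-key" },
];

console.log(applyDirectives(SAMPLE_SOURCE, SAMPLE_FINDINGS));
```

Only the finding on line 2 is suppressed: line 4 has no directive, and the directive above line 6 names a different rule, so naming the rule in the comment keeps the suppression narrow rather than silencing everything that might later be flagged on that line.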