Thanks for your interest in improving security for AI coding agents.
## Getting started

```sh
git clone https://github.com/kobzevvv/vibe-sec.git
cd vibe-sec
npm install

# Run scanner (static checks only)
npm run scan-logs:static

# Run report server
npm run report

# Install hook guard locally
npm run install-hooks

# Run dirty machine tests
./test/dirty-machine/setup-macos.sh
npm run scan-logs:static
./test/dirty-machine/teardown.sh
```

## Pull request guidelines

- One concern per PR — don't mix features with bug fixes
- Test your changes — run `npm run scan-logs:static` before submitting
- Security-critical changes — if your PR affects `hook.mjs` or detection patterns, explain the security implications
- No secrets — never commit real credentials, even in tests. Use obviously fake values with `TESTFIXTURE` markers

## Code style

- ES modules (`import`/`export`)
- Minimal dependencies (prefer Node.js built-ins)
- Functions should be under 100 lines where possible
- Comments for non-obvious security logic

## Where help is wanted

- Windows support — see issue #8
- New detection patterns — if you find a secret format we don't catch
- False positive reports — if a legitimate command gets blocked
- Documentation — improving examples and guides
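Contributions in the last two categories usually arrive as a pattern plus a test fixture, so the example below shows how the "no secrets" and "comment non-obvious security logic" rules look together. It is an added illustration, not code from vibe-sec: the `exk_` token format, the `PATTERNS`/`FIXTURES` names and the `findSecrets`/`fixturesAreSafe` helpers are all hypothetical, and the fixture value is constructed here with a `TESTFIXTURE` marker so it can never be mistaken for a real credential. In the project's ES-module style these functions would be `export`ed; that keyword is omitted so the snippet also runs as a plain script.

```javascript
// Added example (hypothetical, not vibe-sec's own code): one detection
// pattern, a fixture that follows the "no secrets" rule, and a guard that
// fails if a fixture ever looks like a real credential.

const PATTERNS = [
  {
    name: 'example-api-token',
    // Hypothetical format: "exk_" followed by exactly 32 base62 characters.
    // Word boundaries on both sides stop prose such as "exk_ok" or a longer
    // identifier that merely contains the prefix from being flagged, which
    // is the usual source of false-positive reports for patterns like this.
    regex: /\bexk_[A-Za-z0-9]{32}\b/g,
  },
];

// Constructed fixture values. The fake token carries the TESTFIXTURE marker
// and is padded with zeros, so it is obviously not a live credential.
const FIXTURES = {
  fakeToken: 'exk_' + 'TESTFIXTURE'.padEnd(32, '0'),
  safeCommand: 'npm run scan-logs:static',
};

// Mask everything but a short prefix so reports never echo a full secret.
function redact(value) {
  return value.slice(0, 6) + '*'.repeat(Math.max(0, value.length - 6));
}

// Scan a chunk of text (an agent log line, a shell command) and return one
// hit per match, with the matched value already redacted.
function findSecrets(text) {
  const hits = [];
  for (const pattern of PATTERNS) {
    for (const match of text.matchAll(pattern.regex)) {
      hits.push({ pattern: pattern.name, index: match.index, preview: redact(match[0]) });
    }
  }
  return hits;
}

// A fixture is acceptable only if it is clearly marked as fake.
function isFixture(value) {
  return value.includes('TESTFIXTURE');
}

// Guard for the test suite: any fixture that trips a detection pattern must
// carry the marker, otherwise someone has pasted a real-looking secret.
function fixturesAreSafe(fixtures) {
  return Object.values(fixtures).every(
    (value) => findSecrets(value).length === 0 || isFixture(value),
  );
}

// Self-check a contributor can run locally; returns true when the pattern
// catches the fixture, ignores a normal command, and the fixtures are safe.
function selfCheck() {
  const hits = findSecrets('echo ' + FIXTURES.fakeToken);
  return (
    hits.length === 1 &&
    hits[0].pattern === 'example-api-token' &&
    findSecrets(FIXTURES.safeCommand).length === 0 &&
    fixturesAreSafe(FIXTURES)
  );
}

console.log(selfCheck() ? 'pattern self-check passed' : 'pattern self-check FAILED');
```

A PR adding a real pattern would pair it with a fixture built the same way and a negative case (a legitimate command that must not match), so reviewers can see both the detection and the false-positive behaviour.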

## Reporting vulnerabilities

If you find a security vulnerability, do NOT open a public issue. See `SECURITY.md`.