vibe-secure 1.0.0

package/CHECKLIST.md

@@ -0,0 +1,12 @@
+# Top 10 Dangerous Things to Check For
+
+1.  **API keys in code** (like `const key = "sk_live_123"`)
+2.  **Passwords hardcoded**
+3.  **Database URLs exposed**
+4.  **Unsafe API endpoints** (no authentication)
+5.  **Missing input validation**
+6.  **SQL injection risks**
+7.  **Suspicious npm packages**
+8.  **Missing error handling**
+9.  **Exposed environment variables**
+10. **Insecure file uploads**

package/README.md

@@ -0,0 +1,80 @@
+Vibe Secure
+===========
+
+> The security scanner for AI-generated applications.
+
+Vibe Secure is a lightweight, CLI-based security scanner designed for the "vibe coding" era. It catches common mistakes that AI coding assistants (like ChatGPT, Claude, or Cursor) might accidentally leave behind in your React, Node.js, and Next.js applications.
+
+![License](https://img.shields.io/badge/license-MIT-blue.svg)
+
+Features
+--------
+
+- Zero Config: Just run it. No complex setup files.
+- Security Checks: Scans for common errors:
+    - Hardcoded Secrets: API keys (Stripe, AWS, OpenAI, etc.).
+    - Exposed Databases: Postgres, MongoDB, Redis connection strings.
+    - Unsafe Endpoints: Risky API routes (POST/DELETE) lacking authentication middleware.
+    - SQL Injection: Detects unsafe string concatenation in SQL queries.
+    - XSS Vulnerabilities: Detects dangerous React patterns.
+- Clean Output: Readable CLI reports with clickable file links.
+
+How it Works
+------------
+
+Vibe Secure is a static analysis tool, not an AI model.
+
+1.  Fast and Privacy-First: It runs entirely on your machine. No code leaves your computer.
+2.  Pattern Matching: It uses Regular Expressions (Regex) and heuristic rules to find patterns that look dangerous.
+3.  Deterministic: Unlike AI models which can hallucinate, this tool uses rigid pattern matching to identify specific security violations.
+
+Usage
+-----
+
+You can run Vibe Secure directly in your project using npx:
+
+```bash
+npx vibe-secure
+```
+
+Or install it globally:
+
+```bash
+npm install -g vibe-secure
+vibe-secure
+```
+
+Run on a specific folder:
+
+```bash
+vibe-secure ./src/api
+```
+
+What it Checks
+--------------
+
+| Check Type | Description |
+| :--- | :--- |
+| Secrets | Scans for sk_live_, AWS_ACCESS_KEY, and other credential patterns. |
+| Databases | Detects hardcoded connection strings like postgres:// or mongodb+srv://. |
+| Auth | Flags API routes like app.delete('/user/:id') that appear to have no middleware. |
+| SQL Injection | Flags SELECT statements using string concatenation or template literals. |
+| XSS | Flags dangerouslySetInnerHTML, javascript: links, and eval(). |
+
+Development
+-----------
+
+1.  Clone the repo
+2.  Install dependencies:
+    ```bash
+    npm install
+    ```
+3.  Run the scanner on itself:
+    ```bash
+    node index.js
+    ```
+
+License
+-------
+
+MIT.

package/index.js

@@ -0,0 +1,88 @@
+#!/usr/bin/env node
+
+const { Command } = require('commander');
+const chalk = require('chalk');
+const figlet = require('figlet');
+const { scanFolder } = require('./src/scanner');
+const { checkForSecrets } = require('./src/checks/secrets');
+const { checkForDatabaseUrls } = require('./src/checks/dbCheck');
+const { checkForUnsafeEndpoints } = require('./src/checks/endpointCheck');
+const { checkForSqlInjection } = require('./src/checks/sqlInjection.js');
+const { checkForDangerousReact } = require('./src/checks/unsafeReact.js');
+const fs = require('fs').promises;
+const path = require('path');
+
+const program = new Command();
+
+console.log(chalk.cyan(figlet.textSync('Vibe Secure', { horizontalLayout: 'full' })));
+
+program
+  .version('1.0.0')
+  .description('Security scanner for vibe-coded AI applications')
+  .argument('[directory]', 'Directory to scan', '.')
+  .action(async (directory) => {
+    const targetDir = path.resolve(directory);
+    console.log(chalk.blue(`\n🔍 Scanning directory: ${targetDir}\n`));
+
+    try {
+      const files = await scanFolder(targetDir);
+      
+      if (files.length === 0) {
+        console.log(chalk.yellow('⚠️  No relevant implementation files found (.js, .jsx, .ts, .tsx).'));
+        return;
+      }
+
+      console.log(chalk.gray(`Found ${files.length} files to check...`));
+      
+      let allIssues = [];
+
+      for (const file of files) {
+        // Skip scanning the checker files themselves to avoid false positives during dev
+        if (file.includes('src/checks/')) continue;
+
+        const content = await fs.readFile(file, 'utf8');
+        const relativePath = path.relative(process.cwd(), file);
+        
+        const issues = [
+          ...checkForSecrets(content, relativePath),
+          ...checkForDatabaseUrls(content, relativePath),
+          ...checkForUnsafeEndpoints(content, relativePath),
+          ...checkForSqlInjection(content, relativePath),
+          ...checkForDangerousReact(content, relativePath)
+        ];
+        
+        allIssues = [...allIssues, ...issues];
+      }
+
+      console.log(chalk.gray('────────────────────────────────────────'));
+
+      if (allIssues.length > 0) {
+        console.log(chalk.red(`\n❌ Scan failed! Found ${allIssues.length} issues:\n`));
+        
+        allIssues.forEach(issue => {
+          const color = issue.type === 'Critical' ? chalk.red.bold : chalk.yellow.bold;
+          
+          // Standard terminal format: /absolute/path/to/file:line:col
+          // VS Code and other terminals auto-link this pattern to open the file at the line
+          const absolutePath = path.resolve(process.cwd(), issue.file);
+          
+          console.log(`${color(`[${issue.type}]`)} ${chalk.underline(`${absolutePath}:${issue.line}:1`)}`);
+          console.log(`  ${chalk.yellow(issue.message)}`);
+          console.log(`  ${chalk.gray('>')} ${chalk.cyan(issue.code.substring(0, 60))}${issue.code.length > 60 ? '...' : ''}\n`);
+        });
+        
+        console.log(chalk.red(`\n💥 Fix these ${allIssues.length} issues before shipping!`));
+        process.exit(1);
+      } else {
+        console.log(chalk.green('\n✨ Vibes are pristine! No obvious security issues found.'));
+        console.log(chalk.green('🚀 Ready to ship!'));
+      }
+      
+    } catch (error) {
+      console.error(chalk.red('\n❌ Error scanning folder:'), error.message);
+      process.exit(1);
+    }
+  });
+
+program.parse(process.argv);
+

package/package.json

@@ -0,0 +1,27 @@
+{
+  "name": "vibe-secure",
+  "version": "1.0.0",
+  "description": "The security scanner for AI-generated applications code",
+  "bin": {
+    "vibe-secure": "index.js"
+  },
+  "main": "index.js",
+  "scripts": {
+    "test": "node index.js"
+  },
+  "keywords": [
+    "security",
+    "scanner",
+    "ai",
+    "vibe-coding",
+    "cli"
+  ],
+  "author": "Vibe Secure Team",
+  "license": "MIT",
+  "type": "commonjs",
+  "dependencies": {
+    "chalk": "^4.1.2",
+    "commander": "^14.0.2",
+    "figlet": "^1.10.0"
+  }
+}

package/src/checks/dbCheck.js

@@ -0,0 +1,30 @@
+/**
+ * Checks for exposed database URLs
+ * @param {string} content - File content
+ * @param {string} filePath - Path to file
+ * @returns {Array} - Array of issues found
+ */
+function checkForDatabaseUrls(content, filePath) {
+  const issues = [];
+  const lines = content.split('\n');
+
+  // postgres://user:password@localhost:5432/mydb
+  // mongodb+srv://user:password@cluster.mongodb.net
+  const dbPattern = /((postgres|mysql|mongodb|redis)(\+[a-z]+)?):\/\/[a-zA-Z0-9_]+:[^@]+@/i;
+
+  lines.forEach((line, index) => {
+    if (dbPattern.test(line) && !line.includes('process.env')) {
+      issues.push({
+        file: filePath,
+        line: index + 1,
+        type: 'Critical',
+        message: 'Exposed Database Connection String',
+        code: line.trim()
+      });
+    }
+  });
+
+  return issues;
+}
+
+module.exports = { checkForDatabaseUrls };

package/src/checks/endpointCheck.js

@@ -0,0 +1,41 @@
+/**
+ * Checks for potentially unsafe API endpoints (no auth)
+ * @param {string} content - File content
+ * @param {string} filePath - Path to file
+ * @returns {Array} - Array of issues found
+ */
+function checkForUnsafeEndpoints(content, filePath) {
+  const issues = [];
+  const lines = content.split('\n');
+
+  // Look for Express/Next.js route definitions
+  // app.get('/api/users', (req, res) => ...)
+  // export default function handler(req, res) ...
+  
+  // This is a naive check: looks for route definitions that DON'T look like they use middleware
+  // Or simply flagging all routes for manual review (which might be too noisy)
+  
+  // Better approach for "vibe coded" apps: Look for 'delete' or 'update' routes without some 'auth' keyword nearby
+  
+  lines.forEach((line, index) => {
+    // Check for dangerous operations
+    if ((line.includes('app.delete') || line.includes('app.post') || line.includes('app.put')) && 
+        !line.includes('auth') && 
+        !line.includes('middleware') &&
+        !line.includes('verify')) {
+      
+      // Look ahead a few lines for auth checks? (Start simple)
+       issues.push({
+        file: filePath,
+        line: index + 1,
+        type: 'Warning',
+        message: 'Potential Unsafe Endpoint (Mutation without Auth)',
+        code: line.trim()
+      });
+    }
+  });
+
+  return issues;
+}
+
+module.exports = { checkForUnsafeEndpoints };

package/src/checks/secrets.js

@@ -0,0 +1,39 @@
+/**
+ * Checks for common hardcoded secrets and patterns
+ * @param {string} content - File content
+ * @param {string} filePath - Path to file
+ * @returns {Array} - Array of issues found
+ */
+function checkForSecrets(content, filePath) {
+  const issues = [];
+  const lines = content.split('\n');
+
+  const patterns = [
+    { name: 'Stripe Secret Key', regex: /sk_live_[a-zA-Z0-9]{24}/ },
+    { name: 'Generic API Key', regex: /api[_-]?key\s*[:=]\s*['"][a-zA-Z0-9_\-]{20,}['"]/i },
+    { name: 'Hardcoded Password', regex: /password\s*[:=]\s*['"][^'"]{6,}['"]/i },
+    { name: 'AWS Access Key', regex: /AKI[A-Z0-9]{17}/ },
+    { name: 'Private Key Block', regex: /-----BEGIN PRIVATE KEY-----/ }
+  ];
+
+  lines.forEach((line, index) => {
+    // Basic check for very long strings that look like keys (entropy check heuristic simplified)
+    // Only check lines that look like assignments
+    
+    for (const pattern of patterns) {
+      if (pattern.regex.test(line)) {
+        issues.push({
+          file: filePath,
+          line: index + 1,
+          type: 'Critical',
+          message: `Possible ${pattern.name} found`,
+          code: line.trim()
+        });
+      }
+    }
+  });
+
+  return issues;
+}
+
+module.exports = { checkForSecrets };

package/src/checks/sqlInjection.js

@@ -0,0 +1,48 @@
+/**
+ * Checks for potential SQL injection vulnerabilities
+ * @param {string} content - File content
+ * @param {string} filePath - Path to file
+ * @returns {Array} - Array of issues found
+ */
+function checkForSqlInjection(content, filePath) {
+  const issues = [];
+  const lines = content.split('\n');
+
+  // Regex to look for:
+  // 1. Strings starting with SELECT/INSERT/UPDATE/DELETE (case insensitive)
+  // 2. That contain variable interpolation ${...} or string concatenation ' + '
+  
+  // Heuristic:
+  // const query = `SELECT * FROM users WHERE id = ${id}`;  <-- BAD
+  // db.query('SELECT * FROM users WHERE id = ' + id);      <-- BAD
+  
+  lines.forEach((line, index) => {
+    // Check for template literal interpolation in SQL strings
+    if (/\`\s*(SELECT|INSERT|UPDATE|DELETE|DROP|ALTER)\s+.*?\$\{.*?\}/i.test(line)) {
+      issues.push({
+        file: filePath,
+        line: index + 1,
+        type: 'Critical',
+        message: 'Potential SQL Injection (Template Literal)',
+        code: line.trim()
+      });
+    }
+
+    // Check for string concatenation in SQL strings (simple check)
+    // Matches: 'SELECT ... ' + variable
+    if (/['"]\s*(SELECT|INSERT|UPDATE|DELETE|DROP|ALTER)\s+.*?['"]\s*\+/i.test(line) || 
+        /\+\s*['"]\s*(SELECT|INSERT|UPDATE|DELETE|DROP|ALTER)\s+.*?['"]/i.test(line)) {
+      issues.push({
+        file: filePath,
+        line: index + 1,
+        type: 'Critical',
+        message: 'Potential SQL Injection (String Concatenation)',
+        code: line.trim()
+      });
+    }
+  });
+
+  return issues;
+}
+
+module.exports = { checkForSqlInjection };

package/src/checks/unsafeReact.js

@@ -0,0 +1,49 @@
+/**
+ * Checks for dangerous React patterns (XSS risks)
+ * @param {string} content - File content
+ * @param {string} filePath - Path to file
+ * @returns {Array} - Array of issues found
+ */
+function checkForDangerousReact(content, filePath) {
+  const issues = [];
+  const lines = content.split('\n');
+
+  lines.forEach((line, index) => {
+    // 1. dangerouslySetInnerHTML
+    if (line.includes('dangerouslySetInnerHTML')) {
+       issues.push({
+        file: filePath,
+        line: index + 1,
+        type: 'Warning',
+        message: 'Dangerous React Pattern (XSS Risk)',
+        code: line.trim()
+      });
+    }
+
+    // 2. javascript: URIs in href or src
+    if (/['"]javascript:/i.test(line)) {
+      issues.push({
+        file: filePath,
+        line: index + 1,
+        type: 'Critical',
+        message: 'Inline JavaScript URI (XSS Risk)',
+        code: line.trim()
+      });
+    }
+    
+    // 3. eval()
+    if (/\beval\s*\(/.test(line)) {
+      issues.push({
+        file: filePath,
+        line: index + 1,
+        type: 'Critical',
+        message: 'Use of eval() detected',
+        code: line.trim()
+      });
+    }
+  });
+
+  return issues;
+}
+
+module.exports = { checkForDangerousReact };

package/src/scanner.js

@@ -0,0 +1,26 @@
+const fs = require('fs').promises;
+const path = require('path');
+
+async function scanFolder(dir, fileList = []) {
+  const files = await fs.readdir(dir);
+
+  for (const file of files) {
+    const filePath = path.join(dir, file);
+    const stat = await fs.stat(filePath);
+
+    if (stat.isDirectory()) {
+      if (file !== 'node_modules' && file !== '.git') {
+        await scanFolder(filePath, fileList);
+      }
+    } else {
+      const ext = path.extname(file).toLowerCase();
+      if (['.js', '.jsx', '.ts', '.tsx'].includes(ext)) {
+        fileList.push(filePath);
+      }
+    }
+  }
+
+  return fileList;
+}
+
+module.exports = { scanFolder };