vibesec 0.1.0__py3-none-any.whl

vibesec/__init__.py

@@ -0,0 +1,2 @@
+__version__ = "0.1.0"
+__author__ = "Ayush Khati"

vibesec/cli.py

@@ -0,0 +1,37 @@
+import click
+from vibesec.scanner import Scanner
+from vibesec.reporter import Reporter
+
+@click.group()
+@click.version_option(version="0.1.0")
+def cli():
+    """VibeSec — Security scanner for AI-generated code."""
+    pass
+
+@cli.command()
+@click.argument("path")
+@click.option("--fix", is_flag=True, help="Generate fix suggestions using Groq AI")
+@click.option("--output", type=click.Choice(["terminal", "json"]), default="terminal")
+@click.option("--severity", type=click.Choice(["critical", "high", "medium", "low"]), default=None)
+def scan(path, fix, output, severity):
+    """Scan a directory or file for security vulnerabilities."""
+    
+    reporter = Reporter()
+    reporter.print_banner()
+    
+    scanner = Scanner(path)
+    findings = scanner.run()
+    
+    if severity:
+        findings = [f for f in findings if f["severity"].lower() == severity]
+    
+    if output == "json":
+        reporter.print_json(findings)
+    else:
+        reporter.print_report(findings, path, fix)
+
+def main():
+    cli()
+
+if __name__ == "__main__":
+    main()

vibesec/fixgen.py

@@ -0,0 +1,40 @@
+import os
+from groq import Groq
+from dotenv import load_dotenv
+
+load_dotenv()
+
+
+def generate_fix(finding: dict) -> str:
+    """Generate an AI-powered fix suggestion for a security finding."""
+    
+    api_key = os.environ.get("GROQ_API_KEY")
+    if not api_key:
+        return "Set GROQ_API_KEY environment variable to enable AI fix suggestions."
+
+    try:
+        client = Groq(api_key=api_key)
+
+        prompt = f"""You are a security expert. A vulnerability was found in code.
+
+Rule: {finding['rule']}
+Severity: {finding['severity']}
+File: {finding['file']}
+Issue: {finding['message']}
+Code: {finding.get('code_snippet', 'N/A')}
+
+Give a specific, concise fix in 2-3 sentences maximum.
+Show a corrected code example if possible.
+Be direct — no preamble, no "I recommend", just the fix."""
+
+        response = client.chat.completions.create(
+            model="llama-3.1-8b-instant",
+            messages=[{"role": "user", "content": prompt}],
+            max_tokens=150,
+            temperature=0.1,
+        )
+
+        return response.choices[0].message.content.strip()
+
+    except Exception as e:
+        return f"Could not generate fix: {str(e)}"

vibesec/reporter.py

@@ -0,0 +1,102 @@
+import json
+from rich.console import Console
+from rich.table import Table
+from rich.panel import Panel
+from rich.text import Text
+from rich import box
+
+console = Console()
+
+SEVERITY_COLORS = {
+    "CRITICAL": "bold red",
+    "HIGH": "bold yellow",
+    "MEDIUM": "bold orange3",
+    "LOW": "bold green",
+}
+
+SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
+
+
+class Reporter:
+
+    def print_banner(self):
+        console.print()
+        console.print(Panel(
+            "[bold cyan]VibeSec v0.1.0[/bold cyan] — [dim]AI-Generated Code Security Scanner[/dim]",
+            border_style="cyan",
+            expand=False
+        ))
+        console.print()
+
+    def print_report(self, findings, path, fix=False):
+        if not findings:
+            console.print(Panel(
+                "[bold green]✓ No vulnerabilities found![/bold green]\n"
+                "[dim]VibeSec checked 10 vulnerability patterns.[/dim]",
+                border_style="green"
+            ))
+            return
+
+        # Sort by severity
+        findings.sort(key=lambda x: SEVERITY_ORDER.get(x["severity"], 99))
+
+        # Summary
+        counts = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "LOW": 0}
+        for f in findings:
+            counts[f["severity"]] = counts.get(f["severity"], 0) + 1
+
+        summary = Table(box=box.SIMPLE, show_header=False, padding=(0, 2))
+        summary.add_column(style="bold")
+        summary.add_column()
+
+        for severity, count in counts.items():
+            if count > 0:
+                color = SEVERITY_COLORS[severity]
+                summary.add_row(
+                    f"[{color}]● {severity}[/{color}]",
+                    f"[{color}]{count} finding{'s' if count > 1 else ''}[/{color}]"
+                )
+
+        console.print(Panel(summary, title="[bold]FINDINGS SUMMARY[/bold]",
+                           border_style="dim"))
+
+        # Generate AI fixes if requested
+        if fix:
+            from vibesec.fixgen import generate_fix
+            console.print("\n  [cyan]Generating AI fix suggestions...[/cyan]\n")
+            for finding in findings:
+                finding["groq_fix"] = generate_fix(finding)
+
+        # Individual findings
+        for i, finding in enumerate(findings, 1):
+            severity = finding["severity"]
+            color = SEVERITY_COLORS[severity]
+
+            console.print()
+            console.print(f"  [{color}]{severity}[/{color}] — "
+                         f"[bold white]{finding['rule']}[/bold white]")
+            console.print(f"  [dim]File: {finding['file']}  "
+                         f"Line: {finding.get('line', 'N/A')}[/dim]")
+            console.print(f"  [red]Found:[/red] {finding['message']}")
+            console.print(f"  [green]Fix:[/green]   {finding['fix_hint']}")
+
+            if fix and finding.get("groq_fix"):
+                console.print(
+                    f"  [cyan]AI Fix:[/cyan] {finding['groq_fix']}"
+                )
+
+        # Footer
+        console.print()
+        console.print(
+            f"  [dim]{len(findings)} finding{'s' if len(findings) > 1 else ''} "
+            f"in {path}[/dim]"
+        )
+        if not fix:
+            console.print(
+                "  [dim]Run with [/dim][cyan]--fix[/cyan]"
+                "[dim] for AI-powered remediation suggestions[/dim]"
+            )
+        console.print()
+
+    def print_json(self, findings):
+        console.print(json.dumps(findings, indent=2))

vibesec/rules/__init__.py

@@ -0,0 +1,23 @@
+from vibesec.rules.secrets import check_secrets
+from vibesec.rules.rls import check_rls
+from vibesec.rules.auth_routes import check_auth_routes
+from vibesec.rules.packages import check_packages
+from vibesec.rules.sourcemaps import check_sourcemaps
+from vibesec.rules.jwt import check_jwt
+from vibesec.rules.xss import check_xss
+from vibesec.rules.roles import check_roles
+from vibesec.rules.webhooks import check_webhooks
+from vibesec.rules.cors import check_cors
+
+ALL_RULES = [
+	check_secrets,
+	check_rls,
+	check_auth_routes,
+	check_packages,
+	check_sourcemaps,
+	check_jwt,
+	check_xss,
+	check_roles,
+	check_webhooks,
+	check_cors,
+]

vibesec/rules/auth_routes.py

@@ -0,0 +1,67 @@
+import re
+
+RULE_NAME = "Missing Route Authentication"
+SEVERITY = "HIGH"
+
+# Routes that look like admin or sensitive endpoints
+SENSITIVE_ROUTE_PATTERNS = [
+    r'@app\.route\s*\(\s*["\'][^"\']*admin[^"\']*["\']',
+    r'@app\.route\s*\(\s*["\'][^"\']*delete[^"\']*["\']',
+    r'@app\.route\s*\(\s*["\'][^"\']*\/api\/user[^"\']*["\']',
+    r'router\.(post|put|delete|patch)\s*\(\s*["\'][^"\']*admin[^"\']*["\']',
+    r'app\.(post|put|delete|patch)\s*\(\s*["\'][^"\']*admin[^"\']*["\']',
+]
+
+# Auth decorators/middleware that make a route safe
+AUTH_INDICATORS = [
+    "login_required",
+    "jwt_required",
+    "auth_required",
+    "verify_token",
+    "authenticate",
+    "authorization",
+    "requireAuth",
+    "withAuth",
+    "middleware",
+    "session",
+    "getServerSession",
+    "currentUser",
+    "verifyJWT",
+]
+
+
+def check_auth_routes(file_path, content):
+    findings = []
+
+    ext = file_path.split(".")[-1].lower()
+    if ext not in {"py", "js", "ts", "jsx", "tsx"}:
+        return findings
+
+    lines = content.splitlines()
+
+    for line_num, line in enumerate(lines, 1):
+        for pattern in SENSITIVE_ROUTE_PATTERNS:
+            if re.search(pattern, line, re.IGNORECASE):
+                # Check surrounding lines (5 above, 10 below) for auth indicators
+                start = max(0, line_num - 5)
+                end = min(len(lines), line_num + 10)
+                surrounding = "\n".join(lines[start:end]).lower()
+
+                has_auth = any(
+                    indicator.lower() in surrounding
+                    for indicator in AUTH_INDICATORS
+                )
+
+                if not has_auth:
+                    findings.append({
+                        "rule": RULE_NAME,
+                        "severity": SEVERITY,
+                        "file": file_path,
+                        "line": line_num,
+                        "message": "Sensitive route defined without visible auth middleware",
+                        "fix_hint": "Add authentication decorator or middleware before this route handler.",
+                        "code_snippet": line.strip()[:80],
+                    })
+                break
+
+    return findings

vibesec/rules/cors.py

@@ -0,0 +1,74 @@
+import re
+
+RULE_NAME = "Permissive CORS Configuration"
+SEVERITY = "MEDIUM"
+
+PATTERNS = [
+    (r'origin\s*:\s*["\']?\*["\']?',
+     "CORS wildcard origin — any domain can make requests"),
+    (r'Access-Control-Allow-Origin.*\*',
+     "CORS wildcard in response header"),
+    (r'cors\(\s*\)',
+     "CORS enabled with no configuration — defaults to wildcard"),
+    (r'allowedOrigins\s*[:=]\s*\[?\s*["\']?\*',
+     "CORS allowed origins set to wildcard"),
+    (r'credentials.*true.*\*|\*.*credentials.*true',
+     "CORS wildcard with credentials — critical misconfiguration"),
+]
+
+SAFE_INDICATORS = [
+    "process.env",
+    "ALLOWED_ORIGINS",
+    "whitelist",
+    "allowlist",
+    "origins.includes",
+    "origin ===",
+]
+
+SKIP_FILES = {"README.md", "readme.md"}
+
+
+def check_cors(file_path, content):
+    findings = []
+
+    filename = file_path.split("/")[-1].split("\\")[-1]
+    if filename in SKIP_FILES:
+        return findings
+
+    ext = file_path.split(".")[-1].lower()
+    if ext not in {"py", "js", "ts", "jsx", "tsx"}:
+        return findings
+
+    if "cors" not in content.lower() and "origin" not in content.lower():
+        return findings
+
+    lines = content.splitlines()
+    for line_num, line in enumerate(lines, 1):
+        stripped = line.strip()
+        if stripped.startswith("//") or stripped.startswith("#"):
+            continue
+
+        for pattern, description in PATTERNS:
+            if re.search(pattern, line, re.IGNORECASE):
+                start = max(0, line_num - 5)
+                end = min(len(lines), line_num + 5)
+                surrounding = "\n".join(lines[start:end])
+
+                is_safe = any(
+                    indicator in surrounding
+                    for indicator in SAFE_INDICATORS
+                )
+
+                if not is_safe:
+                    findings.append({
+                        "rule": RULE_NAME,
+                        "severity": SEVERITY,
+                        "file": file_path,
+                        "line": line_num,
+                        "message": description,
+                        "fix_hint": "Specify exact allowed origins. Never use wildcard CORS with credentials enabled.",
+                        "code_snippet": line.strip()[:80],
+                    })
+                break
+
+    return findings

vibesec/rules/jwt.py

@@ -0,0 +1,52 @@
+import re
+
+RULE_NAME = "Unsafe JWT Handling"
+SEVERITY = "HIGH"
+
+PATTERNS = [
+    (r'jwt\.decode\s*\([^)]*algorithms\s*=\s*\[["\']none["\']\]',
+     "JWT accepts 'none' algorithm — critical auth bypass"),
+    (r'verify\s*=\s*False',
+     "JWT verification explicitly disabled"),
+    (r'localStorage\.setItem\s*\([^)]*token',
+     "JWT stored in localStorage — vulnerable to XSS theft"),
+    (r'sessionStorage\.setItem\s*\([^)]*token',
+     "JWT stored in sessionStorage — vulnerable to XSS theft"),
+    (r'algorithm.*none',
+     "JWT 'none' algorithm detected"),
+]
+
+SKIP_FILES = {"README.md", "readme.md"}
+
+
+def check_jwt(file_path, content):
+    findings = []
+
+    filename = file_path.split("/")[-1].split("\\")[-1]
+    if filename in SKIP_FILES:
+        return findings
+
+    ext = file_path.split(".")[-1].lower()
+    if ext not in {"py", "js", "ts", "jsx", "tsx"}:
+        return findings
+
+    lines = content.splitlines()
+    for line_num, line in enumerate(lines, 1):
+        stripped = line.strip()
+        if stripped.startswith("#") or stripped.startswith("//"):
+            continue
+
+        for pattern, description in PATTERNS:
+            if re.search(pattern, line, re.IGNORECASE):
+                findings.append({
+                    "rule": RULE_NAME,
+                    "severity": SEVERITY,
+                    "file": file_path,
+                    "line": line_num,
+                    "message": description,
+                    "fix_hint": "Always verify JWT signature. Use httpOnly cookies instead of localStorage.",
+                    "code_snippet": line.strip()[:80],
+                })
+                break
+
+    return findings

vibesec/rules/packages.py

@@ -0,0 +1,83 @@
+import json
+import re
+import requests
+
+RULE_NAME = "Hallucinated Package"
+SEVERITY = "HIGH"
+
+# Known hallucinated package names LLMs commonly generate
+KNOWN_HALLUCINATED = {
+    "react-auth-handler",
+    "supabase-helpers",
+    "express-middleware-auth",
+    "nextjs-utils",
+    "react-secure-storage",
+    "express-auth-jwt",
+    "node-security-utils",
+    "react-api-handler",
+    "next-auth-helpers",
+    "prisma-utils",
+}
+
+
+def check_npm_exists(package_name):
+    """Check if package exists on npm registry."""
+    try:
+        url = f"https://registry.npmjs.org/{package_name}"
+        response = requests.get(url, timeout=3)
+        return response.status_code == 200
+    except Exception:
+        return True  # If we can't check, assume it exists (avoid false positives)
+
+
+def check_packages(file_path, content):
+    findings = []
+
+    filename = file_path.split("/")[-1].split("\\")[-1]
+
+    if filename != "package.json":
+        return findings
+
+    try:
+        data = json.loads(content)
+    except json.JSONDecodeError:
+        return findings
+
+    all_deps = {}
+    all_deps.update(data.get("dependencies", {}))
+    all_deps.update(data.get("devDependencies", {}))
+
+    for package_name in all_deps:
+        # First check known hallucinated list (fast, no API call)
+        if package_name.lower() in KNOWN_HALLUCINATED:
+            findings.append({
+                "rule": RULE_NAME,
+                "severity": SEVERITY,
+                "file": file_path,
+                "line": "N/A",
+                "message": f"'{package_name}' is a known hallucinated package name",
+                "fix_hint": f"Remove '{package_name}' — this package does not exist. Find the correct package on npmjs.com.",
+                "code_snippet": package_name,
+            })
+            continue
+
+        # Check for suspicious patterns
+        suspicious = (
+            re.search(r'(helper|util|handler|wrapper)s?$', package_name, re.I)
+            and not package_name.startswith("@")
+            and len(package_name) > 15
+        )
+
+        if suspicious:
+            if not check_npm_exists(package_name):
+                findings.append({
+                    "rule": RULE_NAME,
+                    "severity": SEVERITY,
+                    "file": file_path,
+                    "line": "N/A",
+                    "message": f"'{package_name}' does not exist on npm registry",
+                    "fix_hint": "This package may be hallucinated by an AI tool. Verify on npmjs.com before using.",
+                    "code_snippet": package_name,
+                })
+
+    return findings

vibesec/rules/rls.py

@@ -0,0 +1,51 @@
+import re
+
+RULE_NAME = "Supabase RLS Disabled"
+SEVERITY = "CRITICAL"
+
+PATTERNS = [
+    (r'alter\s+table\s+\w+\s+disable\s+row\s+level\s+security',
+     "RLS explicitly disabled on table"),
+    (r'row\s+level\s+security.*disabled',
+     "Row level security disabled"),
+    (r'\.from\(["\'](\w+)["\']\)\s*\.select',
+     "Supabase query — verify RLS is enabled on this table"),
+]
+
+SKIP_FILES = {"README.md", "readme.md"}
+
+
+def check_rls(file_path, content):
+    findings = []
+
+    filename = file_path.split("/")[-1].split("\\")[-1]
+    if filename in SKIP_FILES:
+        return findings
+
+    ext = file_path.split(".")[-1].lower()
+
+    lines = content.splitlines()
+    for line_num, line in enumerate(lines, 1):
+        stripped = line.strip()
+        if stripped.startswith("--") or stripped.startswith("#"):
+            continue
+
+        for pattern, description in PATTERNS:
+            if re.search(pattern, line, re.IGNORECASE):
+                # For .select queries, only flag in non-SQL files
+                # SQL files legitimately define RLS
+                if "select" in pattern and ext == "sql":
+                    continue
+
+                findings.append({
+                    "rule": RULE_NAME,
+                    "severity": SEVERITY,
+                    "file": file_path,
+                    "line": line_num,
+                    "message": description,
+                    "fix_hint": "Enable RLS: ALTER TABLE table_name ENABLE ROW LEVEL SECURITY; then add policies.",
+                    "code_snippet": line.strip()[:80],
+                })
+                break
+
+    return findings

vibesec/rules/roles.py

@@ -0,0 +1,58 @@
+import re
+
+RULE_NAME = "Client-Side Role Trust"
+SEVERITY = "HIGH"
+
+PATTERNS = [
+    (r'localStorage\.getItem\s*\([^)]*role',
+     "Role read from localStorage — can be tampered by user"),
+    (r'localStorage\.getItem\s*\([^)]*admin',
+     "Admin flag read from localStorage — can be tampered by user"),
+    (r'localStorage\.getItem\s*\([^)]*permission',
+     "Permission read from localStorage — can be tampered by user"),
+    (r'if\s*\([^)]*localStorage[^)]*admin',
+     "Admin check using localStorage value — client-side trust"),
+    (r'params\.(role|admin|isAdmin|permission)\s*===',
+     "Role/permission check using URL params — can be manipulated"),
+    (r'searchParams\.(get|role|admin)',
+     "Role read from URL search params — easily manipulated"),
+    (r'isAdmin\s*=\s*.*localStorage',
+     "isAdmin derived from localStorage — insecure"),
+    (r'userRole\s*=\s*.*localStorage',
+     "userRole derived from localStorage — insecure"),
+]
+
+SKIP_FILES = {"README.md", "readme.md"}
+
+
+def check_roles(file_path, content):
+    findings = []
+
+    filename = file_path.split("/")[-1].split("\\")[-1]
+    if filename in SKIP_FILES:
+        return findings
+
+    ext = file_path.split(".")[-1].lower()
+    if ext not in {"js", "ts", "jsx", "tsx", "py"}:
+        return findings
+
+    lines = content.splitlines()
+    for line_num, line in enumerate(lines, 1):
+        stripped = line.strip()
+        if stripped.startswith("//") or stripped.startswith("#"):
+            continue
+
+        for pattern, description in PATTERNS:
+            if re.search(pattern, line, re.IGNORECASE):
+                findings.append({
+                    "rule": RULE_NAME,
+                    "severity": SEVERITY,
+                    "file": file_path,
+                    "line": line_num,
+                    "message": description,
+                    "fix_hint": "Always verify roles server-side. Never trust client-provided role values.",
+                    "code_snippet": line.strip()[:80],
+                })
+                break
+
+    return findings

vibesec/rules/secrets.py

@@ -0,0 +1,59 @@
+import re
+
+RULE_NAME = "Hardcoded Secret"
+SEVERITY = "CRITICAL"
+
+# Patterns that indicate hardcoded secrets
+PATTERNS = [
+    (r'api_key\s*=\s*["\'][a-zA-Z0-9_\-]{16,}["\']', "Hardcoded API key"),
+    (r'api_secret\s*=\s*["\'][a-zA-Z0-9_\-]{16,}["\']', "Hardcoded API secret"),
+    (r'password\s*=\s*["\'][^"\']{6,}["\']', "Hardcoded password"),
+    (r'secret_key\s*=\s*["\'][^"\']{8,}["\']', "Hardcoded secret key"),
+    (r'sk-[a-zA-Z0-9]{48}', "OpenAI API key"),
+    (r'ghp_[a-zA-Z0-9]{36}', "GitHub personal access token"),
+    (r'SUPABASE_SERVICE_KEY\s*=\s*["\'][^"\']+["\']', "Supabase service key exposed"),
+    (r'SUPABASE_SECRET\s*=\s*["\'][^"\']+["\']', "Supabase secret exposed"),
+    (r'stripe[_\s]secret\s*=\s*["\'][^"\']+["\']', "Stripe secret key"),
+    (r'sk_live_[a-zA-Z0-9]{24,}', "Stripe live secret key"),
+    (r'AUTH_SECRET\s*=\s*["\'][^"\']{8,}["\']', "Auth secret hardcoded"),
+    (r'DATABASE_URL\s*=\s*["\']postgresql://[^"\']+["\']', "Database URL with credentials"),
+]
+
+# Files to skip — these are expected to have these patterns
+SKIP_FILES = {
+    ".env.example", ".env.sample", ".env.template",
+    "README.md", "readme.md", ".gitignore"
+}
+
+
+def check_secrets(file_path, content):
+    findings = []
+
+    # Skip example/template files
+    filename = file_path.split("/")[-1].split("\\")[-1]
+    if filename in SKIP_FILES:
+        return findings
+
+    # Skip .env files that are in .gitignore — but still flag if exposed
+    lines = content.splitlines()
+
+    for line_num, line in enumerate(lines, 1):
+        # Skip comments
+        stripped = line.strip()
+        if stripped.startswith("#") or stripped.startswith("//"):
+            continue
+
+        for pattern, description in PATTERNS:
+            if re.search(pattern, line, re.IGNORECASE):
+                findings.append({
+                    "rule": RULE_NAME,
+                    "severity": SEVERITY,
+                    "file": file_path,
+                    "line": line_num,
+                    "message": f"{description} detected in source code",
+                    "fix_hint": "Move to environment variables. Never commit secrets to git.",
+                    "code_snippet": line.strip()[:80],
+                })
+                break  # One finding per line is enough
+
+    return findings

vibesec/rules/sourcemaps.py

@@ -0,0 +1,66 @@
+import re
+import os
+
+RULE_NAME = "Source Map Exposure"
+SEVERITY = "HIGH"
+
+PATTERNS = [
+    (r'["\']?sourceMap["\']?\s*[:=]\s*true', "Source maps enabled in build config"),
+    (r'GENERATE_SOURCEMAP\s*=\s*true', "Create React App source maps enabled"),
+    (r'devtool\s*:\s*["\']source-map["\']', "Webpack source-map devtool enabled"),
+    (r'\"source-map\"', "Source map configuration detected"),
+]
+
+
+def check_sourcemaps(file_path, content):
+    findings = []
+
+    filename = file_path.split("/")[-1].split("\\")[-1]
+    ext = file_path.split(".")[-1].lower()
+
+    # Check .map files committed to repo
+    if filename.endswith(".map"):
+        # Check if it's in a build/dist directory
+        if any(d in file_path for d in ["dist/", "build/", ".next/", "out/"]):
+            findings.append({
+                "rule": RULE_NAME,
+                "severity": SEVERITY,
+                "file": file_path,
+                "line": "N/A",
+                "message": "Source map file committed to repository — exposes full source code",
+                "fix_hint": "Add *.map to .gitignore. Set sourceMap: false in production builds.",
+                "code_snippet": filename,
+            })
+        return findings
+
+    # Check build config files
+    config_files = {
+        "webpack.config.js", "webpack.config.ts",
+        "next.config.js", "next.config.ts",
+        "vite.config.js", "vite.config.ts",
+        ".env", ".env.production", ".env.prod"
+    }
+
+    if filename not in config_files and ext not in {"json"}:
+        return findings
+
+    lines = content.splitlines()
+    for line_num, line in enumerate(lines, 1):
+        stripped = line.strip()
+        if stripped.startswith("//") or stripped.startswith("#"):
+            continue
+
+        for pattern, description in PATTERNS:
+            if re.search(pattern, line, re.IGNORECASE):
+                findings.append({
+                    "rule": RULE_NAME,
+                    "severity": SEVERITY,
+                    "file": file_path,
+                    "line": line_num,
+                    "message": description,
+                    "fix_hint": "Set sourceMap: false in production. Use hidden-source-map if debugging is needed.",
+                    "code_snippet": line.strip()[:80],
+                })
+                break
+
+    return findings

vibesec/rules/webhooks.py

@@ -0,0 +1,77 @@
+import re
+
+RULE_NAME = "Missing Webhook Verification"
+SEVERITY = "MEDIUM"
+
+PATTERNS = [
+    (r'stripe\.webhooks(?!.*constructEvent)',
+     "Stripe webhook used without constructEvent signature verification"),
+    (r'req\.body.*stripe(?!.*stripe-signature)',
+     "Stripe webhook body read without signature header check"),
+    (r'x-github-event(?!.*x-hub-signature)',
+     "GitHub webhook received without hub signature verification"),
+    (r'webhook.*payload(?!.*secret)',
+     "Webhook payload processed without secret verification"),
+]
+
+# Positive indicators that webhook IS being verified
+SAFE_INDICATORS = [
+    "constructEvent",
+    "stripe-signature",
+    "x-hub-signature",
+    "webhook_secret",
+    "WEBHOOK_SECRET",
+    "verifySignature",
+    "crypto.timingSafeEqual",
+    "hmac",
+]
+
+SKIP_FILES = {"README.md", "readme.md"}
+
+
+def check_webhooks(file_path, content):
+    findings = []
+
+    filename = file_path.split("/")[-1].split("\\")[-1]
+    if filename in SKIP_FILES:
+        return findings
+
+    ext = file_path.split(".")[-1].lower()
+    if ext not in {"py", "js", "ts", "jsx", "tsx"}:
+        return findings
+
+    # Only scan files that mention webhooks
+    if "webhook" not in content.lower() and "stripe" not in content.lower():
+        return findings
+
+    lines = content.splitlines()
+    for line_num, line in enumerate(lines, 1):
+        stripped = line.strip()
+        if stripped.startswith("//") or stripped.startswith("#"):
+            continue
+
+        for pattern, description in PATTERNS:
+            if re.search(pattern, line, re.IGNORECASE):
+                # Check surrounding context for safe indicators
+                start = max(0, line_num - 10)
+                end = min(len(lines), line_num + 10)
+                surrounding = "\n".join(lines[start:end])
+
+                is_safe = any(
+                    indicator in surrounding
+                    for indicator in SAFE_INDICATORS
+                )
+
+                if not is_safe:
+                    findings.append({
+                        "rule": RULE_NAME,
+                        "severity": SEVERITY,
+                        "file": file_path,
+                        "line": line_num,
+                        "message": description,
+                        "fix_hint": "Verify webhook signatures using the provider's SDK. For Stripe use stripe.webhooks.constructEvent().",
+                        "code_snippet": line.strip()[:80],
+                    })
+                break
+
+    return findings

vibesec/rules/xss.py

@@ -0,0 +1,56 @@
+import re
+
+RULE_NAME = "Unsafe HTML Injection (XSS)"
+SEVERITY = "MEDIUM"
+
+PATTERNS = [
+    (r'dangerouslySetInnerHTML\s*=\s*\{\s*\{',
+     "dangerouslySetInnerHTML used — potential XSS vulnerability"),
+    (r'dangerouslySetInnerHTML.*\$\{',
+     "dangerouslySetInnerHTML with template literal — XSS risk"),
+    (r'dangerouslySetInnerHTML.*props\.',
+     "dangerouslySetInnerHTML with props value — XSS risk"),
+    (r'dangerouslySetInnerHTML.*state\.',
+     "dangerouslySetInnerHTML with state value — XSS risk"),
+    (r'innerHTML\s*=\s*[^"\'`][^\n]*\+',
+     "innerHTML set with concatenated value — XSS risk"),
+    (r'document\.write\s*\(',
+     "document.write used — XSS risk"),
+    (r'eval\s*\(\s*[^"\'`]',
+     "eval() called with dynamic value — code injection risk"),
+]
+
+SKIP_FILES = {"README.md", "readme.md"}
+
+
+def check_xss(file_path, content):
+    findings = []
+
+    filename = file_path.split("/")[-1].split("\\")[-1]
+    if filename in SKIP_FILES:
+        return findings
+
+    ext = file_path.split(".")[-1].lower()
+    if ext not in {"js", "ts", "jsx", "tsx"}:
+        return findings
+
+    lines = content.splitlines()
+    for line_num, line in enumerate(lines, 1):
+        stripped = line.strip()
+        if stripped.startswith("//"):
+            continue
+
+        for pattern, description in PATTERNS:
+            if re.search(pattern, line, re.IGNORECASE):
+                findings.append({
+                    "rule": RULE_NAME,
+                    "severity": SEVERITY,
+                    "file": file_path,
+                    "line": line_num,
+                    "message": description,
+                    "fix_hint": "Sanitize HTML with DOMPurify before rendering. Avoid dangerouslySetInnerHTML with user input.",
+                    "code_snippet": line.strip()[:80],
+                })
+                break
+
+    return findings

vibesec/scanner.py

@@ -0,0 +1,25 @@
+from vibesec.utils import walk_files, read_file
+from vibesec.rules import ALL_RULES
+
+
+class Scanner:
+
+    def __init__(self, path):
+        self.path = path
+
+    def run(self):
+        findings = []
+        files = list(walk_files(self.path))
+
+        for file_path in files:
+            content = read_file(file_path)
+            if not content:
+                continue
+            for rule in ALL_RULES:
+                try:
+                    results = rule(file_path, content)
+                    findings.extend(results)
+                except Exception:
+                    pass
+
+        return findings

vibesec/utils.py

@@ -0,0 +1,31 @@
+import os
+
+SUPPORTED_EXTENSIONS = {
+    ".py", ".js", ".ts", ".jsx", ".tsx",
+    ".json", ".yaml", ".yml", ".env", ".sql"
+}
+
+def walk_files(path):
+    """Recursively yield all supported files in a directory."""
+    if os.path.isfile(path):
+        yield path
+        return
+    
+    for root, dirs, files in os.walk(path):
+        # Skip common non-code directories
+        dirs[:] = [d for d in dirs if d not in {
+            "node_modules", ".git", "venv", "__pycache__",
+            ".next", "dist", "build", ".venv"
+        }]
+        for file in files:
+            ext = os.path.splitext(file)[1].lower()
+            if ext in SUPPORTED_EXTENSIONS:
+                yield os.path.join(root, file)
+
+def read_file(path):
+    """Read file content safely."""
+    try:
+        with open(path, "r", encoding="utf-8", errors="ignore") as f:
+            return f.read()
+    except Exception:
+        return ""

vibesec-0.1.0.dist-info/METADATA

@@ -0,0 +1,287 @@
+Metadata-Version: 2.4
+Name: vibesec
+Version: 0.1.0
+Summary: Security scanner for AI-generated code
+Author-email: Ayush Khati <ayushiskhati305@gmail.com>
+License: MIT License
+        
+        Copyright (c) 2026 Ayush Khati
+        
+        Permission is hereby granted, free of charge, to any person obtaining a copy
+        of this software and associated documentation files (the "Software"), to deal
+        in the Software without restriction, including without limitation the rights
+        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+        copies of the Software, and to permit persons to whom the Software is
+        furnished to do so, subject to the following conditions:
+        
+        The above copyright notice and this permission notice shall be included in all
+        copies or substantial portions of the Software.
+        
+        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+        SOFTWARE.
+        
+Project-URL: Homepage, https://github.com/AyushkhatiDev/vibesec
+Project-URL: Bug Tracker, https://github.com/AyushkhatiDev/vibesec/issues
+Classifier: Programming Language :: Python :: 3
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Quality Assurance
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: click>=8.0
+Requires-Dist: rich>=13.0
+Requires-Dist: requests>=2.28
+Requires-Dist: groq>=0.4.0
+Requires-Dist: python-dotenv>=1.0.0
+Dynamic: license-file
+
+# 🔒 VibeSec
+
+**Security scanner for AI-generated code.**
+
+[![PyPI version](https://badge.fury.io/py/vibesec.svg)](https://badge.fury.io/py/vibesec)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Python 3.8+](https://img.shields.io/badge/python-3.8+-blue.svg)](https://www.python.org/downloads/)
+[![GitHub stars](https://img.shields.io/github/stars/AyushkhatiDev/vibesec?style=social)](https://github.com/AyushkhatiDev/vibesec)
+
+45% of AI-generated code ships with critical vulnerabilities. Cursor, Claude Code, Bolt, and Lovable generate insecure patterns that existing tools miss. VibeSec catches them before you deploy.
+
+```
+$ vibesec scan ./my-cursor-app
+
+  VibeSec v0.1.0 — AI-Generated Code Security Scanner
+
+  ● CRITICAL    7 findings
+  ● HIGH        2 findings
+
+  CRITICAL — Hardcoded Secret
+  File: src/lib/supabase.ts  Line: 12
+  Found: SUPABASE_SERVICE_KEY hardcoded in source code
+  Fix:   Move to environment variables. Never commit secrets to git.
+
+  CRITICAL — Supabase RLS Disabled
+  File: supabase/migrations/001_init.sql  Line: 34
+  Found: ALTER TABLE users DISABLE ROW LEVEL SECURITY
+  Fix:   Enable RLS + add user isolation policies.
+
+  9 findings in ./my-cursor-app
+```
+
+---
+
+## Why VibeSec
+
+Existing tools like Semgrep, Snyk, and CodeQL are great — but they were built for human-written code. AI tools generate specific anti-patterns that these scanners miss:
+
+| Pattern | Semgrep | Snyk | VibeSec |
+|---|---|---|---|
+| Hardcoded secrets | ✓ | ✓ | ✓ |
+| Supabase RLS disabled | ✗ | ✗ | ✓ |
+| Hallucinated npm packages | ✗ | ✗ | ✓ |
+| Missing auth on scaffolded routes | Partial | ✗ | ✓ |
+| Source map exposure in build config | ✗ | ✗ | ✓ |
+| AI-specific JWT misuse | ✗ | ✗ | ✓ |
+
+---
+
+## Install
+
+```bash
+pip install vibesec
+```
+
+---
+
+## Usage
+
+**Scan a directory:**
+```bash
+vibesec scan ./my-project
+```
+
+**Scan and get AI-powered fix suggestions:**
+```bash
+vibesec scan ./my-project --fix
+```
+
+**Export results as JSON (for CI/CD):**
+```bash
+vibesec scan ./my-project --output json
+```
+
+**Filter by severity:**
+```bash
+vibesec scan ./my-project --severity critical
+```
+
+**Ignore specific checks:**
+```bash
+vibesec scan ./my-project --ignore rls,cors
+```
+
+---
+
+## What VibeSec Checks
+
+### 🔴 CRITICAL
+
+**1. Hardcoded Secrets**
+API keys, passwords, tokens, and database URLs hardcoded in source files. LLMs replicate tutorial patterns where secrets are hardcoded.
+
+```python
+# VibeSec catches this
+api_key = "sk-abc123..."
+SUPABASE_SERVICE_KEY = "eyJhbGci..."
+stripe_secret = "sk_live_..."
+```
+
+**2. Supabase RLS Disabled**
+Row Level Security disabled — any authenticated user can read or modify all data. LLMs skip RLS to make queries work quickly in scaffolding.
+
+```sql
+-- VibeSec catches this
+ALTER TABLE users DISABLE ROW LEVEL SECURITY;
+```
+
+### 🟡 HIGH
+
+**3. Missing Route Authentication**
+Admin and sensitive API routes scaffolded without authentication middleware. LLMs build the happy path without thinking about access control.
+
+**4. Hallucinated Packages**
+npm packages that don't exist — a typosquatting attack surface. LLMs generate plausible-sounding package names that aren't real.
+
+```json
+// VibeSec catches this
+"react-auth-handler": "^1.0.0",
+"supabase-helpers": "^2.1.0"
+```
+
+**5. Source Map Exposure**
+Build config exposes full source code via `.map` files in production.
+
+### 🟠 MEDIUM
+
+**6. Unsafe JWT Handling** — JWT decoded without verification, or `none` algorithm accepted
+
+**7. dangerouslySetInnerHTML** — Direct HTML injection without sanitization
+
+**8. Client-Side Role Trust** — Admin checks done using `localStorage` values
+
+**9. Missing Webhook Verification** — Stripe/GitHub webhooks without signature check
+
+**10. Permissive CORS** — Wildcard CORS with credentials enabled
+
+---
+
+## GitHub Actions Integration
+
+Add VibeSec to your CI/CD pipeline:
+
+```yaml
+# .github/workflows/vibesec.yml
+name: VibeSec Security Scan
+
+on: [push, pull_request]
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version: '3.11'
+      - name: Install VibeSec
+        run: pip install vibesec
+      - name: Run Security Scan
+        run: vibesec scan . --output json --severity high
+```
+
+---
+
+## Development
+
+```bash
+git clone https://github.com/AyushkhatiDev/vibesec
+cd vibesec
+python -m venv venv
+source venv/bin/activate
+pip install -e ".[dev]"
+pytest tests/
+```
+
+---
+
+## Contributing
+
+VibeSec is open source and contributions are welcome.
+
+**Adding a new rule:**
+1. Create `vibesec/rules/your_rule.py`
+2. Implement `check_your_rule(file_path, content) -> list[dict]`
+3. Register it in `vibesec/rules/__init__.py`
+4. Add test cases in `tests/corpus/`
+5. Open a PR
+
+Each finding must return:
+```python
+{
+    "rule": "Rule Name",
+    "severity": "CRITICAL|HIGH|MEDIUM|LOW",
+    "file": file_path,
+    "line": line_number,
+    "message": "What was found",
+    "fix_hint": "How to fix it",
+    "code_snippet": "offending line"
+}
+```
+
+See [CONTRIBUTING.md](CONTRIBUTING.md) for full guide.
+
+---
+
+## Roadmap
+
+- [x] Secrets detection
+- [x] Supabase RLS checker
+- [x] Missing auth on routes
+- [x] Hallucinated package detector
+- [x] Source map exposure
+- [ ] JWT misuse rules
+- [ ] dangerouslySetInnerHTML
+- [ ] Client-side role trust
+- [ ] Webhook verification
+- [ ] Permissive CORS
+- [ ] GitHub Action marketplace listing
+- [ ] Web app (paste URL → get report)
+- [ ] SARIF output for GitHub Security tab
+- [ ] VS Code extension
+
+---
+
+## Built By
+
+[Ayush Khati](https://github.com/AyushkhatiDev) — BCA student building real tools for real problems.
+
+Found a bug? [Open an issue](https://github.com/AyushkhatiDev/vibesec/issues).
+Want a rule added? [Start a discussion](https://github.com/AyushkhatiDev/vibesec/discussions).
+
+---
+
+## License
+
+MIT — free to use, modify, and distribute.
+
+---
+
+<p align="center">
+  <sub>Built because 45% of vibe-coded apps ship with critical vulnerabilities. Someone had to fix that.</sub>
+</p>

vibesec-0.1.0.dist-info/RECORD

@@ -0,0 +1,23 @@
+vibesec/__init__.py,sha256=q31sV8RecGVcenSqZBLbtYG4iVMxR56N-gYs2to9Se8,49
+vibesec/cli.py,sha256=i1B54upXZC0edXgSDYOFvl8rSk1b6eKSbQBGF-4qKGE,1050
+vibesec/fixgen.py,sha256=CU0HFSqVLJvPrNTT1aum8oeTD6J2cG7_YCNV0ISTgsU,1153
+vibesec/reporter.py,sha256=yfr1VQ3Bm58YhNyjFe0htCNZDqw_4VC5MEOe6Mamxuc,3435
+vibesec/scanner.py,sha256=r8NGOBF1SFDUFH0Z5Puf8XvguGrvgr6-94TgVa2cvts,612
+vibesec/utils.py,sha256=Cgpv0zbNeiGH7rQ-n9YOfySLoeTErB60QJ5ObRmihXE,905
+vibesec/rules/__init__.py,sha256=F69yiHp72wnogMO8JNhYOwAguRqkeG45MrEklUe2SuM,633
+vibesec/rules/auth_routes.py,sha256=qcu0yE6mnqkYt9CuPFyb79Zpnqcf3RlJqfeEBYp0HdI,2159
+vibesec/rules/cors.py,sha256=nwsdt-38L9ZancdIpn1GrVBn_HYQbbWYDDrLzjuZB_0,2293
+vibesec/rules/jwt.py,sha256=gJ_0GPIGHXYkIpsYBlEFTJ1yepR6SeTFkTWJcHE2duY,1663
+vibesec/rules/packages.py,sha256=tGrJtlOKH79qdBbxkZalg3mzX89LtKTtFF1uajF8ayo,2594
+vibesec/rules/rls.py,sha256=dSLefkEZPka2Xv-dpGDQbnffI42_XNgJoHlKn8cHxyU,1609
+vibesec/rules/roles.py,sha256=0cSTUaupIvQAacaSNsh1wl9tpoVEc47NwbP0fJKqkCQ,2058
+vibesec/rules/secrets.py,sha256=oMyQMjievSOek9UYEOovAEQAHfjur4YrdaRnkND3z6g,2286
+vibesec/rules/sourcemaps.py,sha256=-7UsB_EcC-CEavj_v3pmGwMoRjgDRROr0hpRB_M97RQ,2316
+vibesec/rules/webhooks.py,sha256=NXZy32ykHlX7R3i-Vs9eylBkQfXCZ9vmvjvd7dPGZhA,2501
+vibesec/rules/xss.py,sha256=N6w_736r0YsTRoMvFadQ6YX9rNj4Eymnd8MU1Mg6nEo,1869
+vibesec-0.1.0.dist-info/licenses/LICENSE,sha256=C85Ww3BMTD0gQt9J9N7MP_SbWl9EyLyp9yjc5eg0doQ,1068
+vibesec-0.1.0.dist-info/METADATA,sha256=yfg6sphnIwhCkQ7ku6r2MPtQetLeE0HUcRlxFLIGSPs,8135
+vibesec-0.1.0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+vibesec-0.1.0.dist-info/entry_points.txt,sha256=MLazU6qKZaH2PHfOE1g_ybPvEKwDIBp51WGH4LMFmF0,45
+vibesec-0.1.0.dist-info/top_level.txt,sha256=8Ivz0xZCNXO4NwrGs5xoUaYa_sQXqkq94Xg9yyvEU0g,8
+vibesec-0.1.0.dist-info/RECORD,,

vibesec-0.1.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

vibesec-0.1.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+vibesec = vibesec.cli:main

vibesec-0.1.0.dist-info/licenses/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Ayush Khati
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

vibesec-0.1.0.dist-info/top_level.txt

@@ -0,0 +1 @@
+vibesec