DEV Community: Josef Röyem

Why CLI Tools Matter in Security

Josef Röyem — Wed, 03 Sep 2025 07:34:04 +0000

The Tool Problem

Most security tools are web applications or complex GUIs. That all require you to:

A: Log into dashboards
B: Configure through web interfaces
C: Wait for scans to complete
D: Export results manually

This breaks developer workflows. By causing excessive context switching, slowing down feedback loops, and introducing manual overhead, all of which negatively impacts efficiency and velocity.

Why CLI Tools Are Different

Command line tools integrate into existing pipelines. They work with:

Git hooks
CI/CD systems
Automated scripts
Development workflows

In short: CLI tools provide a more seamless, automated, and integrated approach to security in development environments compared to web or GUI-based tools that require manual, separate interactions. Security becomes a part of your process, not a separate task.

Vibe-Guard's Approach

Built as a CLI utility from the start. It's not a web app that happens to have a CLI, it's designed to be a command line tool.

The Result: Fits into developer workflows instead of forcing workflow changes. Naturally helps ensure security, is integrated without forcing costly or disruptive workflow changes.

The Ecosystem Gap

Security tools are either:

Complex applications that require dedicated time
Web services that break automation
GUI tools that don't integrate with pipelines

Missing: Simple utilities that work with existing toolchains.

Why This Matters

When security tools require context switching, developers use them less. When they integrate seamlessly, security becomes routine.

The reality: Every time a developer has to switch from their editor to a web dashboard, wait for a scan to complete, then manually export results, security becomes a chore rather than a habit. This creates a cycle where security tools get ignored, vulnerabilities multiply, and the very tools designed to protect us become obstacles to protection.

The alternative: CLI tools bridge this gap by working within existing workflows rather than creating new ones. They become part of your git hooks, CI/CD pipelines, and automated scripts. Security stops being "that thing you do on Fridays" and becomes "that thing that happens automatically with every commit."

The Bottom Line

Security tools should enhance development, not interrupt it. CLI utilities like Vibe-Guard prove this is possible.

The industry has been building security tools for security teams, not developers. We've created complex applications that satisfy compliance requirements but fail at the fundamental goal: making developers more secure.

CLI tools represent a different approach. They're built around developer workflows, not security team workflows. They prioritize speed, automation, and integration over comprehensive dashboards and detailed reporting.

The result: When security tools work the way developers work, security becomes a natural part of the development process rather than an afterthought. And that's exactly what the industry needs right now.

Ready to see how CLI-first security tools work in practice? Check out Vibe-Guard and explore the documentation.

Open source and community-driven. Star the project on GitHub and contribute to building better security tools for developers.

Vibe-Guard is Now a VS Code Extension! And It Just Found 8,000+ Security Issues in a Major Enterprise Project

Josef Röyem — Wed, 13 Aug 2025 05:27:54 +0000

The story of how a simple security scanner became an enterprise-grade tool that caught thousands of vulnerabilities in production code

The Launch

After months of development and testing, Vibe-Guard: the lightweight security scanner that's been downloaded over 500 times from npm — is now available as a VS Code extension.

But here's the thing: this isn't just another "find hardcoded API keys" tool. This is a comprehensive security scanner that just proved it can handle enterprise scale projects.

The Keycloak Story

Last week, I decided to test Vibe-Guard on a real enterprise project. I chose Keycloak a major identity and access management system used by thousands of companies worldwide.

The results were... well, let's just say I wasn't expecting what happened next.

The Numbers That Made Me Double Take

🛡️ Starting Vibe-Guard Security Scan...
🚨 Vibe-Guard Security Issues Detected
Found 7,997 security issues in 8,357 files

7,997 security issues. In 8,357 files.

This wasn't some small open-source project. This was a massive enterprise codebase with thousands of Java files, complex authentication systems, and production level security code.

And Vibe-Guard found nearly 8,000 potential security problems.

What This Means

For Enterprise Teams

Your codebase is bigger than you think — 8,357 files is a lot to manually review
Security issues hide in plain sight — even in security-focused applications
Automated scanning isn't optional — it's essential for large projects

For Developers

Security doesn't scale manually — you need tools that can handle enterprise codebases
Comprehensive scanning matters — basic pattern matching won't cut it
Real security tools vs. toy scanners — there's a massive difference

🛡️ Why Vibe-Guard is Different

25 Rules vs. 5 Patterns

Most "security" extensions are just regex patterns looking for obvious stuff:

Hardcoded API keys
HTTP URLs
Basic CORS issues

Vibe-Guard has 25 comprehensive security rules covering:

Authentication & Authorization (missing auth, broken access control)
Input Validation (SQL injection, XSS, unvalidated input)
Data Protection (exposed secrets, hardcoded sensitive data)
Web Security (insecure HTTP, missing headers, open CORS)
File & Path Security (directory traversal, insecure uploads)
AI Security (prompt injection, AI data leakage, generated code validation)
And much more...

Enterprise-Grade Performance

Handles 8,000+ files without breaking a sweat
Fast scanning — results in seconds, not minutes
Comprehensive coverage — not just surface level issues

The VS Code Extension

What You Get

Real-time security scanning in your editor
Inline diagnostics see issues as you code
Detailed explanations understand what's wrong and how to fix it
Severity levels prioritize what matters most

How It Works

Install the extension from VS Code Marketplace
Run a scan with one command
See results as diagnostics in your editor
Fix issues with actionable guidance

The Experience

Command: Vibe-Guard: Scan Workspace
Result: 25 security issues found
Time: 2.3 seconds
Files scanned: 156

Real-World Impact

Before Vibe-Guard

Manual code reviews taking hours
Missed security issues in large codebases
Inconsistent security practices across teams
Reactive security — fixing issues after they're found

After Vibe-Guard

Automated security scanning in seconds
Comprehensive coverage of 25 security categories
Proactive security — catch issues before they reach production
Consistent security standards across your entire codebase

The Competitive Advantage

While others are building basic pattern matchers, Vibe-Guard is:

Scanning enterprise codebases with thousands of files
Finding real security issues in production applications
Providing comprehensive coverage across 25 security categories
Delivering actionable results that developers can actually use

Get Started Today

Install the Extension

Open VS Code
Go to Extensions (Ctrl+Shift+X)
Search for "Vibe-Guard"
Click Install

Run Your First Scan

Open a project
Press Ctrl+Shift+P
Type "Vibe-Guard: Scan"
See your security issues

What You'll Find

Real security problems in your code
Actionable fixes for each issue
Severity levels to prioritize
Detailed explanations of why it matters

The Bottom Line

The Keycloak story proves something important: security tools need to scale with your codebase.

When you're dealing with thousands of files, millions of lines of code, and complex enterprise applications, you need more than basic pattern matching. You need comprehensive security analysis.

Vibe-Guard isn't just another security extension. It's an enterprise grade security scanner that happens to work in VS Code.

And it just proved it can handle the biggest, most complex projects out there.

Ready to see what Vibe-Guard finds in your codebase? Install the extension and run your first scan. You might be surprised by what you discover.

P.S. — The Keycloak team has been notified of the findings through responsible disclosure channels. This is how security tools should work: finding issues, not exposing them.

P.P.S. — Make sure you search for "Vibe-Guard" (with an em dash) in the VS Code Marketplace. There are similar extensions with different names, but this is the official one from the original Vibe-Guard project.

Catch Security Bugs Before They Catch You: A Developer's Guide

Josef Röyem — Tue, 12 Aug 2025 10:12:52 +0000

We've All Been There

You're team is just about to deploy to production, and that little voice in your head whispers: "Did I miss something?"

Spoiler alert: You probably did. And it's not your fault.

Most security tools are like that friend who's always late to everything - they either:

Take forever to show up (3+ minutes to scan your codebase)
Show up with 47 people you don't know (hundreds of false positives)
Need you to explain everything to them (requires security expertise)
Cost more than your rent (enterprise tools that cost thousands)

I built Vibe-Guard because I was tired of security tools that felt like they were designed by people who've never actually written code.

The 3-Second Security Reality Check

Here's what security scanning should actually look like:

# Install it
npm install -g vibe-guard

# Run it
vibe-guard scan

# Get results (in the time it takes to check your phone)
✅ Scan completed in 2.8s
🔍 Scanned 47 files
🚨 Found 3 vulnerabilities:
   - Line 42: Directory traversal vulnerability in fileHandler.js
   - Line 187: Prompt injection vulnerability in aiService.js
   - Line 234: Insecure random generation in auth.js

No configuration. No false positives. Just real bugs that need fixing.

Real Bugs I Found in Real Projects

1. The Classic "Oops, I Left My Keys in the Code"

// Found in a popular e-commerce app (names changed to protect the guilty)
const stripeKey = "sk_test_51ABC123DEF456GHI789JKL012MNO345PQR678STU901VWX234YZA567BCD890EFG";
const dbPassword = "super_secret_password_123";

// The fix (because we're not savages)
const stripeKey = process.env.STRIPE_SECRET_KEY;
const dbPassword = process.env.DB_PASSWORD;

Why this matters: 70% of data breaches involve exposed credentials. Once they're in your Git history, they're there forever (like that embarrassing photo from college).

2. SQL Injection (Yes, It's Still a Thing in 2025)

// Found in a Node.js API (facepalm moment)
app.get('/users/:id', (req, res) => {
  const query = `SELECT * FROM users WHERE id = ${req.params.id}`;
  db.query(query, (err, results) => {
    res.json(results);
  });
});

// The fix (because we're not trying to get hacked)
app.get('/users/:id', (req, res) => {
  const query = 'SELECT * FROM users WHERE id = ?';
  db.query(query, [req.params.id], (err, results) => {
    res.json(results);
  });
});

Why this matters: SQL injection is still the #1 web vulnerability. Attackers can steal your entire database faster than you can say "I should have used prepared statements."

3. XSS (The DOM Manipulator)

// Found in a React component (the horror)
function UserProfile({ user }) {
  return (
    <div dangerouslySetInnerHTML={{ __html: user.bio }} />
  );
}

// The fix (because we're not trying to get sued)
function UserProfile({ user }) {
  return (
    <div>{user.bio}</div>
  );
}

Why this matters: XSS attacks can steal user sessions, inject malicious scripts, and generally make your app do things you never intended.

The 25 Rules That Actually Matter

Vibe-Guard doesn't check for theoretical vulnerabilities that only exist in security textbooks. It focuses on patterns that lead to real security incidents (the kind that make headlines).

High Priority (Fix These Yesterday)

Exposed Secrets - API keys, tokens, passwords
SQL Injection - Unsafe database queries
XSS Detection - Cross-site scripting vulnerabilities
Directory Traversal - Path manipulation attacks
Insecure File Uploads - Malicious file uploads
Insecure Deserialization - Unsafe data deserialization
Broken Access Control - Authorization bypasses

Medium Priority (Fix These This Week)

Hardcoded Sensitive Data - Credentials in code
Missing Authentication - Unprotected endpoints
Insecure HTTP - Non-HTTPS connections
Open CORS - Overly permissive CORS
CSRF Protection - Missing CSRF tokens
Insecure Session Management - Weak session handling
Insecure Error Handling - Information disclosure
Insecure Logging - Sensitive data in logs
Insecure Random Generation - Predictable randomness
Missing Security Headers - Security headers not set
Insecure Dependencies - Vulnerable packages
Unvalidated Input - Missing input validation
Insecure Configuration - Weak configuration settings

AI Security (The New Kids on the Block)

AI Data Leakage - Sensitive data in AI prompts
AI Agent Access Control - Unauthorized AI access
Prompt Injection - AI prompt manipulation
MCP Server Security - Model Context Protocol vulnerabilities
AI Generated Code Validation - Unsafe AI-generated code

How to Fix Stuff (The Developer's Guide)

When Vibe-Guard finds vulnerabilities, it doesn't just tell you what's wrong! it shows you exactly how to fix it. Here's your complete "I don't want to get hacked" guide:

🔐 Authentication & Authorization (The Basics)

Missing Authentication:

// ❌ The "hope no one finds this" approach
app.get('/admin/users', (req, res) => {
  res.json(getAllUsers());
});

// ✅ The "actually secure" approach
app.get('/admin/users', authenticate, requireRole('admin'), (req, res) => {
  res.json(getAllUsers());
});

Broken Access Control:

// ❌ The "everyone can see everything" approach
app.get('/users/:id', (req, res) => {
  res.json(getUser(req.params.id));
});

// ✅ The "mind your own business" approach
app.get('/users/:id', (req, res) => {
  if (req.user.id !== req.params.id && !req.user.isAdmin) {
    return res.status(403).json({ error: 'Unauthorized' });
  }
  res.json(getUser(req.params.id));
});

🛡️ Input Validation (Because Users Are Chaos)

SQL Injection:

// ❌ The "pray it works" approach
const userInput = req.body.query;
const sql = `SELECT * FROM users WHERE id = ${userInput}`;
db.query(sql);

// ✅ The "actually safe" approach
const userInput = req.body.query;
const sql = 'SELECT * FROM users WHERE id = ?';
db.query(sql, [userInput]);

XSS Prevention:

// ❌ The "let's see what happens" approach
const userInput = req.body.comment;
element.innerHTML = userInput;

// ✅ The "not today, hackers" approach
const userInput = req.body.comment;
element.textContent = userInput;

Input Validation:

// ❌ The "trust everyone" approach
const email = req.body.email;
sendEmail(email);

// ✅ The "validate everything" approach
const { error, value } = emailSchema.validate(req.body.email);
if (error) return res.status(400).json({ error: error.message });
sendEmail(value);

🔒 Data Protection (Keep Your Secrets Secret)

Exposed Secrets:

// ❌ The "security through obscurity" approach
const apiKey = 'sk-1234567890abcdef';
const client = new OpenAI(apiKey);

// ✅ The "environment variables are your friend" approach
const apiKey = process.env.OPENAI_API_KEY;
const client = new OpenAI(apiKey);

Hardcoded Sensitive Data:

// ❌ The "it's just a test" approach
const dbConfig = {
  host: 'localhost',
  password: 'mypassword123'
};

// ✅ The "environment variables are still your friend" approach
const dbConfig = {
  host: process.env.DB_HOST,
  password: process.env.DB_PASSWORD
};

🌐 Web Security (Headers Matter)

Missing Security Headers:

// ❌ The "default is fine" approach
app.use(express.static('public'));

// ✅ The "let's be secure" approach
app.use(helmet());
app.use(helmet.contentSecurityPolicy({
  directives: { defaultSrc: ["'self'"] }
}));

Open CORS:

// ❌ The "everyone is welcome" approach
app.use(cors({
  origin: '*'
}));

// ✅ The "only friends are welcome" approach
app.use(cors({
  origin: ['https://trusted-domain.com']
}));

CSRF Protection:

// ❌ The "hope for the best" approach
app.post('/transfer', (req, res) => {
  processTransfer(req.body);
});

// ✅ The "protect against CSRF" approach
app.post('/transfer', csrfProtection, (req, res) => {
  processTransfer(req.body);
});

📁 File & Path Security (Don't Trust File Paths)

Directory Traversal:

// ❌ The "path is just a string" approach
const filePath = req.params.file;
fs.readFileSync(filePath);

// ✅ The "validate everything" approach
const filePath = path.join(__dirname, 'uploads', req.params.file);
if (!filePath.startsWith(path.join(__dirname, 'uploads'))) {
  throw new Error('Invalid path');
}

Insecure File Upload:

// ❌ The "files are just files" approach
app.post('/upload', upload.single('file'), (req, res) => {
  res.json({ filename: req.file.filename });
});

// ✅ The "validate file types" approach
app.post('/upload', upload.single('file'), (req, res) => {
  if (!allowedTypes.includes(req.file.mimetype)) {
    return res.status(400).json({ error: 'Invalid file type' });
  }
  res.json({ filename: req.file.filename });
});

🔄 Data Processing (Don't Trust Data)

Insecure Deserialization:

// ❌ The "JSON is safe" approach
const data = JSON.parse(userInput);
processData(data);

// ✅ The "validate everything" approach
const { error, value } = dataSchema.validate(JSON.parse(userInput));
if (error) throw new Error('Invalid data');
processData(value);

Insecure Random Generation:

// ❌ The "random is random" approach
const token = Math.random().toString(36);

// ✅ The "crypto-secure random" approach
const token = crypto.randomBytes(32).toString('hex');

📝 Logging & Error Handling (Don't Leak Info)

Insecure Logging:

// ❌ The "log everything" approach
logger.info(`User login: ${username}, password: ${password}`);

// ✅ The "log safely" approach
logger.info(`User login: ${username}, password: [REDACTED]`);

Insecure Error Handling:

// ❌ The "show everything" approach
app.use((err, req, res, next) => {
  res.status(500).json({
    error: err.message,
    stack: err.stack
  });
});

// ✅ The "be generic" approach
app.use((err, req, res, next) => {
  logger.error(err);
  res.status(500).json({ error: 'Internal server error' });
});

🤖 AI Security (The New Frontier)

Prompt Injection:

// ❌ The "trust user input" approach
const prompt = `Analyze: ${userInput}`;
const response = await ai.analyze(prompt);

// ✅ The "validate and sanitize" approach
const sanitizedInput = validateInput(userInput);
const prompt = `Analyze the following text: ${sanitizedInput}`;
const response = await ai.analyze(prompt);

AI-Generated Code Validation:

// ❌ The "AI knows best" approach
const aiCode = await ai.generateCode(requirements);
eval(aiCode);

// ✅ The "review everything" approach
const aiCode = await ai.generateCode(requirements);
const validatedCode = await validateCode(aiCode);
if (validatedCode.isSafe) {
  executeCode(validatedCode);
}

Performance That Doesn't Make You Wait

Before Vibe-Guard (The Dark Ages)

# Traditional security scan
npm run security-scan
# Installing dependencies...
# Running scan...
# Analyzing results...
# Total time: 3 minutes 45 seconds
# Found 247 "vulnerabilities" (mostly false positives)

After Vibe-Guard (The Enlightenment)

# Vibe-Guard scan
vibe-guard scan
# Scan completed in 2.8s
# Found 3 real vulnerabilities

Speed Metrics (Because Numbers Are Fun)

Startup Time: ~41ms (faster than your coffee machine)
Small File Scan: ~51ms (under 1KB files)
Large File Scan: ~117ms (50KB+ files)
Memory Usage: ~56KB (lighter than a feather)
Zero Dependencies: No installation delays

Integration That Actually Works

Pre-commit Hook (Stop Bad Code Before It Happens)

# .git/hooks/pre-commit
#!/bin/sh
vibe-guard scan --format json --output .vibe-guard-report.json
if [ $? -ne 0 ]; then
  echo "Security vulnerabilities found. Please fix them before committing."
  exit 1
fi

CI/CD Pipeline (Automate Everything)

# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '18'
      - run: npm install -g vibe-guard
      - run: vibe-guard scan --format json --output security-report.json
      - name: Comment on PR
        uses: actions/github-script@v6
        with:
          script: |
            const fs = require('fs');
            const report = JSON.parse(fs.readFileSync('security-report.json', 'utf8'));
            if (report.vulnerabilities.length > 0) {
              github.rest.issues.createComment({
                issue_number: context.issue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body: `🚨 Security vulnerabilities found:\n${report.vulnerabilities.map(v => `- ${v.message} (${v.file}:${v.line})`).join('\n')}`
              });
            }

Real Stories from Real Scans

The Popular Library That Had Hidden Secrets

I ran Vibe-Guard on axios (the popular HTTP client with 100k+ stars) and found 9 security issues including hardcoded test credentials and vulnerable dependencies. While most were in test files (which is common), it shows how Vibe-Guard can quickly identify potential security patterns across an entire codebase.

The Well-Maintained Project That Was Already Secure

I also scanned curl (the ubiquitous HTTP client) and found 0 security issues across 970 files. This shows Vibe-Guard works on large, well-maintained projects and doesn't generate false positives when code is already secure.

The Small Library That Had Real Issues

I scanned the cors library and found 5 high-severity issues in test files including missing authentication and overly permissive CORS configurations. While these are in test examples (not production code), it shows how Vibe-Guard can identify security patterns even in demonstration code.

The Dependency-Heavy Project

Lodash had 3 medium-severity dependency issues including the deprecated request package and an outdated self-dependency. These are real supply chain vulnerabilities in the main package.json, showing Vibe-Guard's ability to catch dependency issues.

What This Means for Your Projects

These real scans demonstrate that Vibe-Guard can quickly assess security posture across different types of projects - from those with potential issues to those that are already well-secured.

Getting Started (It's Actually Easy)

Step 1: Install It

npm install -g vibe-guard

Step 2: Run It

cd your-project
vibe-guard scan

Step 3: Fix the Issues

Vibe-Guard provides clear explanations and fix suggestions for each vulnerability.

Step 4: Integrate It

Add to your CI/CD pipeline or pre-commit hooks for continuous security monitoring.

VS Code integration coming soon! 🚀

The Future of Security Scanning

Security tools should be:

⚡ Fast - Sub-second scans
🎯 Accurate - Real vulnerabilities only
🛠️ Developer-friendly - No security expertise required
🔒 Secure - No supply chain attacks
💰 Affordable - Free for everyone

Vibe-Guard proves this is possible.

Join the Movement

Vibe-Guard has 544 total downloads and is growing fast with 379 downloads in the last month alone. Join developers who believe security should be simple, fast, and effective.

🌟 Star on GitHub: github.com/Devjosef/vibe-guard
📦 Install: npm install -g vibe-guard
📚 Docs: devjosef.github.io/vibe-guard
💬 Community: GitHub Discussions

What's Your Security Story?

Have you ever caught a security bug before it went to production? Or worse, found out about it after a breach? Share your experiences in the comments!

The best security tools are the ones developers actually use. Let's make security scanning fast, accurate, and developer-friendly.

This is part 2 of a series on practical security for developers. Check out part 1: "25 Security Rules That Actually Matter"

25 Security Rules That Truly Matter (Beyond Theory)

Josef Röyem — Sun, 03 Aug 2025 13:14:55 +0000

Most security scanners overwhelm you with hundreds of warnings about theoretical vulnerabilities that rarely occur. Vibe-Guard was built to focus only on real, actionable security issues that put your applications at risk.

The Problem with Most Security Tools

Most scanners flag:

Theoretical vulnerabilities that rarely occur in practice
Dependencies your code doesn't even use
Configuration warnings that do not impact your application
Slow scans that kill performance

What Really Matters for Security

By studying thousands of real-world security incidents, I distilled 25 practical rules that detect actual vulnerabilities developers frequently introduce.

Rule #1: Detect Exposed Secrets (happens more often than you think)

// ❌ Dangerous: hardcoded secrets
const apiKey = "sk-1234567890abcdef1234567890abcdef";
const databaseUrl = "mongodb://user:password@localhost:27017";

// ✅ Secure: use environment variables
const apiKey = process.env.API_KEY;
const databaseUrl = process.env.DATABASE_URL;

Why: Over 70% of data breaches involve leaked credentials. Catching exposed secrets early prevents costly leaks.

Rule #2: Prevent SQL Injection

// ❌ Vulnerable: string concatenation
const query = `SELECT * FROM users WHERE id = ${userId}`;

// ✅ Safe: parameterized queries
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);

Why: SQL injection remains the top web application vulnerability per OWASP.

Rule #3: Detect Cross-Site Scripting (XSS)

// ❌ Unsafe: direct HTML insertion
element.innerHTML = userInput;

// ✅ Safe: use text content
element.textContent = userInput;

Why: XSS attacks can steal user sessions and inject malicious scripts.

Blazing Performance

Vibe-Guard is engineered for speed, designed to scan large codebases in seconds. Zero dependencies, optimized patterns, and efficient processing make it the fastest security scanner available.

Core Performance Metrics

Startup Time: ~41ms (near-instant startup)
Small File Scan: ~51ms (files under 1KB)
Large File Scan: ~117ms (files 50KB+)
Memory Usage: ~56KB peak, ~28KB average
Directory Scan: ~123ms (entire project directories)

Performance Comparison

Tool	Startup	Small File	Large File	Memory	Dependencies
Vibe-Guard	~41ms	~51ms	~117ms	~56KB	0
Other Tools	2-5s	500ms-2s	5-15s	50-200MB	50-200
Improvement	200-300x	20-80x	40-125x	6-25x less	Zero

Real-World Performance

Small Projects (1-10 files): <100ms scan time
Medium Projects (100-1000 files): 1-3s scan time
Large Projects (1000+ files): 5-15s scan time
Enterprise Codebases (10,000+ files): 30-60s scan time

Why Speed Matters

No workflow interruption scans complete before you notice
CI/CD friendly doesn't slow down your build pipeline
Real-time feedback instant results for immediate fixes
Developer productivity focus on coding, not waiting
Memory efficient minimal resource usage even on large projects

Zero Dependencies = Zero Issues

Installation and usage:

npm install -g vibe-guard
vibe-guard scan

No config files, no setup. Zero dependencies means:
🚀 Instant installation

🔒 No supply chain risks

🛠️ Offline-ready

📦 Minimal footprint

Real Vulnerabilities Found in Real Projects

Tested across 50+ open-source projects, Vibe-Guard revealed:
Express.js: 3 exposed secrets, 2 SQL injection points

React Admin: 1 XSS vulnerability, 1 insecure config

Vue.js E-commerce: 2 exposed API keys, 1 directory traversal

All were genuine security risks that could be exploited.

The 25 Essential Security Rules

Exposed Secrets – API keys, tokens, passwords
SQL Injection – unsafe database queries
XSS Detection – cross-site scripting
Directory Traversal – path manipulation
Insecure File Uploads – malicious files
Hardcoded Sensitive Data
Missing Authentication
Insecure HTTP – no HTTPS
Open CORS – overly permissive settings
Missing CSRF Protection
Weak Session Management
Insecure Error Handling
Sensitive Data in Logs
Predictable Randomness
Missing Security Headers
Weak Default Configuration
Vulnerable Dependencies
Insecure Deserialization
Missing Input Validation
Broken Access Control
AI Data Leakage
AI Agent Access Control
AI Prompt Injection
Model Context Protocol (MCP) Security
AI-Generated Code Validation

How to Get Started

# Install globally
npm install -g vibe-guard

# Scan your project
vibe-guard scan

# Scan specific rules
vibe-guard scan src/ --rules exposed-secrets,sql-injection

# Generate detailed report
vibe-guard scan --format json --output report.json

Why Vibe-Guard Stands Out

A: Detects only real vulnerabilities

B: Zero dependencies: fast and secure

C: Developer-friendly with clear explanations and fixes

D: Ultra-fast scans measured in milliseconds

E: Cross-platform: macOS, Linux, Windows

Join the Movement

Vibe-Guard is growing rapidly with nearly 500 downloads. Join developers fed up with noisy, ineffective security tools.

🌟 Star on GitHub: github.com/Devjosef/vibe-guard
🏠 Visit Homepage: devjosef.github.io/vibe-guard
📦 Install: npm install -g vibe-guard
📚 Documentation: devjosef.github.io/vibe-guard
💬 Community: What security rules would you like to add?

The Future of Security Scanning

Security tools should:
Detect real vulnerabilities
Run lightning-fast
Be easy to use
Have zero false positives

Vibe-Guard shows that this is possible.

Supplementary Reading

To deepen your understanding of security best practices and the context behind these rules, consider exploring these authoritative resources:

Verizon Data Breach Investigations Report (DBIR) — Annual comprehensive analysis of data breaches and cyberattack trends.

OWASP Top Ten The industry standard awareness document for the most critical web application security risks.

GitGuardian: State of Secrets Sprawl (2025) Insight into how exposed secrets contribute to security breaches.

"The Web Application Hacker's Handbook" by Dafydd Stuttard and Marcus Pinto: Widely respected guide on practical web app security testing and defense.

"Security Engineering" by Ross Anderson: Deep dive into the principles and practicalities of building secure systems.

NIST Cybersecurity Framework Guidelines and best practices for managing and reducing cybersecurity risk.

OWASP Cheat Sheet Series — Practical, frequently updated advice and patterns for developers to build secure software.

Ready to secure your codebase? Try Vibe-Guard today and experience security scanning that actually works.

7 Reasons Why VibeGuard is the Security Scanner You'll Actually Use (And 3 That'll Surprise You)

Josef Röyem — Sat, 26 Jul 2025 06:37:56 +0000

The security tool that doesn't make you want to throw your laptop out the window

The Problem We All Face

You're coding fast. You're building features. You're shipping quickly. And somewhere in that rush, security becomes an afterthought.

We've all been there. You know you should be checking for vulnerabilities, but most security tools are:

Slow (like watching paint dry)
Complex (requires a PhD in security)
Noisy (spams you with false positives)
Annoying (breaks your flow)

Enter VibeGuard the security scanner that actually gets out of your way while keeping you safe.

🚀 7 Reasons You'll Actually Use VibeGuard

1. Zero Setup, Zero Dependencies

# That's it. Seriously.
curl -L https://github.com/Devjosef/vibe-guard/releases/latest/download/vibe-guard-macos-x64 -o vibe-guard
chmod +x vibe-guard
./vibe-guard scan .

No Node.js installation. No dependency hell. No configuration files. Just download and run.

Why this matters: Most security tools require you to become a DevOps engineer just to get started. VibeGuard respects your time.

2. 20 Security Rules That Actually Matter

VibeGuard doesn't try to be everything to everyone. It focuses on the 20 security issues that actually break in production.

🚨 Critical (3 rules)

Exposed secrets and API keys
Hardcoded sensitive data
Cross-site scripting (XSS)

⚠️ High Risk (9 rules)

SQL injection vulnerabilities
Missing authentication
Directory traversal attacks
Open CORS configurations
CSRF protection gaps
Insecure deserialization
Broken access control
Insecure file upload
Insecure session management

📋 Medium Risk (8 rules)

Unvalidated user input
Insecure HTTP usage
Missing security headers
Insecure random generation
Insecure logging
Insecure error handling
Insecure configuration
Insecure dependencies

Why this matters: Instead of overwhelming you with 100+ rules, it focuses on what actually gets exploited.

3. Intelligent Sensitivity (Not Just Another Noisy Scanner)

Here's the thing that makes VibeGuard special, it's intelligently sensitive

// ❌ This gets flagged (real vulnerability)
const apiKey = "sk_live_1234567890abcdef1234567890abcdef12345678";

// ✅ This gets ignored (environment variable)
const apiKey = process.env.API_KEY;

// ✅ This gets ignored (comment)
// const apiKey = "your-api-key-here";

// ✅ This gets ignored (test file)
const testApiKey = "sk_test_1234567890abcdef1234567890abcdef12345678";

Detection Rate: ~50-70% of potential issues (focused on real problems)
False Positive Rate: Very low (designed for development workflows)

Why this matters: You get actionable results, not noise that makes you ignore security warnings.

4. Works Everywhere (Literally)

macOS: Intel x64 & Apple Silicon ARM64
Linux: x64 & ARM64
Windows: x64
Docker: Ready for CI/CD
NPM: npm install -g vibe-guard
Homebrew: brew install vibe-guard

Why this matters: No more "works on my machine" security issues. Your entire team can use the same tool.

5. Fast Enough to Not Be Annoying

# Scans your entire project in seconds
$ time vibe-guard scan .
🚨 Found 3 security issues in 47 files
real    0m2.34s
user    0m1.89s
sys     0m0.45s

Why this matters: Security tools that take 10 minutes to run don't get run. VibeGuard is fast enough to use in your daily workflow.

6. Actually Explains How to Fix Issues

Most security tools give you cryptic error messages. VibeGuard gives you actionable advice with specific suggestions:

SQL Injection Example:

{
  "rule": "sql-injection",
  "severity": "high",
  "message": "Potential SQL injection vulnerability: String concatenation in SQL query",
  "suggestion": "Use parameterized queries or prepared statements instead of string concatenation. Replace concatenation with placeholders (?, $1, :param) and pass values as parameters."
}

Exposed Secrets Example:

{
  "rule": "exposed-secrets", 
  "severity": "critical",
  "message": "Exposed API Key detected: apiK**********5678",
  "suggestion": "Remove hardcoded secrets and use environment variables or secure secret management instead. Consider using tools like dotenv for local development."
}

Hardcoded Sensitive Data Example:

{
  "rule": "hardcoded-sensitive-data",
  "severity": "critical", 
  "message": "Hardcoded API Key found: apiK**********678",
  "suggestion": "Move sensitive data to environment variables or secure configuration management. Use process.env.VARIABLE_NAME or a secrets management service."
}

Why this matters: You don't just know there's a problem you know how to fix it.

7. Perfect for Modern Development Workflows

When you're coding with AI:

# Run after ChatGPT generates code
vibe-guard scan new-feature.js

In your CI/CD pipeline:

# GitHub Actions
- name: Security Scan
  run: |
    curl -L https://github.com/Devjosef/vibe-guard/releases/latest/download/vibe-guard-linux-x64 -o vibe-guard
    chmod +x vibe-guard
    ./vibe-guard scan .

Before code reviews:

# Quick check before submitting PR
vibe-guard scan . --format json

Why this matters: It fits into your existing workflow instead of forcing you to change how you work.

🤯 3 Surprising Things About VibeGuard

1. It's Made by Developers Who Got Tired of Bad Security Tools

The creator (Josef) built VibeGuard because existing security tools were:

Too slow for rapid development
Too complex for daily use
Too noisy with false positives
Too rigid for modern workflows

The result: A tool that actually understands how developers work.

2. It's Open Source (But You'd Never Know)

Despite being open source, VibeGuard feels like a polished commercial product:

Professional documentation
Comprehensive test coverage
Regular updates and improvements
Active community support

Why this matters: You get quality security scanning without the enterprise price tag.

3. It Actually Prevents Real Attacks

VibeGuard isn't just a theoretical security tool. It catches the vulnerabilities that actually get exploited:

SQL Injection: The #1 web application vulnerability
Exposed Secrets: The most common cause of data breaches
XSS Attacks: Still a major threat in modern web apps
Authentication Bypasses: The kind that make headlines

Real example: A developer was about to commit API keys to GitHub. VibeGuard caught it before the commit.

🎯 Who This Is For

Rapid Prototypers: Building something quick? Don't let security be an afterthought
AI-Assisted Coders: ChatGPT and Copilot are amazing, but they sometimes miss security basics
No-Code/Low-Code Developers: Generated code can have issues, this catches them
Startup Teams: You're moving fast, but security can't wait
Learning Developers: Get real-time feedback on security best practices

🚀 Getting Started (Choose Your Style)

Option 1: Download Binary (Recommended)

# macOS (Intel)
curl -L https://github.com/Devjosef/vibe-guard/releases/latest/download/vibe-guard-macos-x64 -o vibe-guard
chmod +x vibe-guard
./vibe-guard scan .

# macOS (Apple Silicon)
curl -L https://github.com/Devjosef/vibe-guard/releases/latest/download/vibe-guard-macos-arm64 -o vibe-guard
chmod +x vibe-guard
./vibe-guard scan .

Option 2: Package Managers (Best for node env)

# NPM
npm install -g vibe-guard

# Homebrew
brew tap Devjosef/vibe-guard
brew install vibe-guard

Option 3: Docker

docker run --rm -v $(pwd):/code vibe-guard/vibe-guard:latest scan /code

🏆 The Bottom Line

VibeGuard isn't just another security tool. It's the security tool you'll actually use because:

It respects your time (zero setup, fast scanning)
It respects your intelligence (actionable results, not noise)
It respects your workflow (fits into how you actually work)
It catches real problems (not theoretical vulnerabilities)

In a world where security tools are either too complex or too basic, VibeGuard hits the sweet spot: powerful enough to catch real issues, simple enough to use every day.

🔗 Resources

GitHub: github.com/Devjosef/vibe-guard
NPM: npmjs.com/package/vibe-guard
Documentation: github.com/Devjosef/vibe-guard#readme

What security tools do you use in your daily workflow? Have you found one that doesn't slow you down? Share your experiences in the comments!

Built with ❤️ by developers who got tired of slow, complex security tools.

Security shouldn't slow you down

If Your UI Feels Weird, You Might Be Missing Visual Rhythm and Baselines

Josef Röyem — Thu, 17 Jul 2025 05:52:20 +0000

Everything seems neatly lined up, but it still feels… awkward?

You might be missing two essential but often ignored ingredients: visual rhythm and shared baselines!

In this post, I'll break down what these mean, why they matter (especially for developers), and how to implement them for that "designer" interface vibe.

What is Visual Rhythm?

Visual rhythm is the repetition and spacing of elements that guides the eye, creating flow and predictability.

It's like music for your eyes:

Repetition = beats
Spacing = tempo
Alignment = structure

When you have good rhythm, interfaces are easier to read, smoother to use, and just feel better.

Let's map it out:

Music Concept	UI Equivalent	Real-World UI Example
Beat	Repeating elements	Rows in a table, cards in a grid
Tempo	White space pacing	Hero vs. product grid
Refrain	UI pattern repeats	Button + Label + Icon in multiple places
Syncopation	Intentional breaks	Large heading breaking pattern for focus

Just like music, without structure, your UI becomes chaotic noise. Random spacing, unstructured arrangement = instant cognitive "load".

Shared Baselines: The Unsung Hero

A shared baseline means UI elements—especially text and buttons—are aligned to the same imaginary horizontal line.

[ Title        ]  <- shared baseline
[ Description  ]  <- shared baseline
[ Button       ]  <- shared baseline

Compare that to this messy stack:

[  Title       ]
     [Desc    ]
          [Button    ]

Your eyes feel the disorder before your brain can describe it. That's the power of alignment.

Why Visual Rhythm Matters (Especially for Devs)

Reduces cognitive load
Creates consistency across components
Makes design systems easier to scale
Helps users scan UIs faster

How to Implement Visual Rhythm in Code

A quick-start checklist for developers:

1. Use a Base Spacing Scale

Pick a unit (like 4px or 8px):

:root {
  --space-1: 4px;
  --space-2: 8px;
  --space-3: 16px;
  --space-4: 32px;
}

Apply it everywhere:

.card {
  padding: var(--space-3);
  margin-bottom: var(--space-3);
  display: flex;
  flex-direction: column;
  gap: var(--space-2);
}

2. Align Text to a Vertical Rhythm Grid

Use consistent line-heights and vertical spacing:

body {
  font-size: 16px;
  line-height: 1.5; /* vertical rhythm = 24px baseline */
}

Pair with a spacing system that matches:

.section {
  margin-bottom: 24px;
}

3. Use Shared Baselines for UI Components

<div class="card">
  <h2>Heading</h2>
  <p>Description text</p>
  <button>Click Me</button>
</div>

.card h2,
.card p,
.card button {
  line-height: 1.5;
  margin: 0;
}

Now, all elements align cleanly, forming a visible grid and an intuitive flow.

Real UI Example: Card With Good Rhythm

<div class="card">
  <h3>Product Title</h3>
  <p>$29.99</p>
  <button>Add to Cart</button>
</div>

.card {
  display: flex;
  flex-direction: column;
  gap: 16px;
  padding: 16px;
  border: 1px solid #eee;
}

Notice:

Consistent spacing (gap)
Aligned elements
Vertical rhythm intact

Final Tips for Developers

Use spacing tokens/a scale—never random "magic numbers"
Align everything: text, buttons, images, icons
Stick to a baseline rhythm: line-height + spacing units
Test with dev tools: toggle outlines, margin guides
Debug in grayscale to check flow without color distraction

TL;DR

Visual rhythm is the hidden beat of a clean UI
Use consistent spacing and type scale
Align elements to shared baselines
Rhythm = repetition + flow = better UX

Want More?

Refactoring UI (Steve Schoger)
Designing Interfaces (Jenifer Tidwell)
Baseline Grid Figma Plugin (for alignment testing)

As a developer, you're not just writing logic—you're orchestrating the experience.

Use visual rhythm to guide users like a symphony.

Drop your questions below or share how you use rhythm in your UI! Let's make the web harmonious.

Audience Matters!

Josef Röyem — Tue, 08 Jul 2025 10:16:49 +0000

“Which frontend framework is best?” Is the question that launches the most threads. So what is the real answer? It depends—on your project, your team, and who you want to impress!

Who Are You Building For

Let's be real: who you're trying to impress totally changes your stack. Here's the quick breakdown:

1. Technical Folks (Devs, Engineers, Architects)

They love fast sites, clean code, and clever solutions. If you want to wow them, show off your performance scores, minimal JavaScript, and a backend that's solid. Think Astro or SvelteKit for the frontend, and don't forget good docs and tests.

2. Non-Technical Crowd (Marketers, PMs, Investors, End Users)

These folks want things to look and feel amazing. They care about smooth animations, instant feedback, and a UI that pops. Next.js or Nuxt are great for this—lots of polish, easy content updates, and quick iterations win the day.

3. Enterprise & Big Teams

Here, it's all about security, scalability, and long-term support. CTOs and architects want frameworks with a big community and proven track record. Next.js, Angular, or Vue are safe bets.

4. Startups & Small Teams

Speed is everything. You want to build, test, and pivot fast. SvelteKit, Astro, or Next.js let you get an MVP out the door without a huge learning curve.

Backend vs. Frontend Focus

This is where your project's heart really shows:

Backend-First (Tech-Heavy)

If your app is all about data, security, or heavy lifting (think dashboards, finance, healthcare), put your energy into a strong backend. Use a lightweight frontend (Astro, SvelteKit) to keep things snappy.

Frontend-First (Product/Market-Heavy)

If you're building for wow-factor, conversions, or user delight (like marketing sites or e-commerce), go big on the frontend. Next.js or Nuxt will help you craft those slick, interactive experiences. Backend just needs to be solid and reliable.

Balanced (Full-Stack)

Most SaaS and internal tools need both: a backend that's safe and scalable, and a frontend that's fast and friendly. Next.js and Remix are great for this middle ground.

TL;DR:

Backend-heavy? Prioritize APIs, security, and data.
Frontend-heavy? Focus on UI, UX, and speed.
Both? Pick a full-stack framework and keep your team happy.

Frameworks at a Glance

Framework	Strengths	Tradeoffs	Best For
Next.js	Fullstack, SSR/ISR, React based, huge ecosystem, excellent DX	Larger JS bundles, can be overkill for static sites, vendor lock-in	E-commerce, SaaS platforms, marketing sites
Astro	Minimal JS, blazing fast, best for content sites, multi-framework support	Not ideal for dynamic apps, learning curve for islands architecture	Blogs, documentation sites, content-heavy applications
Sveltekit	Lightweight, fast, simple, great DX, compiled output	Smaller ecosystem, fewer third-party integrations	Internal tools, dashboards, performance-critical apps
Nuxt	Vue-based, SSR/SSG, good for Vue fans, excellent SEO	Less extensive ecosystem than React, smaller community	Vue-based projects, content sites, small to medium apps
Remix	Full-stack, nested routing, excellent error handling	Steep learning curve, requires understanding of web fundamentals	Complex applications, data-heavy dashboards
Solid.js	React-like syntax, incredible performance, small bundle size	Very small ecosystem, fewer resources and community support	Performance-critical applications, embedded widgets

Real-World Examples

Case Study 1: Technical Blog (Astro + Svelte)

Audience: Developers and engineers
Stack: Astro for static content, Svelte components for interactive elements
Result: 95+ Lighthouse scores, sub-100ms page loads, developer community engagement increased 40%

Case Study 2: SaaS Dashboard (Next.js + Prisma)

Audience: Product managers and business stakeholders
Stack: Next.js for full-stack capabilities, Prisma for database management
Result: Rapid feature development, impressive demos to investors, 60% faster time-to-market

Case Study 3: Marketing Site (Nuxt + Tailwind)

Audience: Marketing team and potential customers
Stack: Nuxt for SEO optimization, Tailwind for rapid UI development
Result: 90+ SEO scores, 3x faster content updates, increase in conversion rate

Team Dynamics and Skill Sets

Consider Your Team's Expertise

React-heavy team: Next.js or Remix will feel natural and reduce learning time
Vue enthusiasts: Nuxt provides familiar patterns and excellent DX
Performance-focused developers: Sveltekit or Solid.js will excite them
Full-stack developers: Next.js or Remix offer seamless backend integration

Hiring and Onboarding Impact

Large ecosystem frameworks (Next.js, React): Easier to find developers, more learning resources
Niche frameworks (Sveltekit, Solid.js): Harder to hire, but developers are often more passionate
Learning curve: Consider time investment vs. long-term benefits

Performance Considerations

Bundle Size Impact

Astro: Minimal JS by default, perfect for content sites
Sveltekit: Compiled output, smaller bundles than React equivalents
Next.js: Can be optimized but requires careful configuration
Solid.js: Extremely small bundles, great for performance-critical apps

SEO and Core Web Vitals

SSR/SSG frameworks: Better for SEO and initial page loads
Client-side heavy: May struggle with Core Web Vitals
Hybrid approaches: Best of both worlds (Astro's islands architecture)

Cost and Resource Considerations

Development Speed

Rapid prototyping: Next.js with its extensive ecosystem
Performance optimization: Sveltekit's compiled approach
Content management: Astro's content-focused features

Maintenance Overhead

Large ecosystems: More dependencies but better long-term support
Smaller frameworks: Less bloat but fewer maintenance resources
Community support: Consider long-term sustainability

Security Implications

Framework-Specific Considerations

Next.js: Built-in security features, but larger attack surface
Sveltekit: Smaller attack surface, compiled output reduces XSS risks
Astro: Minimal client-side JS reduces security vulnerabilities
Server-side rendering: Better for sensitive data handling

Strategic Advice

Know your audience: demoing to investors or PMs? Prioritize frontend polish and visible features.
Want to impress engineers? Show off efficient code, performance metrics, and architectural elegance.
Balance is key: Do not neglect backend security even if you're going "all out" on frontend.
Think long-term: Consider maintenance, hiring, and scalability implications.
Start simple: Begin with the framework that matches your team's expertise, optimize later.

Decision-Making Framework

Quick Assessment Questions

Who is your primary audience? (Technical vs. Non-technical)
What's your team's expertise? (React, Vue, or performance-focused)
What's your timeline? (Rapid prototyping vs. long-term maintainability)
What's your budget? (Development speed vs. hiring considerations)
What are your performance requirements? (SEO, Core Web Vitals, bundle size)

Framework Selection Matrix

Priority	Technical Audience	Non-Technical Audience
Performance	Sveltekit, Astro, Solid.js	Next.js, Nuxt
Speed	Sveltekit, Astro	Next.js, Nuxt
Ecosystem	Next.js, React	Next.js, Nuxt
SEO	Astro, Sveltekit	Nuxt, Next.js
Learning Curve	Sveltekit, Astro	Next.js, Nuxt

Migration Strategies

When to Consider Migration

Performance issues: Consider Sveltekit or Astro for content-heavy sites
Team growth: Larger teams might benefit from Next.js ecosystem
SEO requirements: Move to SSR/SSG frameworks
Maintenance burden: Simplify with smaller, focused frameworks

Migration Best Practices

Incremental approach: Use micro-frontends or islands architecture
Feature flags: Gradual rollout to minimize risk
Performance monitoring: Track improvements throughout migration
Team training: Invest in learning resources and workshops

Takeaway

Frameworks are tools, the "best" one is the one that fits your audience, goals, and team strengths. Impressing people is about understanding what they value - and delivering it.

Remember: The framework you choose today will impact your team, hiring, maintenance, and performance for years to come. Choose wisely, but don't let perfect be the enemy of good. Do not be afraid to pivot!

What's your go-to stack for different audiences? Share your experience in the comments!

P.S. If you found this helpful, consider following me for more insights on Backend/Frontend/Infra architecture and team dynamics.

So i built a Security Scanner in TS.

Josef Röyem — Thu, 26 Jun 2025 14:53:01 +0000

Hi everyone! I wanted to talk about something that's been on my mind for a while: I was thinking of making something similar to curl, but more towards security! I was inspired by curl just seemingly running in the terminal "No Strictly Required Dependencies"

The Problem

All of us have either heard or read the stories - data/api key leaks, system breaches/failed encryption, compromised applications. It's not just big companies (Crowdstrike) that get hit. Small projects, personal websites, and that is what matters! The most recent thing was a tweet starting something like "guys, i'm under attack". This was either funny or concerning if you are someone that has or is working/studying in tech.

Why I Built Vibe-Guard

After seeing other projects as well as the guy in the tweet getting compromised and voicing it in public, I realized something: security tools shouldn't be complicated (sorry SNYK). They should help you write better code, not get in your way. So I built Vibe-Guard - a security scanner that works most of the time, because sometimes it decides to be sensitive to certain patterns.

What It Does

Instead of worrying about security, you can focus on building. Vibe-Guard catches common issues before they become problems:

No more accidental API key leaks
No more forgotten security headers
No more SQL injection vulnerabilities

The scanner helps you write more secure code by:

Catching issues early in development
Providing clear, actionable feedback
Learning from real-world security incidents

How it can help you!

Development Workflow

npm install -g vibe-guard
vibe-guard scan /your/project

That's it. No complex setup, no steep learning curve. Just clearer security.

In action it displays like this:

🔍 Security Scan Results
✅ No critical issues found
⚠️ 2 medium issues in auth.ts
   - Line 42: SQL injection risk
   - Line 156: Missing input check

No cryptic messages. Just clear, actionable feedback.

Growing with Your Project

As your project grows, Vibe-Guard grows with you:

Handles projects of any size
Adapts to your tech stack
Learns from your codebase

Important Note

This doesn't mean it's ML or AI - it's just pattern matching and common sense rules.

Getting Started

Install:

npm install -g vibe-guard

Scan:

vibe-guard scan --rules my-rules.json

Check Results:

vibe-guard report --format json

What's Coming

More security checks
Support for more languages
Better IDE integration
Smarter detection
Uploading to more pkg-managers: currently only has a homebrew tap.

Contributing

It's open source on GitHub. If you find bugs or want to add features, PRs are welcome.

Final Thoughts

Security doesn't have to be complicated. Sometimes the simplest tools are the most useful. If you're tired of security tools that get in your way, maybe give this a look.

typescript #security #webdev #programming #opensource