DEV Community

wd400
wd400

Posted on

I code-reviewed 3 "vibe-coded" PRs last week. Every one had hardcoded API keys. So I built a grader.

#showdev #opensource #javascript #python

"Vibe coding" is everywhere. You prompt an AI, it writes your whole project, you ship it.

Last week I reviewed 3 PRs from vibe-coded projects. All three had hardcoded API keys in the source. Two had no tests. One had a raw eval() on user input.

So I built vibescore.

What it does 

pip install vibescore
vibescore .
Enter fullscreen mode Exit fullscreen mode

One command. Letter grade from A+ to F. Four dimensions:

Category What it checks
Security Hardcoded secrets, SQL injection, eval/exec, insecure defaults
Code Quality Function length, complexity, nesting depth, type hint coverage
Dependencies Pinning, lock files, deprecated packages, known CVEs
Testing Test count vs LOC ratio, coverage setup, CI configuration

Example output 

vibescore v0.4.0 — Project Report
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  Security     B+  (no hardcoded secrets, 2 eval() calls found)
  Code Quality C   (4 functions >50 lines, low type hint coverage)
  Dependencies A-  (all pinned, lock file present)
  Testing      D   (3 tests for 2,400 LOC)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  OVERALL      C+
Enter fullscreen mode Exit fullscreen mode

Supported languages

  • Python (AST-based analysis)
  • JavaScript/TypeScript (regex-based)
  • Rust (VC221-VC227: unwrap density, unsafe blocks, doc comments, clone detection)
  • Go (VC231-VC237: unchecked errors, goroutine leaks, naked returns, panic in library code)

Extra features

  • vibescore --init-ci — generates a GitHub Actions workflow
  • vibescore --watch — re-scans on file changes in real-time
  • vibescore --dashboard — historical grade tracking (Streamlit web UI)
  • vibescore --save-history — save scan results for trend analysis
  • Zero dependencies. 201 tests.

Comparison

  • SonarQube: requires a Java server, complex setup, enterprise pricing
  • Codacy/CodeClimate: SaaS, requires account, sends code to servers
  • pylint/ruff: lint rules only, no security/testing/dependency analysis, no single grade
  • vibescore: one pip install, one command, local-only, zero deps, covers 4 dimensions with a letter grade

GitHub: github.com/stef41/vibescore
PyPI: pypi.org/project/vibescore

Feedback welcome — especially ideas for new check categories or language support.

Top comments (0)