v3.1.16 — 390 rules, 36 tools

Security scanner that
lives in your AI agent

MCP-native security for vibecoding. Scans code as you write it inside Claude Code, Cursor, Codex, Gemini CLI, and more. 390 rules, 36 tools, zero setup, 100% local.

$npx guardvibe init

GitHub npm Docs

Origin Story

Why we built GuardVibe

We're GokLab. We've been vibe coding for 9 months — shipping real products with Claude Code, Cursor, and other AI agents.

In that time, we noticed a pattern: every project we scanned had recurring security holes. Hardcoded keys. Broken auth flows. Missing input validation. SQL injection patterns the AI kept regenerating in slightly different forms. Generic SAST tools didn't catch them — they were built for traditional codebases, not for the way AI agents actually write code.

So we built GuardVibe. Stack-aware rules. MCP-native, so it works with any AI agent — not locked to one platform. 100% local, no accounts, no API keys.

Three weeks after we shipped it, Claude was compromised in a security incident. People started asking:

“How do I trust the code my AI just wrote?”

GuardVibe was already there.

12K+ organic installs in 30 days. Zero marketing. Zero tweets. Just developers searching npm for “vibe coding security” and finding it.

This is the security layer vibe coding needed. Built by a team that lives the problem every day.

— GokLab@goklab_com

Star on GitHub Get notified about Pro

npm-stats — 30d

$ npm stats guardvibe --period 30d

  downloads      12,147
  marketing      0
  tweets         0
  accounts req   0

→ 405 organic installs/day

Timeline

9 mostarted vibe coding daily
3 monoticed AI regenerates the same vulns
2 mofirst GuardVibe release shipped
3 wkClaude security incident — demand spiked
now12K+ installs, growing organically

390

Security Rules

MCP Tools

Rule Modules

10+

Languages

Control Frameworks

Config Required

How it works

Five steps to secure vibecoding

Install

30 seconds

Pick your platform. No accounts, no API keys, no config files.

$npx guardvibe init claude

Code with AI

you write code

Write code with your AI assistant as usual. Claude Code, Cursor, Gemini CLI, VS Code, Codex, or Windsurf — your choice.

// Your AI assistant writes code as usual

Auto-scan

background

GuardVibe automatically scans every file in the background. No manual triggers needed — your agent calls the tools for you.

// GuardVibe: scanning 47 files...

See results

instant feedback

Vulnerabilities surface immediately with severity, location, and auto-fix suggestions. Your AI agent can apply fixes inline.

GuardVibe: 3 issues found (1 CRITICAL). Fixing...

Ship secure

grade A

Pre-commit hooks, CI/CD integration, and compliance control mapping ensure nothing slips through. Ship with confidence.

Grade: A (97/100) — 0 vulnerabilities

Features

Everything you need for secure AI development

MCP-Native

Runs inside your AI agent via Model Context Protocol. No separate tool, no context switching.

Auto-Fix

AI-powered fix suggestions that your agent can apply immediately. One command to fix all auto-fixable issues.

Stack-Aware

390 rules across 25 modules covering Next.js, Supabase, Clerk, Stripe, Prisma, Drizzle, tRPC, Hono, GraphQL, and more.

Pre-Commit Hooks

Catch vulnerabilities before they enter your repo. Installs git hooks with a single command.

CI/CD Ready

SARIF export for GitHub Advanced Security. GitHub Actions workflow generation built-in.

Compliance Mapping

Map security findings to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, and EU AI Act controls. Helps identify code issues relevant to compliance — not a substitute for professional audits.

Plugin System

Community and premium rule packs. Extend GuardVibe with custom rules for your stack.

Secret Scanning

Detect hardcoded API keys, tokens, and credentials. Cross-file taint analysis tracks data flow across modules.

Security Dashboard

Track cumulative scan stats, vulnerability fix rate, and security grade trend over time. All data stored locally.

AI Host Security

guardvibe doctor audits your IDE/MCP config for CVE-2025-59536 and CVE-2026-21852 — hook injection and API key exfiltration risks across Claude, Cursor, VS Code, Gemini, and Windsurf.

Inline Suppress

Per-line // guardvibe-ignore VG001 silences accepted findings without disabling the rule project-wide. Audited and reviewable.

Taint Analysis

Cross-file dataflow tracking with sanitizer recognition (DOMPurify, escape functions, parameterized queries) to surface real injection sinks — not noise.

Ecosystem

Stack-aware security rules

Dedicated rules for every framework and service in your stack. Not generic linting — real security patterns.

Next.js

Supabase

Clerk

Stripe

Prisma

Drizzle

tRPC

Hono

GraphQL

Turso

Convex

Firebase

Uploadthing

React Native

Expo

Docker

Terraform

GitHub Actions

Cloudflare

Resend

Upstash

PostHog

AI SDK

Live Demo

See it in action

Real scan output from a Next.js + Supabase project. Findings categorized by severity with auto-fix suggestions.

guardvibe — ~/my-project

Integrations

Works with every AI agent

One command to set up. GuardVibe registers as an MCP server and your AI agent gets 36 security tools automatically.

Registers as MCP server in Claude Code settings

$npx guardvibe init claude

Comparison

Not your typical scanner

Feature	GuardVibe	SAST Tools	Dep Scanners
Scans during development
MCP-native (AI agent integration)
CLI + MCP dual interface
Stack-specific rules (390)
Auto-fix suggestions
Zero configuration
Secret scanning
Cross-file taint analysis
Auth coverage mapping
CI/CD integration
Compliance mapping (SOC2, GDPR, ...)
100% local execution
Pre-commit hooks
CVE version intelligence
AI host security audit
Deterministic results (hash)
Plugin ecosystem

Before / After

Catch real vulnerabilities

GuardVibe detects stack-specific security issues that generic linters miss.

Vulnerable

// api/users/route.ts
export async function GET(req: Request) {
  const { searchParams } = new URL(req.url);
  const id = searchParams.get("id");

  // SQL Injection — user input directly
  // interpolated in query string
  const user = await db.query(
    `SELECT * FROM users WHERE id = '${id}'`
  );

  // XSS — unsanitized data in response
  return new Response(
    `<h1>${user.name}</h1>`
  );
}

Fixed by GuardVibe

// api/users/route.ts
export async function GET(req: Request) {
  const { searchParams } = new URL(req.url);
  const id = searchParams.get("id");

  // Parameterized query prevents
  // SQL injection
  const user = await db.query(
    "SELECT * FROM users WHERE id = $1",
    [id]
  );

  // Return JSON instead of raw HTML
  return Response.json({
    name: user.name,
  });
}

Dogfooding

GuardVibe scans itself

We run GuardVibe on its own codebase. GuardVibe caught a HIGH severity ReDoS vulnerability in its own policy-check.ts — a regex injection risk that was missed during code review.

guardvibe — ~/guardvibe

$ guardvibe scan_directory src/
  Files scanned: 64
  Scan duration: 102ms
  Grade: B (89/100)

  [HIGH] ReDoS via User-Controlled RegExp (VG107)
    File: src/tools/policy-check.ts:47
    Fix: escape regex metacharacters before passing to RegExp constructor

The vulnerability was fixed in the same session. This is exactly the workflow GuardVibe enables: catch what humans miss, fix before it ships.

Open source. Always.

Apache 2.0 licensed. npm provenance verified. Only 2 dependencies.

Built by GokLab for the vibecoding community.

Star on GitHub View on npm Gemini CLI Extensions

Search for "guardvibe" on the Gemini CLI Extensions page to find us.

Security scanner thatlives in your AI agent