Documentation

VibeGuard Docs

Everything you need to scan, triage, and fix security issues. Time to first successful scan: under 5 minutes.

pip install vibeguard-cli

Quick Start

1. Install

pip install vibeguard-cli

2. Run your first scan

vibeguard scan .

3. See the report

vibeguard report --format html

Documentation sections

Pick a topic or scroll down for the full reference.

Getting Started

Install VibeGuard and run your first scan

Installation
First Scan
Understanding Reports

Commands

Reference for all CLI commands

doctor
init
scan
fix
patch
apply
baseline
keys
auth

CI Integration

Set up VibeGuard in your pipeline

Concepts

Understand how VibeGuard works

Findings
Baselines
SARIF

Installation

Requirements

• Python 3.9 or higher
• pip (Python package manager)
• Git (for baseline features)

Install with pip

pip install vibeguard-cli

Or download installer (no Python needed)

Windows Installer (.exe)macOS Installer (.pkg)

Portable: Windows (.zip)Portable: macOS (.tar.gz)Portable: Linux (.tar.gz)

Installers add vibeguard to PATH and create shortcuts. Auto-updated with each release.

Verify installation

vibeguard --version

Check scanner availability

vibeguard doctor

This checks which scanners are available on your system and suggests how to install any missing ones.

macOS

Works out of the box. Some scanners may need Homebrew packages.

Linux

Works on most distributions. Docker recommended for container scanning.

Windows

Requires Python from python.org. WSL recommended for best experience.

vibeguard doctor

What it does

Checks which security scanners are available on your system and tells you how to install any missing ones. Think of it as a health check for your VibeGuard setup.

When to use it

• Right after installing VibeGuard
• When a scan reports missing scanners
• After upgrading or changing your environment

Examples

vibeguard doctor

List all scanners and their status (installed / missing)

vibeguard doctor --fix

Auto-install missing tools where possible

vibeguard init

What it does

Creates a .vibeguard config file in your project root. This file controls which scanners run, severity thresholds, and ignore rules so every team member gets the same results.

When to use it

• When starting VibeGuard on a new project
• When you want to customize scanner settings
• When setting up CI with a specific preset

Examples

vibeguard init

Create a default config interactively

vibeguard init --preset strict

Use strict preset (all scanners, fail on medium+)

vibeguard init --preset ci

Use CI preset (optimized for pipeline speed)

vibeguard scan

What it does

Runs all applicable security scanners against your codebase and outputs a unified report with scores and findings.

When to use it

• Before committing new code
• In CI pipelines to gate merges
• After pulling in AI-generated code

Examples

vibeguard scan .

Scan current directory

vibeguard scan . --format sarif --output results.sarif

Output SARIF for GitHub Code Scanning

vibeguard scan . --baseline

Compare against existing baseline (only show new findings)

vibeguard scan . --scanners secrets,deps

Run only specific scanners

Output formats

Terminal (default)

JSON

HTML

SARIF

vibeguard fix

What it does

Generates copy-paste prompts you can use with any LLM (ChatGPT, Claude, etc.) to fix your findings manually. For each issue, VibeGuard writes a prompt that includes the relevant code context and a clear description of the vulnerability.

When to use it

• On the free tier (no API key needed)
• When you want full control over the fix
• When you prefer using your own LLM chat interface

Examples

vibeguard fix

Generate fix prompts for all findings

vibeguard fix --finding-id VG-001

Generate a fix prompt for a specific finding

Tip: This is the free alternative to patch. Instead of generating diffs automatically, it gives you prompts to paste into your LLM of choice. You review the output, you apply the change. No API key required.

vibeguard patch & apply

vibeguard patch

Generates a unified diff that fixes the findings from your last scan. Requires a Pro license and an LLM API key.

vibeguard patchvibeguard patch --model gpt-4ovibeguard patch --finding-id VG-001

vibeguard apply

Applies the generated patch to your codebase. Includes safety checks: verifies git status, creates backup, runs validation.

vibeguard applyvibeguard apply --dry-run

Note: Patch and apply are Pro features. You bring your own LLM key (OpenAI, Anthropic, etc.) and pay the provider directly. We don't mark up API costs.

vibeguard baseline

What it does

Manages your baseline - a snapshot of known findings that you can track separately from new issues. Essential for adopting VibeGuard on existing codebases.

Commands

vibeguard baseline create

Snapshot current findings as the baseline

vibeguard baseline show

Show what's in the current baseline

vibeguard baseline update

Update baseline after fixing issues

vibeguard baseline clear

Remove the baseline file

vibeguard keys

What it does

Manages the LLM API keys used for patch generation. Keys are stored locally on your machine and never sent to VibeGuard servers. You bring your own key (BYOK) and pay the LLM provider directly.

When to use it

• Before running vibeguard patch for the first time
• When switching between LLM providers
• When rotating or removing API keys

Examples

vibeguard keys set openai

Store your OpenAI API key (prompts for key securely)

vibeguard keys set anthropic

Store your Anthropic API key

vibeguard keys list

See which providers have keys configured

vibeguard keys remove openai

Remove a stored key

BYOK: You bring your own API key and pay the LLM provider directly. VibeGuard never sees your key or marks up API costs.

vibeguard auth

What it does

Manages your Pro license authentication. Activate your license, check its status, or log out. Required for the patch and apply commands.

When to use it

• After purchasing a Pro license
• To check your current license status
• When switching accounts or machines

Examples

vibeguard auth login

Activate your Pro license (opens browser for verification)

vibeguard auth status

Check if you're logged in and your license tier

vibeguard auth logout

Log out and remove stored credentials

Note: A Pro license is required for the patch and apply commands. Scanning, fix prompts, baselines, and CI integration are all free.

Concepts

What is a "finding"?

A finding is a potential security issue detected by one of VibeGuard's scanners. It could be a hardcoded secret, a vulnerable dependency, a risky code pattern, or a misconfiguration.

Each finding includes:

• Severity: Critical, High, Medium, Low
• Location: File path and line number
• Description: What was found
• Source: Which scanner detected it
• Recommendation: How to fix it

What is a "baseline"?

A baseline is a snapshot of findings at a point in time. When you scan with --baseline, VibeGuard only reports findings not in the baseline - so you see new issues, not legacy ones.

Use baselines when adopting VibeGuard on an existing codebase. You can track legacy issues separately while ensuring new code doesn't introduce more problems.

What is "SARIF"?

SARIF (Static Analysis Results Interchange Format) is a standard JSON format for static analysis output. It's supported by GitHub, Azure DevOps, and other platforms.

When you output SARIF with --format sarif, you can upload the results to GitHub Code Scanning. Findings appear in the Security tab and as inline comments on PRs.

Learn more about GitHub SARIF support →

Troubleshooting

vibeguard: command not found

Make sure your Python scripts directory is in your PATH. On Windows, you may need to restart your terminal. Try running with python -m vibeguard scan . instead.

Scanner X is not available

Run vibeguard doctor to see which scanners are missing and how to install them. Some scanners require additional system dependencies.

Scan is very slow

Try excluding large directories with --exclude node_modules,dist,.git. You can also run specific scanners with --scanners secrets,deps instead of all 11.

SARIF upload fails

Make sure you're using --format sarif (not --format json). Check that the file path in your GitHub Action matches the --output path.

Patch generates incorrect fix

Patches are AI-generated and should always be reviewed. You can regenerate with a different model using --model, or manually edit the diff file before applying.

Need help?

Can't find what you're looking for? Check the GitHub repo for issues and discussions, or reach out directly.

Report an issue•Ask a question•Email support