Scanners

What gets checked

Hardcoded secrets, vulnerable dependencies, dangerous code patterns, cloud misconfigurations, and more. No single tool catches everything, so VibeGuard runs multiple scanners and gives you one unified result.

No config required. We detect your stack and run the right scanners automatically.

The tools under the hood

Each tool → what it catches → example finding.

Core (5 tools). Run on every scan, regardless of project type.

- Semgrep: Dangerous code patterns (e.g., SQL injection, command injection, XSS)
- Gitleaks: Hardcoded secrets (e.g., API keys, tokens, passwords in code)
- Trivy: Vulnerable dependencies (e.g., known CVEs in your packages)
- Bandit: Python security issues (e.g., unsafe eval(), weak crypto, injection)
- TruffleHog: Secrets in git history (e.g., keys committed then deleted)

Ecosystem (3 tools). Run when we detect specific package managers.

- npm-audit: Node.js vulnerabilities (e.g., security advisories in node_modules)
- pip-audit: Python vulnerabilities (e.g., security advisories in pip packages)
- cargo-audit: Rust vulnerabilities (e.g., security advisories in Cargo crates)

IaC & Containers (2 tools). Run when we detect infrastructure configuration.

- Checkov: Cloud misconfigurations (e.g., open S3 buckets, missing encryption)
- Dockle: Dockerfile issues (e.g., running as root, missing healthcheck)

Experimental (1 tool). Opt-in scanners for advanced use cases.

- Nuclei: Runtime vulnerabilities (e.g., DAST scanning of running services)

Smart detection

How we know which scanners to run

VibeGuard looks at your project structure and decides which scanners make sense. No config file required.

If we find...                         We run...
package.json                          npm-audit
requirements.txt or pyproject.toml    pip-audit + Bandit
Cargo.toml                            cargo-audit
Dockerfile                            Dockle
*.tf files                            Checkov
.git directory                        TruffleHog (history scan)

Always run: Gitleaks, Semgrep, and Trivy run on every scan regardless of project type - they work on any codebase.
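The selection logic above can be reconstructed from the table as a small set of marker-file rules. The following is an added illustration, not VibeGuard's own code: the scanner name strings, the decision to check manifests at the project root only (while matching *.tf files recursively, since the table says "files" rather than naming one), and the sample project layout are all assumptions made for the example.

```python
"""Illustrative stack detection: map marker files to scanners (hypothetical, not VibeGuard's code)."""
from pathlib import Path
import tempfile

# Assumed scanner identifiers; the three that the page says always run.
ALWAYS_RUN = ("gitleaks", "semgrep", "trivy")

# Marker -> scanners, transcribed from the page's table. Each predicate takes the project root.
# Assumption: manifests are looked for at the root only; *.tf is matched anywhere in the tree.
RULES = [
    (lambda r: (r / "package.json").is_file(), ("npm-audit",)),
    (lambda r: (r / "requirements.txt").is_file() or (r / "pyproject.toml").is_file(),
     ("pip-audit", "bandit")),
    (lambda r: (r / "Cargo.toml").is_file(), ("cargo-audit",)),
    (lambda r: (r / "Dockerfile").is_file(), ("dockle",)),
    (lambda r: any(r.rglob("*.tf")), ("checkov",)),
    (lambda r: (r / ".git").is_dir(), ("trufflehog",)),
]


def select_scanners(project_root):
    """Return the sorted list of scanners to run for the project at `project_root`."""
    root = Path(project_root)
    chosen = set(ALWAYS_RUN)
    for matches, scanners in RULES:
        if matches(root):
            chosen.update(scanners)
    return sorted(chosen)


def select_for_layout(layout):
    """Build a throwaway project from `layout` (relative path -> file text, or None for a
    directory) inside a temp dir and return the scanners that would be selected for it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in layout.items():
            target = root / rel
            if content is None:
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(content)
        return select_scanners(root)


# Constructed sample: a Python service with a Dockerfile, Terraform under infra/, and a git checkout.
SAMPLE_LAYOUT = {
    "pyproject.toml": '[project]\nname = "demo"\n',
    "Dockerfile": "FROM python:3.12-slim\n",
    "infra/main.tf": 'provider "aws" {}\n',
    ".git": None,
}

if __name__ == "__main__":
    print(select_for_layout(SAMPLE_LAYOUT))
    print(select_for_layout({"README.md": "no markers here\n"}))
```

A project with no recognised markers still gets the three always-run scanners, which is the behaviour the "Always run" note describes. Whether nested manifests in a monorepo should also trigger ecosystem scanners is not stated on the page, so this example leaves that decision explicit in the predicates rather than guessing.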

Signal over noise

You don't need 500 warnings

You need 5 real problems.

Running 11 scanners produces a lot of raw output. VibeGuard's triage system turns that into something useful:

- Deduplication: If Gitleaks and TruffleHog both find the same secret, you see it once - not twice.
- Confidence filtering: Low-confidence findings (regex-based guesses, unlikely patterns) get suppressed.
- Severity ranking: Critical issues (leaked production keys) surface above minor ones (informational).
- Context awareness: A 'secret' in a test file with 'example' in the name? Probably not real.

The result: instead of scrolling through hundreds of scanner warnings, you get a short list of things that actually need attention.
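The four triage steps above can be shown end to end on a handful of constructed findings. This is an added example, not VibeGuard's triage implementation: the `Finding` shape, the fingerprint used for deduplication (rule + path + line), the 0.5 confidence cutoff, the test-path heuristic, and the sample findings are all assumptions made for the illustration. Note that the context-awareness step downgrades rather than drops a finding, so a reviewer can still see it.

```python
"""Toy triage pipeline: dedupe, confidence-filter, context-downgrade, severity-rank.
Hypothetical illustration of the four steps the page lists; not VibeGuard's code."""
from dataclasses import dataclass, field, replace
import re

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
MIN_CONFIDENCE = 0.5  # assumed cutoff; the page gives no number

# Assumed heuristic for "test context": a tests/fixtures directory or 'example' in the path.
TEST_PATH = re.compile(r"(^|/)(tests?|__tests__|fixtures?)(/|$)")


@dataclass
class Finding:
    tool: str            # scanner that reported it
    rule: str            # rule id, e.g. "aws-access-key"
    path: str
    line: int
    severity: str        # one of SEVERITY_ORDER
    confidence: float    # 0..1, normalised from the tool's own scale
    sources: list = field(default_factory=list)  # all tools that reported this finding
    note: str = ""


def fingerprint(f):
    """Same rule at the same location is the same finding, whichever tool reported it."""
    return (f.rule, f.path, f.line)


def is_test_context(path):
    p = path.lower()
    return bool(TEST_PATH.search(p)) or "example" in p


def triage(findings):
    # 1. Deduplication: merge findings with the same fingerprint, keeping the best confidence.
    merged = {}
    for f in findings:
        key = fingerprint(f)
        if key in merged:
            kept = merged[key]
            kept.sources.append(f.tool)
            kept.confidence = max(kept.confidence, f.confidence)
        else:
            merged[key] = replace(f, sources=[f.tool])  # copy; do not mutate the input

    result = []
    for f in merged.values():
        # 2. Confidence filtering: drop regex-style guesses below the cutoff.
        if f.confidence < MIN_CONFIDENCE:
            continue
        # 4. Context awareness: a high-severity hit in test/example code is probably not real.
        if is_test_context(f.path) and f.severity in ("critical", "high"):
            f.severity = "low"
            f.note = "downgraded: test/example context"
        result.append(f)

    # 3. Severity ranking: critical first, then by confidence, then a stable location order.
    result.sort(key=lambda f: (SEVERITY_ORDER[f.severity], -f.confidence, f.path, f.line))
    return result


# Constructed sample findings (not real output from any scanner).
SAMPLE_FINDINGS = [
    Finding("gitleaks", "aws-access-key", "src/config.py", 12, "critical", 0.90),
    Finding("trufflehog", "aws-access-key", "src/config.py", 12, "critical", 0.95),
    Finding("semgrep", "sql-injection", "src/db.py", 40, "high", 0.80),
    Finding("gitleaks", "generic-api-key", "tests/fixtures/example_keys.py", 3, "critical", 0.70),
    Finding("semgrep", "generic-secret-regex", "src/util.py", 8, "medium", 0.30),
    Finding("bandit", "weak-md5", "src/hash.py", 5, "medium", 0.60),
]


def run_demo():
    return triage(SAMPLE_FINDINGS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.severity:8} {f.rule:22} {f.path}:{f.line}  via {','.join(f.sources)}  {f.note}")
```

Six raw findings become four: the two reports of the same AWS key collapse into one entry that lists both tools, the 0.30-confidence regex guess is suppressed, and the key in the test fixture survives but sinks to the bottom of the list.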

See what the scanners find

Run your first scan in under a minute. No account required.

pip install vibeguard-cli