How it works

From command to fix,
step by step

Here's exactly what happens when you run vibeguard scan .

No magic. No black boxes. Just a straightforward pipeline that turns your code into a prioritized list of things to fix.

The pipeline

Six stages transform your codebase into actionable security insights. Each stage has one job, and does it well.

Step 1

Scan

Run 11 security tools against your codebase. Secrets, dependencies, code patterns, IaC configs - all checked in one command.

Step 2

Normalize

Convert outputs from different tools into a consistent format. Every finding gets the same structure, regardless of which scanner found it.

Step 3

Triage

Suppress noise, deduplicate, and surface only findings that matter. This is where 500 warnings become 5 real problems.

Step 4

Report

Generate a score (0-100), a grade (A-F), and output in your format of choice: terminal, JSON, HTML, or SARIF.

Step 5

Patch

Generate a unified diff for each finding using your LLM provider. The diff is saved locally for you to review before anything changes.

Step 6

Apply

Apply the diff with git safety checks. Dry-run first, revert if needed. No auto-merges, no surprise commits.

What is a "finding"?

A finding is when a scanner detected something worth your attention: a risky pattern, a vulnerable dependency, a misconfiguration, or an exposed secret.

Every finding includes the same information, no matter which tool discovered it:

Location

File path and line number

Severity

Critical, High, Medium, or Low

Description

Plain-English explanation of the issue

Source

Which scanner found it

Examples of findings

Secret
critical

AWS access key hardcoded in config.py

Dependency
high

pyyaml 5.3.1 has a known deserialization bug

Code Pattern
high

SQL query built with string concatenation

Misconfiguration
medium

Dockerfile runs as root user

How triage works

Running 11 scanners can produce hundreds of results. Triage filters that down to what actually matters.

You don't need 500 warnings.

You need 5 real problems.

What triage does:

Deduplicates: If three scanners find the same secret, you see it once.
Suppresses noise: Low-confidence findings and known false positives get filtered out.
Prioritizes: Critical findings (like exposed secrets) rise to the top.
Respects baselines: If you've marked something as 'accepted risk,' it won't keep nagging you.

From finding to fix

Once triage surfaces the real problems, two commands handle the rest: patch generates a fix, and apply puts it into action. Neither changes anything without your say-so.

What patch does

  • Generates a unified diff you can review
  • Uses your LLM provider with your API key
  • Validates the diff syntax before saving
  • Adds "manual review required" markers when uncertain

What patch doesn't do

  • Does not auto-merge or auto-commit
  • Does not open pull requests
  • Does not run tests automatically
  • Does not change your files without explicit apply
Example: finding-001.diff
@@ -12,7 +12,7 @@ config.py
- API_KEY = 'sk-live-abc123xyz789'
+ API_KEY = os.environ.get('API_KEY')

@@ -1,4 +1,5 @@
+ import os
  from flask import Flask

How apply works

1

Git safety check

Verifies you have a clean working tree and the file hasn't changed since the scan.

2

Dry-run preview

Shows exactly what will change before applying. You can abort here if something looks wrong.

3

Apply patch

Applies the diff using standard patch tooling. Creates a backup automatically.

4

Verification

Confirms the patch was applied correctly. If not, suggests next steps.

Need to undo? Run vibeguard apply --revert to roll back the last applied patch.

See it in action

Install VibeGuard and run your first scan in under a minute. No account required.

pip install vibeguard-cli