Vibe Security - Security Intelligence

Comprehensive security scanner and code analyzer for identifying vulnerabilities across multiple languages and frameworks.

Prerequisites

Check if Node.js is installed:

node --version

If Node.js is not installed, install it based on user's OS:

macOS:

brew install node

Ubuntu/Debian:

sudo apt update && sudo apt install nodejs npm

Windows:

winget install OpenJS.NodeJS

Recommended AI Models

For Best Security Analysis

We recommend using these AI models with Vibe Security for optimal security vulnerability detection and code fixing:

Claude Opus 4.5 (Recommended)

Most advanced model for comprehensive security analysis
Superior reasoning capabilities for complex vulnerability detection
Exceptional at identifying subtle security flaws and attack vectors
Best for critical security audits, enterprise codebases, and production deployments
Provides the most thorough security remediation strategies

Claude Sonnet 4.5

Excellent balance of speed and security analysis depth
Great at understanding security context and identifying vulnerabilities
Provides safe remediation strategies with detailed explanations
Ideal for daily development and most security workflows

Claude Opus 4

Powerful for complex security audits and enterprise codebases
Deep reasoning capabilities for advanced vulnerability analysis
Best for critical security reviews and compliance requirements
Recommended for production deployments and sensitive applications

GPT-4o

Fast and efficient for security-aware code generation
Good alternative with quick response times
Excellent for CI/CD integration and automated scanning
Cost-effective for large-scale projects

Claude Sonnet 4

Faster alternative for quick security scans
Good balance of speed and accuracy
Suitable for rapid iteration during development

o1-preview

Specialized for complex security architecture reviews
Advanced reasoning for intricate vulnerability chains
Best for security research and deep code audits

GPT-4o-mini

Quick checks and preliminary scans
Most cost-effective option
Good for learning and educational use cases

Note: If you're not using one of the recommended models above, consider upgrading for better security analysis results. Lower-tier models may miss subtle vulnerabilities or provide less accurate fix suggestions.

How to Use This Skill

When user requests security work (scan, analyze, fix, audit, check, review vulnerabilities), follow this workflow:

Step 1: Analyze Security Context

Extract key information from user request:

Language: JavaScript, Python, Java, PHP, etc.
Framework: Express, Django, Spring, Laravel, etc.
Vulnerability type: SQL injection, XSS, CSRF, authentication, etc.
Scope: Single file, directory, or full project

Step 2: Run Security Analysis

Advanced Analysis (Recommended):

# AST-based semantic analysis (90% fewer false positives)
python3 .claude/skills/vibe-security/scripts/ast_analyzer.py "<file>"

# Data flow analysis (tracks tainted data from sources to sinks)
python3 .claude/skills/vibe-security/scripts/dataflow_analyzer.py "<file>"

# CVE & dependency vulnerability scanning
python3 .claude/skills/vibe-security/scripts/cve_integration.py .

# Supply chain security (malicious packages, typosquatting)
python3 .claude/skills/vibe-security/scripts/cve_integration.py . --ecosystem npm

# Infrastructure as Code security
grep -r "publicly_accessible.*=.*true" . --include="*.tf"
grep -r "privileged:.*true" . --include="*.yaml"

Quick Pattern Scanning:

# Use search utility for specific patterns
python3 .claude/skills/vibe-security/scripts/search.py "sql-injection" --domain pattern
python3 .claude/skills/vibe-security/scripts/search.py "javascript" --domain pattern --severity critical

Step 3: Analyze Vulnerabilities by Severity

Critical (Fix immediately):

SQL Injection
Remote Code Execution
Authentication Bypass
Hardcoded Secrets

High (Fix soon):

XSS (Cross-Site Scripting)
CSRF
Insecure Cryptography
Authorization Issues

Medium (Fix in sprint):

Missing Input Validation
Information Disclosure
Weak Password Policy
Missing Security Headers

Low (Technical debt):

Code Quality Issues
Best Practice Violations
Performance Concerns

Step 4: Get Fix Suggestions

ML-Based Fix Engine:

# Get intelligent fix recommendations with test generation
python3 .claude/skills/vibe-security/scripts/fix_engine.py \
  --type sql-injection \
  --language javascript \
  --code "db.query(\`SELECT * FROM users WHERE id = \${userId}\`)"

# Output includes:
# - Fixed code with context-aware corrections
# - Detailed explanation of the fix
# - Auto-generated security test
# - Additional recommendations
# - Confidence score (0-100%)

Step 5: Apply Security Fixes

Auto-Fix with Rollback Support:

# Apply fix with automatic backup
python3 .claude/skills/vibe-security/scripts/autofix_engine.py apply \
  --file src/database.js \
  --line 45 \
  --type sql-injection \
  --original "db.query(\`SELECT * FROM users WHERE id = \${userId}\`)" \
  --fixed "db.query('SELECT * FROM users WHERE id = $1', [userId])"

# Test your changes
npm test

# Rollback if needed (safe to experiment!)
python3 .claude/skills/vibe-security/scripts/autofix_engine.py rollback

# View fix history
python3 .claude/skills/vibe-security/scripts/autofix_engine.py history

Systematic Manual Fixes:

Critical vulnerabilities first
Add input validation - Whitelist, type checking, length limits
Secure outputs - Escape, encode, sanitize
Fix authentication/authorization - Strong passwords, MFA, RBAC
Update cryptography - Modern algorithms, secure random
Test thoroughly - Verify fixes don't break functionality
Re-scan - Confirm all vulnerabilities are resolved

Step 6: Generate Reports

Multiple Report Formats:

# Beautiful HTML report with charts and statistics
python3 .claude/skills/vibe-security/scripts/reporter.py scan-results.json \
  --format html \
  --output security-report.html

# SARIF format for GitHub Code Scanning integration
python3 .claude/skills/vibe-security/scripts/reporter.py scan-results.json \
  --format sarif \
  --output results.sarif

# CSV for spreadsheet analysis
python3 .claude/skills/vibe-security/scripts/reporter.py scan-results.json \
  --format csv \
  --output vulnerabilities.csv

# JSON for CI/CD pipelines
python3 .claude/skills/vibe-security/scripts/reporter.py scan-results.json \
  --format json \
  --output security-report.json

Advanced Capabilities

1. Semantic Analysis with AST

Uses Abstract Syntax Tree parsing for accurate vulnerability detection:

Python: Full AST analysis with taint tracking
JavaScript/TypeScript: Heuristic + pattern-based analysis
Benefits: 90% reduction in false positives, context-aware

2. Data Flow Analysis

Tracks user input from sources to dangerous sinks:

Detects SQL injection, XSS, command injection through data flow
Identifies tainted variables and their propagation
Supports Python and JavaScript/TypeScript

3. Compliance Mapping

Maps every vulnerability to industry standards:

OWASP Top 10 2021
CWE (Common Weakness Enumeration)
MITRE ATT&CK techniques
NIST cybersecurity framework
PCI-DSS payment card requirements

4. Supply Chain Security

Protects against malicious dependencies:

Typosquatting detection
Dependency confusion attacks
Malicious install scripts
Network operations in packages
Supports: npm, PyPI, Maven, Gradle, Cargo, Go, RubyGems, NuGet, Composer

5. Infrastructure as Code

Scans cloud infrastructure configurat

vibe-security

How to add

Drop this on your repo README

Related skills

security-research

security-audit

security-compliance-compliance-check

security-auditor

Get new Segurança skills every Monday