VibeSecPro uses a high-performance regex-based engine to scan your code for security vulnerabilities in real-time. Below is a comprehensive list of the rules currently implemented.
Detection of hardcoded credentials that could lead to unauthorized access if committed to version control.
| ID | Severity | Languages | Message |
|---|---|---|---|
| openai-key | 🔴 Critical | JS, TS, PY | Hardcoded OpenAI API Key detected. |
| aws-access-key | 🔴 Critical | JS, TS, PY | Hardcoded AWS Access Key ID detected. |
| supabase-key | 🔴 Critical | JS, TS, PY | Hardcoded Supabase Key detected. |
| firebase-key | 🔴 Critical | JS, TS, PY | Hardcoded Firebase API Key detected. |
| rsa-private-key | 🔴 Critical | JS, TS, PY | RSA Private Key detected in code. |
| hardcoded-jwt | 🔴 Critical | JS, TS | Hardcoded JWT secret detected. |
Ensures your APIs are not exposed to common network-based attacks.
| ID | Severity | Languages | Message |
|---|---|---|---|
| open-cors | 🟠 High | JS, TS | CORS policy allowing all origins ('*'). |
| missing-rate-limit | 🟠 High | JS, TS | API route potentially missing rate limiting. |
Detection of patterns that allow attackers to inject malicious data into queries or prompts.
| ID | Severity | Languages | Message |
|---|---|---|---|
| sql-injection | 🔴 Critical | JS, TS | Potential SQL Injection via template literals. |
| nosql-injection | 🔴 Critical | JS, TS | Potential NoSQL Injection via direct request input. |
| xss-innerHTML | 🟠 High | JS, TS | Potential XSS via innerHTML assignment. |
| prompt-injection | 🟠 High | JS, TS, PY | Potential AI Prompt Injection risk detected. |
Patterns that use inherently insecure system functions.
| ID | Severity | Languages | Message |
|---|---|---|---|
| js-eval | 🔴 Critical | JS, TS | Dangerous function 'eval()' detected. |
| js-exec | 🔴 Critical | JS, TS | Dangerous function 'child_process.exec()' detected. |
| py-pickle | 🔴 Critical | PY | Dangerous function 'pickle.loads()' detected. |
| py-shell | 🔴 Critical | PY | Subprocess called with 'shell=True' detected. |
Detection of weak cryptographic algorithms or insecure authentication flows.
| ID | Severity | Languages | Message |
|---|---|---|---|
| insecure-md5 | 🟠 High | JS, TS, PY | Weak hash algorithm (MD5) used. |
| insecure-sha1 | 🟠 High | JS, TS, PY | Weak hash algorithm (SHA-1) used. |
| weak-rsa-key | 🟠 High | JS, TS | Weak RSA key length detected (< 2048 bits). |
| insecure-random | 🟡 Medium | JS, TS, PY | Insecure random number generation (Math.random). |
Security risks related to file access and path handling.
| ID | Severity | Languages | Message |
|---|---|---|---|
| path-traversal | 🟠 High | JS, TS, PY | Potential Path Traversal: Direct file system access with user input. |
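To show how a rule table like the ones above turns into a regex-based scan, here is an added example in JavaScript; it is not VibeSecPro's own code, and the five patterns, the `scan` function and the sample inputs are illustrative assumptions modelled on the listed rule IDs.

```javascript
// Added example (not VibeSecPro's code): a minimal regex rule engine shaped
// like the rule tables above. Patterns are illustrative assumptions.
const RULES = [
  { id: "aws-access-key", severity: "Critical", langs: ["js", "ts", "py"],
    pattern: /\bAKIA[0-9A-Z]{16}\b/,
    message: "Hardcoded AWS Access Key ID detected." },
  { id: "js-eval", severity: "Critical", langs: ["js", "ts"],
    pattern: /\beval\s*\(/,
    message: "Dangerous function 'eval()' detected." },
  { id: "open-cors", severity: "High", langs: ["js", "ts"],
    pattern: /Access-Control-Allow-Origin['"]?\s*[:,]\s*['"]\*['"]/,
    message: "CORS policy allowing all origins ('*')." },
  { id: "py-shell", severity: "Critical", langs: ["py"],
    pattern: /subprocess\.\w+\([^)]*shell\s*=\s*True/,
    message: "Subprocess called with 'shell=True' detected." },
  { id: "insecure-md5", severity: "High", langs: ["js", "ts", "py"],
    pattern: /createHash\(\s*['"]md5['"]\s*\)|hashlib\.md5\(/,
    message: "Weak hash algorithm (MD5) used." },
];

// Scan one file line by line, applying only the rules for its language.
// Regex rules are line-local: they miss multi-line constructs and also match
// inside string literals, so the whole-line comment skip is only a crude filter.
function scan(source, lang) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    if (/^\s*(\/\/|#)/.test(text)) return; // whole-line comment: skip
    for (const r of RULES) {
      if (r.langs.includes(lang) && r.pattern.test(text)) {
        findings.push({ rule: r.id, severity: r.severity, line: i + 1, message: r.message });
      }
    }
  });
  return findings;
}

// Constructed sample inputs. The key is AWS's documented example ID, not a real one.
const SAMPLE_JS = [
  'const key = "AKIAIOSFODNN7EXAMPLE";',
  '// eval(userInput) is commented out and must not fire',
  'const out = eval(userInput);',
  "res.setHeader('Access-Control-Allow-Origin', '*');",
  'const h = crypto.createHash("md5");',
].join("\n");
const SAMPLE_PY = [
  'import subprocess, hashlib',
  'subprocess.run(cmd, shell=True)',
  'digest = hashlib.md5(data).hexdigest()',
  'r = eval(expr)  # js-eval is a JS/TS rule, so no finding here',
].join("\n");
for (const f of scan(SAMPLE_JS, "js")) console.log(`js:${f.line} [${f.severity}] ${f.rule}: ${f.message}`);
for (const f of scan(SAMPLE_PY, "py")) console.log(`py:${f.line} [${f.severity}] ${f.rule}: ${f.message}`);
```

The Python sample's `eval(expr)` line shows why the language filter matters: the same text would be a finding in a JS file but is ignored here because `js-eval` is scoped to JS/TS.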
VibeSecPro is optimized for the Vibe Coding generation. Speed + Security.