Simple by design

Paste. Scan. Fix.

VibeScan lives inside your AI assistant. No IDE plugins, no CI configs, no new tools to learn.

1. Submit your code

In Claude, type: "Scan this code for security issues" and paste your code. In ChatGPT, use the VibeScan GPT. Or call the REST API directly with curl.

You can submit a code snippet (paste), a .zip archive (upload), or a GitHub repo URL. Public and private repos supported.

> Scan this code for security issues:
>
> const db_url = "postgresql://admin:p4ssw0rd@prod:5432/app";
> app.get('/user', (req, res) => {
>   db.query("SELECT * FROM users WHERE id = '" + req.params.id + "'");
> });
> app.use(cors());

2. VibeScan runs 10 pipeline stages

Your code enters an ephemeral container. Five scanning engines run in parallel. Code is deleted the moment the scan finishes.

1. Prepare workspace
2. Inventory files + languages
3. Gitleaks secret scan
4. Betterleaks entropy scan
5. Opengrep SAST analysis
6. Dependency CVE lookup
7. Hallucinated package check
8. AI pattern analysis
9. Deduplicate + score
10. Cleanup workspace

3. Your AI explains every finding

VibeScan returns structured JSON — severity, category, evidence, remediation hints. Claude or ChatGPT reads it and translates it into plain English. Ask for fixes and it writes them.

🔴 CRITICAL — Hardcoded database password

Line 1 of your code contains a PostgreSQL connection string with a plaintext password. If this file is committed to a repository, anyone with access can connect to your production database.

Fix: Move the connection string to an environment variable:

const db_url = process.env.DATABASE_URL;
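
Beyond the hardcoded password, the sample snippet also concatenates `req.params.id` into the SQL string and calls `cors()` with no options, which allows any origin. The block below is an added example of a hardened form, not VibeScan output or code from this page; the function names, the `ALLOWED_ORIGINS` variable, the `/user/:id` route and the numeric-id rule are assumptions.

```javascript
// Hardened form of the sample snippet (added example; helper names are hypothetical).

// 1. Secret: read the connection string from the environment and fail closed if absent.
function loadDbUrl(env = process.env) {
  const url = env.DATABASE_URL;
  if (!url) throw new Error('DATABASE_URL is not set');
  return url;
}

// 2. SQL injection: keep the SQL text constant and pass the id as a bound parameter.
//    Returns the { text, values } query object that node-postgres accepts in query().
function buildUserQuery(rawId) {
  // Assumption: user ids are numeric. Anything else is rejected before reaching the DB.
  if (!/^[0-9]{1,18}$/.test(String(rawId))) return null;
  return { text: 'SELECT * FROM users WHERE id = $1', values: [String(rawId)] };
}

// 3. CORS: replace the allow-everything default of cors() with an explicit allowlist.
//    The returned function matches the (origin, callback) form of the cors `origin` option.
function makeOriginCheck(allowed) {
  const allowlist = new Set(allowed);
  return (origin, callback) => {
    // Requests without an Origin header (curl, same-origin) are not cross-origin.
    if (!origin || allowlist.has(origin)) return callback(null, true);
    return callback(null, false);
  };
}

// Wiring for an Express app with node-postgres (shown as comments, not executed here):
//   const db = new Pool({ connectionString: loadDbUrl() });
//   app.use(cors({ origin: makeOriginCheck(process.env.ALLOWED_ORIGINS.split(',')) }));
//   app.get('/user/:id', async (req, res) => {
//     const q = buildUserQuery(req.params.id);
//     if (!q) return res.status(400).json({ error: 'invalid id' });
//     const { rows } = await db.query(q);
//     res.json(rows);
//   });
```
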

Important: VibeScan has no AI

VibeScan is a scanning pipeline, not an LLM. It returns structured findings. Claude and ChatGPT are the AI layer — they read the findings and explain them using their own intelligence. No Bedrock, no OpenAI API, no LLM on our servers. This means explanations are as good as your AI platform — and they're getting better every day without us changing anything.