guardvibe

[](https://www.npmjs.com/package/guardvibe) [](https://opensource.org/licenses/Apache-2.0) [](https://github.com/goklab/guardvibe/actions/workflows/ci.yml) [](https://www.npmjs.com/package/guardvibe) [](https://codecov.io/gh/goklab/guardvibe)

The security MCP built for vibe coding. 330 security rules, 29 tools covering the entire AI-generated code journey — from first line to production deployment.

Works with Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf, and any MCP-compatible coding agent.

Most security tools are built for enterprise security teams. GuardVibe is built for you — the developer using AI to build and ship web apps fast.

• 330 security rules, 29 tools purpose-built for the stacks AI agents generate
• Zero setup friction — npx guardvibe and you're scanning
• No account required — runs 100% locally, no API keys, no cloud
• Understands your stack — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
• CVE version intelligence — detects 21 known vulnerable package versions in package.json
• AI agent security — detects MCP server vulnerabilities, excessive AI permissions, indirect prompt injection
• Auto-fix suggestions — fix_code tool returns concrete patches the AI agent can apply
• Pre-commit hook — block insecure code before it reaches your repo
• CI/CD ready — GitHub Actions workflow with SARIF upload to Security tab
• Agent-friendly output — JSON format for AI agents, Markdown for humans, SARIF for CI/CD
• Plugin system — exten