AI-backed Tool Uses Claude AI Agents to Scan for Vulnerabilities Across 11 Languages

In the fast-paced world of “vibecoding,” where developers use AI to build applications rapidly, a new open-source tool is stepping up to tackle security risks.

SecureVibes, created by developer Anshuman Bhartiya, leverages Anthropic’s Claude AI through a multi-agent system to detect vulnerabilities in codebases automatically.

Released in October 2025, this Python-based scanner aims to make professional-grade security analysis accessible without needing deep expertise.

At its core, SecureVibes employs five specialized AI agents that collaborate like a human security team. The Assessment Agent maps out the codebase architecture, creating a SECURITY.md file with key details like data flows and dependencies.

Next, the Threat Modeling Agent applies STRIDE methodology to identify potential threats, outputting a THREAT_MODEL.json file. The Code Review Agent then scrutinizes the code against these threats, validating issues and generating VULNERABILITIES.json with specifics like file paths and line numbers.

An optional DAST Agent performs dynamic testing on a running app via a target URL, adding exploitability checks through Claude Agent Skills. Finally, the Report Generator compiles everything into actionable reports in formats like Markdown or JSON.

Supporting 11 languages, including Python, JavaScript, TypeScript, Go, and more, SecureVibes smartly detects project types and excludes irrelevant directories, such as venv/ for Python or node_modules/ for JS.

Language     Extensions     Auto-excluded directories
Python       .py            venv/, env/, .venv/, __pycache__/, .pytest_cache/, .tox/, .eggs/, *.egg-info/
JavaScript   .js, .jsx      node_modules/, .npm/, .yarn/
TypeScript   .ts, .tsx      node_modules/, .npm/, .yarn/, dist/, build/
Go           .go            vendor/, bin/, pkg/
Ruby         .rb            vendor/, .bundle/, tmp/
Java         .java          target/, build/, .gradle/, .m2/
PHP          .php           vendor/, .composer/
C#           .cs            bin/, obj/, packages/
Rust         .rs            target/
Kotlin       .kt            build/, .gradle/
Swift        .swift         .build/, .swiftpm/, Packages/

It handles mixed-language projects seamlessly, ensuring thorough scans. Installation is straightforward: pip install securevibes for the stable release, or clone the GitHub repo for the latest features.
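To make the detection-and-exclusion behaviour described above concrete, here is an added illustrative walker written for this article; it is not SecureVibes' own code, and the function names (detect_languages, collect_scan_files, build_sample_repo) and the choice to skip every known dependency directory during detection are this example's assumptions. The table data is taken from the article; the sample repository tree is constructed.

```python
import fnmatch
import os
import tempfile

# Extensions and auto-excluded directories exactly as listed in the table above.
LANGUAGES = {
    "python": ({".py"}, ["venv", "env", ".venv", "__pycache__",
                         ".pytest_cache", ".tox", ".eggs", "*.egg-info"]),
    "javascript": ({".js", ".jsx"}, ["node_modules", ".npm", ".yarn"]),
    "typescript": ({".ts", ".tsx"}, ["node_modules", ".npm", ".yarn", "dist", "build"]),
    "go": ({".go"}, ["vendor", "bin", "pkg"]),
    "ruby": ({".rb"}, ["vendor", ".bundle", "tmp"]),
    "java": ({".java"}, ["target", "build", ".gradle", ".m2"]),
    "php": ({".php"}, ["vendor", ".composer"]),
    "csharp": ({".cs"}, ["bin", "obj", "packages"]),
    "rust": ({".rs"}, ["target"]),
    "kotlin": ({".kt"}, ["build", ".gradle"]),
    "swift": ({".swift"}, [".build", ".swiftpm", "Packages"]),
}
def _walk(root, skip_patterns, extensions):
    # Yield root-relative paths (never absolute, per the privacy note above) of
    # files with a wanted extension; prune dirs matching a pattern (*.egg-info).
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if not any(fnmatch.fnmatch(d, p) for p in skip_patterns)]
        for name in filenames:
            if os.path.splitext(name)[1] in extensions:
                yield os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
def detect_languages(root):
    # Languages whose extensions occur outside any known dependency/build dir;
    # skipping every exclusion list here is this example's own assumption.
    all_skips = [p for _, skips in LANGUAGES.values() for p in skips]
    all_exts = {e for exts, _ in LANGUAGES.values() for e in exts}
    seen = {os.path.splitext(f)[1] for f in _walk(root, all_skips, all_exts)}
    return {lang for lang, (exts, _) in LANGUAGES.items() if exts & seen}
def collect_scan_files(root):
    # Detect languages, then walk again applying only their exclusion lists.
    langs = detect_languages(root)
    skips = [p for lang in langs for p in LANGUAGES[lang][1]]
    exts = {e for lang in langs for e in LANGUAGES[lang][0]}
    return langs, sorted(_walk(root, skips, exts))
def build_sample_repo():
    # Constructed mixed-language tree (not a real project) for a demo run.
    root = tempfile.mkdtemp()
    for rel in ["app/main.py", "web/app.js", "venv/lib/site.py",
                "node_modules/lodash/index.js", "vendor/gen.go"]:
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        open(os.path.join(root, rel), "w").close()
    return root
```

Running collect_scan_files(build_sample_repo()) reports Python and JavaScript only: the vendored Go file never counts toward detection, and venv/ and node_modules/ are pruned from the scan set.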

Users authenticate via Claude’s CLI session or API key, then run “securevibes scan .” for a full analysis, with options for verbosity, severity filters, or sub-agent runs to cut costs.

What sets SecureVibes apart from traditional SAST tools like Semgrep or Bandit? In self-tests, it uncovered 16-17 vulnerabilities in its own codebase, four times more than single-agent AI like Claude Code, while rules-based scanners found zero.

This progressive, context-aware approach reduces false positives by requiring concrete evidence for each issue. Costs are reasonable, around $2-3 per scan using the Sonnet model, though Opus offers deeper analysis at a premium.

Privacy is prioritized: only code and relative paths are sent to Anthropic, with no secrets or absolute paths shared. Bhartiya encourages reviewing Anthropic’s policy before scanning sensitive code. A Python API enables integration into CI/CD pipelines for automated checks.

Available on GitHub under the AGPL license, SecureVibes is evolving with recent additions like DAST validation and skills for advanced testing. As vibecoding grows, tools like this could bridge the security gap in AI-driven development, helping devs ship safer apps faster.
