Catch the mistakes AI tends to make
AI can generate working-looking code that leaks secrets, skips auth, builds unsafe queries, misses rate limits, or executes untrusted model output. VibeLint checks for those patterns early.
VibeLint checks code writes, tool calls, and workflow actions before they become risk. Block unsafe generated code, gate sensitive actions, and keep a searchable audit trail across IDEs, workflow builders, agent frameworks, and custom runtimes.
01 / What is VibeLint
VibeLint helps developers and teams secure AI-assisted development by checking generated code, agent tool calls, and workflow actions before they turn into real risk.
VibeLint is a security layer for AI coding agents. It scans AI-generated code, detects risky patterns, and helps developers prevent insecure code and unsafe agent actions from reaching real projects.
VibeLint helps you secure what AI writes, runs, and touches.
Code scanning flow:
AI Agent -> Code Change -> VibeLint Scan -> Risk Detection -> Allow / Warn / Block / Log
Agent action flow:
AI Agent -> Tool Call or Action -> VibeLint Permission Check -> Allow / Block / Require Approval -> Log Evidence
02 / Why use it
Once agents can write files, call tools, create records, send messages, or change production-adjacent systems, you need a security layer that checks actions before they happen and leaves evidence afterward.
When agents call tools, send messages, update records, or change files, VibeLint can return allow, block, or require approval decisions.
Action logs record the agent, tool, action, status, risk level, approval state, and redacted context so you are not guessing what happened after the fact.
Free is enough to try local code checks. Pro is useful when you rely on AI coding daily and want the full detector suite, logs, permissions, approvals, and dashboard history.
Traditional SAST tools
Traditional scanners usually review repositories, pull requests, or dependencies after code exists. VibeLint focuses on the moment AI tries to create, modify, or act on code.
Dependency scanners
Dependency tools focus on packages. VibeLint includes dependency risk as one part of a broader AI agent security loop.
Manual review
Manual code review is still important. VibeLint catches common AI-generated risks earlier so reviewers spend less time on preventable mistakes.
AI coding assistants
Coding assistants generate code. VibeLint checks the generated code and agent actions for risk before they land.
03 / Who it is for
VibeLint is useful whenever an AI system can produce code, modify files, call APIs, use tools, or run a workflow that affects a project or customer.
Developers using AI coding assistants who want a fast security check before generated code enters their project.
Small teams shipping quickly with AI tools that need visibility into secrets, auth mistakes, injection risk, and risky agent activity.
Teams allowing agents to edit files, call tools, touch APIs, update data, or run workflow actions in real projects.
Builders who want lightweight AI security without rolling out a heavy enterprise security stack before the product is ready.
04 / How it works
The core idea is simple: check the risky thing before it becomes a real change, then record enough evidence to understand what happened later.
A coding agent, workflow agent, or custom runtime prepares to write code, call a tool, or take an action.
VibeLint scans generated code, checks permission policy, scores action risk, and looks for detector matches.
The action can be allowed, warned, blocked, logged, or gated behind approval depending on the plan and policy.
Scan metadata, issue summaries, permission decisions, action status, risk level, and redacted context become reviewable history.
05 / Setup
VibeLint supports two integration paths: MCP for IDE code scanning, and an HTTP API for agent permissions, logs, and approvals from any runtime.
vibelint --version
vibelint auth vl_license_your_key_here
vibelint scan .
The dashboard gives you the account-specific install command, license setup, MCP config snippets, and agent keys. This page explains the flow so you know what each step is doing before you copy the exact values from your dashboard.
Cursor
Add VibeLint to the Cursor MCP config.
Windsurf
Add VibeLint to the Windsurf MCP config.
Claude Code
Register VibeLint through the Claude MCP command.
VS Code
Use a project-level MCP server config.
Antigravity
Add VibeLint as an MCP server.
Codex
Add a VibeLint MCP server block to the Codex config.
n8n
Use HTTP nodes to call VibeLint permission checks and log agent actions.
Zapier Agents
Call the VibeLint API from Zapier actions for permission checks and logging.
Make
Use HTTP modules to connect AI agent workflows to VibeLint.
Dify
Add VibeLint API calls as tool nodes in Dify workflows.
Flowise
Connect Flowise agents to VibeLint via HTTP tool nodes.
LangChain / LangGraph
Add VibeLint permission checks as tool calls in LangGraph agents.
CrewAI
Wrap VibeLint API calls as CrewAI tools for agent security.
OpenAI Agents SDK
Register VibeLint as a function tool in the OpenAI Agents SDK.
Custom agents
Any runtime that can call HTTP can use VibeLint for permissions, logs, and approvals.
06 / Core features
Together these cover the most important risk surfaces in AI-assisted development: what the agent writes, what it tries to do, and what evidence remains.
VibeLint scans AI-generated or AI-edited code for risky patterns before the code becomes part of a project.
The detector library covers common mistakes introduced by AI coding tools, including secrets, injection, auth, config, AI-specific risk, and dependencies.
VibeLint can run as an MCP server so compatible coding agents can call it during code generation and review.
Teams can create named agent identities and scoped agent keys for runtimes that send action logs or permission checks.
Action logs show what AI agents attempted or executed, including tool, action, status, risk level, timing, rollback reference, and redacted metadata.
Permission policies define what agents may do, what should be blocked, and what requires human approval first.
The dashboard helps review scans, projects, detectors, agents, action logs, policy decisions, approvals, plan limits, and setup state.
Code scanning runs locally by default. Dashboard sync focuses on metadata and summaries rather than raw source files.
07 / Security rules
Free includes the starter detector set. Pro and Max include the full current detector suite for deeper coverage across AI-specific risks, dependencies, auth, rate limits, and more.
API keys, tokens, passwords, private keys, and credentials embedded directly in source code.
Why it matters
Secrets in code can leak through commits, logs, screenshots, bundles, or copied snippets.
VibeLint behavior
Warns or blocks depending on plan, policy, and workflow configuration.
Safer alternative
Move secrets to environment variables or a secrets manager, then reference them through safe configuration.
Weak auth checks, unsafe password handling, unverified sessions, or patterns that make authentication easy to bypass.
Why it matters
AI-generated auth code can look complete while missing the actual security checks that protect user data.
VibeLint behavior
Flags risky auth patterns and provides fix hints for safer validation.
Safer alternative
Use verified sessions, strong password hashing, explicit permission checks, and trusted auth helpers.
SQL, NoSQL, XSS, command injection, and path traversal patterns where untrusted input reaches sensitive sinks.
Why it matters
Injection bugs are common when AI builds strings from user input without parameterization or escaping.
VibeLint behavior
Flags unsafe input flow and highlights the risky sink.
Safer alternative
Use parameterized queries, escaping, strict validation, and safe framework primitives.
Insecure defaults such as debug mode, broad host settings, or risky framework options.
Why it matters
Configuration generated for local demos can accidentally reach production.
VibeLint behavior
Flags settings that should be environment-specific or hardened before deploy.
Safer alternative
Use environment-aware config and fail closed for production settings.
Overly permissive cross-origin policies such as wildcard origins with sensitive endpoints.
Why it matters
Loose CORS can expose authenticated browser requests to untrusted origins.
VibeLint behavior
Warns when CORS appears broader than the endpoint needs.
Safer alternative
Allow only trusted origins and avoid combining wildcard access with credentials.
Security issues surfaced by static-analysis rules used by the scanner.
Why it matters
Static patterns catch known risky constructs that are easy to miss during fast AI-assisted development.
VibeLint behavior
Reports findings with detector type and severity.
Safer alternative
Apply the suggested remediation or ask the AI agent to rewrite the risky block.
Unsanitized user input passed into LLM prompts or instruction contexts.
Why it matters
Prompt injection can manipulate an agent into ignoring rules, exposing data, or taking unwanted actions.
VibeLint behavior
Flags prompt construction patterns that mix untrusted input with privileged instructions.
Safer alternative
Separate trusted instructions from user data, validate inputs, and constrain tool access.
Executing, evaluating, or running output from an LLM without validation.
Why it matters
Generated output can contain malicious commands, unsafe code, or unexpected payloads.
VibeLint behavior
Flags dynamic execution paths fed by model output.
Safer alternative
Treat model output as untrusted, validate structure, and use explicit allowlists before execution.
Known vulnerable packages or dependency patterns found in project manifests.
Why it matters
AI agents often install packages quickly without checking the security history of what they add.
VibeLint behavior
Reports known dependency risk when available to the scanner.
Safer alternative
Upgrade, pin safe versions, replace abandoned packages, and review new dependencies before merge.
Public or sensitive endpoints that appear to lack rate limiting controls.
Why it matters
Missing rate limits can turn a useful endpoint into an abuse vector.
VibeLint behavior
Flags endpoints that should add throttling or quota protection.
Safer alternative
Add rate limits by route, user, IP, token, or workload type.
Endpoints or routes that appear to expose sensitive data or actions without authentication.
Why it matters
AI can generate complete-looking APIs while forgetting the guard that proves who is calling.
VibeLint behavior
Flags routes where auth appears absent or too weak.
Safer alternative
Require authenticated users, service tokens, roles, or explicit permission checks before sensitive work.
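The safer alternative for the LLM output execution rule above (parse, validate structure, dispatch through an explicit allowlist), as an added example that is not VibeLint's own code; `lookup_order`, `ALLOWED_TOOLS` and the sample model output are constructed for illustration. The pattern the detector flags is the opposite of this: handing the model's text straight to eval, exec, or a shell.

```python
import json
from typing import Any, Callable

# Constructed sample of model output: a structured tool request, not code to run.
MODEL_OUTPUT = '{"tool": "lookup_order", "args": {"order_id": "A-1001"}}'

def lookup_order(order_id: str) -> dict:
    """Constructed stand-in for a real tool the agent is permitted to call."""
    return {"order_id": order_id, "status": "shipped"}

# Explicit allowlist: tool name -> (callable, exact argument schema).
# Anything the model names that is not listed here is rejected, never executed.
ALLOWED_TOOLS: dict[str, tuple[Callable[..., Any], dict[str, type]]] = {
    "lookup_order": (lookup_order, {"order_id": str}),
}

def run_model_output(model_output: str) -> Any:
    """Treat model output as untrusted: parse it as data, validate its shape,
    then dispatch only through the allowlist (never eval/exec/subprocess)."""
    try:
        call = json.loads(model_output)
    except json.JSONDecodeError as exc:
        raise ValueError(f"model output is not valid JSON: {exc.msg}") from None
    if not isinstance(call, dict) or set(call) != {"tool", "args"}:
        raise ValueError("expected an object with exactly 'tool' and 'args'")
    entry = ALLOWED_TOOLS.get(call["tool"]) if isinstance(call["tool"], str) else None
    if entry is None:
        raise PermissionError(f"tool not allowlisted: {call['tool']!r}")
    fn, schema = entry
    args = call["args"]
    if not isinstance(args, dict) or set(args) != set(schema):
        raise ValueError(f"arguments must be exactly {sorted(schema)}")
    for name, expected in schema.items():
        if not isinstance(args[name], expected):
            raise ValueError(f"argument {name!r} must be {expected.__name__}")
    return fn(**args)

if __name__ == "__main__":
    print(run_model_output(MODEL_OUTPUT))  # {'order_id': 'A-1001', 'status': 'shipped'}
```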
08 / Policies, actions, and audit trails
VibeLint can treat agent work as structured decisions: the agent, tool, action, risk, policy result, approval state, and redacted context are separated so teams can understand what happened.
{
  "rules": {
    "hardcoded_secrets": "block",
    "sql_injection": "block",
    "missing_rate_limit": "warn",
    "auth_changes": "require_approval",
    "destructive_shell": "block"
  }
}
{
  "agent": "coding-agent",
  "tool": "file",
  "action": "write",
  "status": "gated",
  "risk_level": "high",
  "decision": "require_approval",
  "metadata": "[redacted context]"
}
allow
Continue immediately.
warn
Surface risk for review.
block
Stop the action or code change.
require_approval
Pause for human review.
log
Record searchable evidence.
09 / Integrations
It is not an agent builder. It is the security, permission, and evidence layer around IDE agents, workflow builders, agent frameworks, and custom runtimes.
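The check-then-log loop for a custom runtime, as an added example that is not VibeLint's SDK or sample code: it calls the permission check endpoint before a sensitive action and the action log endpoint afterward, using the request shapes documented in this section. The reply field name "decision", the tool names, and the transport plumbing are assumptions; `fake_transport` stands in for the API so the flow runs offline.

```python
import json
import urllib.request
from typing import Any, Callable

CHECK_URL = "https://vibelint.dev/api/agent-permissions/check"
LOG_URL = "https://vibelint.dev/api/agent-actions/log"
Transport = Callable[[str, dict, str], dict]  # (url, json body, agent key) -> json reply

def http_transport(url: str, body: dict, agent_key: str) -> dict:
    """Real transport: POST JSON with the agent key as a Bearer token."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {agent_key}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def guarded_action(tool: str, action: str, input_data: dict, rollback_available: bool,
                   run: Callable[[], Any], agent_key: str,
                   transport: Transport = http_transport) -> str:
    """Check first, act only on an explicit allow/warn, then always log.
    Returns the status that was logged: executed, gated, or blocked."""
    check = transport(CHECK_URL, {"tool": tool, "action": action, "input": input_data,
                                  "rollback_available": rollback_available}, agent_key)
    # "decision" is an assumed reply field name; fail closed if absent or unknown.
    decision = check.get("decision", "block")
    if decision in ("allow", "warn"):
        run()
        status = "executed"
    elif decision == "require_approval":
        status = "gated"  # not run: a human must approve in the dashboard first
    else:
        status = "blocked"
    transport(LOG_URL, {"tool": tool, "action": action, "status": status,
                        "reasoning_summary": f"permission check returned {decision}",
                        "rollback_available": rollback_available}, agent_key)
    return status

def fake_transport(decisions: dict, calls: list) -> Transport:
    """Constructed offline stand-in: records requests, answers checks from a per-tool table."""
    def transport(url: str, body: dict, agent_key: str) -> dict:
        calls.append((url, body))
        if url == CHECK_URL:
            return {"decision": decisions.get(body["tool"], "block")}
        return {"ok": True}
    return transport

if __name__ == "__main__":  # offline demo; swap in http_transport for the real API
    api = fake_transport({"database": "allow", "stripe": "require_approval"}, [])
    print(guarded_action("database", "update_records", {"record_count": 12}, False,
                         lambda: None, "vl_agent_your_key", api))  # executed
```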
POST https://vibelint.dev/api/agent-actions/log
Authorization: Bearer vl_agent_your_key
{
  "tool": "stripe",
  "action": "issue_refund",
  "status": "executed",
  "reasoning_summary": "Customer was double charged",
  "rollback_available": true
}
POST https://vibelint.dev/api/agent-permissions/check
Authorization: Bearer vl_agent_your_key
{
  "tool": "database",
  "action": "update_records",
  "input": { "record_count": 12 },
  "rollback_available": false
}
10 / Plans
Start with Free to try local AI code protection. Upgrade to Pro when AI is part of your daily development workflow and you want the full detector suite, action logs, permissions, approvals, and dashboard history. Use Max when you need higher production-volume limits.
$0 forever
Best for: Trying VibeLint and protecting personal AI coding workflows.
Includes: Local MCP scanner, pre-write checks, Free detector set, pre-commit hook, remediation hints, 1 project, 20 monthly scans, 1 agent, 100 monthly action logs, 7-day scan and log retention.
$19.99/month, $199/year, or limited-time $199 lifetime Pro
Best for: Builders using AI coding tools daily and needing full detector coverage plus visibility.
Includes: Everything in Free, all 11 detectors, prompt injection and LLM output execution checks, 10 projects, 1,000 monthly scans, 10 agents, 25,000 monthly action logs, policies, approvals, security score, weekly digest, 30-day retention.
$49/month or $469/year
Best for: High-volume production agent security.
Includes: Everything in Pro, 50 projects, 10,000 monthly scans, 50 agents, 250,000 monthly action logs, 250 policies, 2,500 rules, 2,500 pending approvals, 90-day retention.
Contact VibeLint
Best for: Security review, procurement, custom terms, and regulated team needs.
Includes: Custom terms, security review, procurement-friendly billing, priority engineering support, and implementation guidance.
11 / Trust and privacy
VibeLint is designed to give you useful security signals and agent audit history while keeping the scanning workflow lightweight. The scanner runs locally by default, and dashboard sync focuses on findings, summaries, and action evidence instead of full source files.
The scanner runs locally by default so VibeLint can review generated code without making source-code upload the core workflow.
When scan history syncs to the dashboard, it is focused on security metadata such as detector type, severity, project/file context, descriptions, fix hints, and timestamps.
For HTTP agent logs and permission checks, VibeLint stores the structured context your agent sends and masks common sensitive key names before showing it in the audit trail.
If you find a vulnerability, email hi@vibelint.dev with the affected area, reproduction steps, impact, and enough detail for the issue to be confirmed.
12 / FAQ
Short answers for the things people usually want to know before they install VibeLint, connect an agent, or choose a paid plan.
Yes, but it is more than that. VibeLint is an AI agent security layer that also includes agent action logs, permission policies, approval workflows, and audit history for agent behavior.
No. VibeLint works with IDE agents like Cursor, Windsurf, Claude Code, VS Code, Antigravity, and Codex. It also works with workflow builders like n8n, Zapier, Make, Dify, and Flowise, and agent frameworks like LangChain, CrewAI, and OpenAI Agents SDK. Any tool that can make HTTP calls can integrate with VibeLint.
For IDE agents, add VibeLint as an MCP server. For workflow builders and agent frameworks, use the VibeLint HTTP API with your agent key. Call the permission check endpoint before sensitive actions and the action log endpoint after each action.
No. VibeLint catches common AI-generated risks early and gives reviewers better evidence, but teams should still use normal security review practices.
Code scanning runs locally by default. Dashboard sync focuses on metadata, summaries, detector names, severity, file context, decisions, approvals, and redacted action context rather than raw source files.
Yes, VibeLint can return block decisions for permission checks and flag or block risky code depending on workflow configuration and policy.
The current public examples emphasize JavaScript, TypeScript, and Python-style workflows. Detector behavior depends on the code, scanner package, and rule coverage available to your plan.
If you only want to try local AI code checks, start with Free. If AI is now part of your daily development workflow, Pro is usually the useful tier because it adds the full detector suite, action logs, permission policies, approvals, security score, and longer history.
Start with Free if you are evaluating the scanner. Choose Pro if you want serious daily coverage for AI coding and agent workflows. Choose Max if you run many agents or need higher scan, log, policy, rule, and retention limits.
Those tools are valuable, but they usually focus on repository, dependency, or pull request security. VibeLint focuses on AI agent workflows, pre-write checks, permissions, and action evidence.