{"id":47769992,"url":"https://github.com/rohansx/vibeguard","last_synced_at":"2026-04-03T08:53:15.529Z","repository":{"id":341586008,"uuid":"1165601308","full_name":"rohansx/vibeguard","owner":"rohansx","description":"Security Property Graph (SPG) oracle for AI coding agents.","archived":false,"fork":false,"pushed_at":"2026-03-02T12:57:59.000Z","size":244,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-02T16:39:43.526Z","etag":null,"topics":["ai-agents","claude-code","cursor","devsecops","golang","mcp","security","static-analysis","taint-analysis"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rohansx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-24T10:42:43.000Z","updated_at":"2026-02-24T20:55:20.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/rohansx/vibeguard","commit_stats":null,"previous_names":["rohansx/vibeguard"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/rohansx/vibeguard","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rohansx%2Fvibeguard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rohansx%2Fvibeguard/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rohansx%2Fvibeguard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rohansx%2Fvibeguard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rohansx","download_url":"https://codeload.github.com/rohansx/vibeguard/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rohansx%2Fvibeguard/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31343782,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-03T08:03:20.796Z","status":"ssl_error","status_checked_at":"2026-04-03T08:00:37.834Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agents","claude-code","cursor","devsecops","golang","mcp","security","static-analysis","taint-analysis"],"created_at":"2026-04-03T08:53:14.658Z","updated_at":"2026-04-03T08:53:15.521Z","avatar_url":"https://github.com/rohansx.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# VibeGuard\n\n**Security Property Graph (SPG) oracle for AI coding agents.** VibeGuard builds a persistent, live graph encoding the full security semantics of your codebase — taint sources, sinks, sanitizers, trust boundaries, attack paths — and exposes them to AI coding agents (Cursor, Claude Code) via MCP, so agents write secure code by construction.\n\nNo code leaves your machine. Runs locally on stdio. Sub-500ms incremental updates.\n\n## How It Works\n\n```\n┌─────────────────────────────────────────────────────────────────────┐\n│                         YOUR CODEBASE                               │\n│   Python · TypeScript · JavaScript · Go                             │\n└──────────────┬──────────────────────────────────────────────────────┘\n               │  file save (inotify / FSEvents)\n               ▼\n┌──────────────────────────────────────────────────────────────────────┐\n│  VGX DAEMON                                                          │\n│                                                                      │\n│  ┌──────────────┐   ┌──────────────┐   ┌──────────────────────────┐ │\n│  │  Parser       │──▶│  SPG Builder  │──▶│  Taint Propagation (BFS) │ │\n│  │  (per-file)   │   │  (classify    │   │  source → sink paths     │ │\n│  │               │   │   nodes/edges)│   │  sanitizer detection     │ │\n│  └──────────────┘   └──────────────┘   └──────────────────────────┘ │\n│                                                                      │\n│  ┌──────────────────────────────────────────────────────────────────┐│\n│  │  MCP Server (stdio)                                              ││\n│  │  8 deterministic security query tools → structured JSON          ││\n│  └──────────────────────────────────────────────────────────────────┘│\n└──────────────┬───────────────────────────────────────────────────────┘\n               │  stdio (MCP protocol)\n               ▼\n┌──────────────────────────────────────────────────────────────────────┐\n│  AI CODING AGENT (Cursor / Claude Code / Copilot)                    │\n│  Queries SPG before writing code → writes secure code by default     │\n└──────────────────────────────────────────────────────────────────────┘\n```\n\n## Quick Start\n\n### Prerequisites\n\n- [Go](https://golang.org/) 1.23+\n\n### Install and run\n\n```bash\n# Clone\ngit clone git@github.com:rohansx/vibeguard.git\ncd vibeguard\n\n# Build\ncd apps/vgx \u0026\u0026 go build -o vgx ./cmd/vgx/\n\n# Initialize SPG for any repository\n./vgx init /path/to/your/repo\n\n# Start daemon (file watcher + MCP server on stdio)\n./vgx serve --repo /path/to/your/repo\n```\n\n### Connect to Cursor / Claude Code\n\nAdd to your project's `.mcp.json`:\n\n```json\n{\n  \"mcpServers\": {\n    \"vibeguard\": {\n      \"command\": \"/path/to/vgx\",\n      \"args\": [\"serve\", \"--repo\", \".\"]\n    }\n  }\n}\n```\n\nThe agent can now query your codebase's security properties in real time.\n\n## MCP Tools\n\nAll tools return deterministic structured JSON. Same query + same code = same result. No LLM in the verification path — pure graph traversal.\n\n| Tool | Security Question | Status |\n|------|------------------|--------|\n| `query_taint_paths(sink)` | Unsanitized data flows reaching this sink? | Phase 1 |\n| `get_attack_surface(module)` | All untrusted entry points for this module? | Phase 1 |\n| `find_missing_sanitizers()` | Where does tainted data reach a sink without sanitization? | Phase 1 |\n| `trace_data_flow(node_id, symbol, file)` | Where does this variable travel through the codebase? | Phase 1 |\n| `calculate_blast_radius(function)` | What security properties change if I modify this? | Phase 1 |\n| `get_security_context(file)` | Full security posture of this file? | Phase 1 |\n| `get_trust_boundary_violations()` | Paths crossing trust boundaries without auth? | Phase 2 |\n| `check_auth_coverage(endpoint)` | Does this endpoint enforce auth? | Phase 2 |\n\n### Example: query taint paths\n\n```\nAgent → query_taint_paths(sink: \"sqli\")\n\nVibeGuard → {\n  \"query\": \"sqli\",\n  \"path_count\": 1,\n  \"paths\": [{\n    \"vuln_class\": \"sqli\",\n    \"severity\": \"high\",\n    \"confidence\": 0.95,\n    \"source\": { \"symbol\": \"request.args.get\", \"file_path\": \"app.py\", \"line\": 12 },\n    \"sink\": { \"symbol\": \"cursor.execute\", \"file_path\": \"db.py\", \"line\": 34 },\n    \"path_length\": 3\n  }],\n  \"proof\": \"UNSANITIZED_PATHS_FOUND: 1 path(s) detected\"\n}\n```\n\n## CLI Commands\n\n```bash\nvgx init [path]           # Build initial SPG for a repository\nvgx serve                 # Start daemon: file watcher + MCP server (stdio)\nvgx serve --api           # Also start team sync REST API on :8080\nvgx query \u003ctool\u003e [args]   # Run a security query against the live SPG\nvgx report                # Generate security posture report\nvgx diff [ref]            # Show SPG changes since a git ref\nvgx ci                    # CI mode: exit non-zero on new taint paths\n```\n\n## What Gets Classified\n\nVibeGuard classifies security-relevant nodes across 4 languages and 8+ frameworks:\n\n| Language | Frameworks | Sources | Sinks | Sanitizers |\n|----------|-----------|---------|-------|------------|\n| Python | FastAPI, Django, Flask | `request.args`, `request.form`, `Body()`, `Query()` | `cursor.execute`, `subprocess.run`, `eval`, `open` | `html.escape`, `markupsafe.escape`, `bleach.clean` |\n| TypeScript/JS | Express, Next.js | `req.body`, `req.params`, `req.query`, `searchParams` | `pool.query`, `exec`, `innerHTML`, `eval` | `DOMPurify.sanitize`, `escape`, `encodeURI` |\n| Go | Chi, Gin, net/http | `r.URL.Query()`, `r.FormValue`, `c.Param` | `db.Query`, `exec.Command`, `template.HTML` | `html.EscapeString`, `filepath.Clean`, `url.QueryEscape` |\n\n### Vulnerability Classes\n\n| Class | Severity | Description |\n|-------|----------|-------------|\n| `rce` | Critical | Remote code execution via eval/exec |\n| `deserialization` | Critical | Unsafe deserialization of untrusted data |\n| `sqli` | High | SQL injection via string interpolation |\n| `ssrf` | High | Server-side request forgery |\n| `xss` | Medium | Cross-site scripting via unsanitized output |\n| `path_traversal` | Medium | Directory traversal via user-controlled paths |\n\n## Architecture\n\n```\napps/vgx/\n├── cmd/vgx/                  # CLI entrypoints (Cobra)\n│   ├── main.go               # Root command + version\n│   ├── init.go               # vgx init — build SPG\n│   ├── serve.go              # vgx serve — daemon + MCP\n│   ├── query.go              # vgx query — security queries\n│   ├── report.go             # vgx report — posture report\n│   ├── diff.go               # vgx diff — SPG delta\n│   └── ci.go                 # vgx ci — CI/CD gate\n├── internal/\n│   ├── parser/               # Per-file parsing + security node extraction\n│   │   └── parser.go         # Python, TypeScript, Go regex-based classifier\n│   ├── graph/                # Security Property Graph\n│   │   ├── nodes.go          # Node/Edge/TaintPath type definitions\n│   │   ├── store.go          # In-memory graph + bbolt persistence\n│   │   └── builder.go        # ParsedFile → SPG (classify + build edges)\n│   ├── taint/                # Taint propagation engine\n│   │   └── engine.go         # BFS source→sink, sanitizer-aware\n│   ├── mcp/                  # MCP server (mark3labs/mcp-go)\n│   │   ├── server.go         # Tool registration + stdio transport\n│   │   └── tools.go          # 8 query tool handlers\n│   ├── watcher/              # File watcher (fsnotify)\n│   │   └── watcher.go        # Debounced inotify/FSEvents\n│   ├── daemon/               # Orchestrator\n│   │   └── daemon.go         # Init, Serve, incremental updates\n│   ├── api/                  # Team sync REST API (Chi)\n│   │   ├── router.go\n│   │   └── handlers/\n│   ├── config/               # Environment config\n│   └── db/                   # pgx/v5 pool (team sync only)\n└── db/migrations/            # SQL migrations (dbmate)\n```\n\n## Incremental Updates\n\nWhen you save a file, VibeGuard:\n\n1. Detects the change via `fsnotify` (~5ms)\n2. Re-parses only the changed file\n3. Removes stale nodes/edges for that file\n4. Rebuilds security nodes + data-flow edges\n5. Re-propagates taint paths through the graph\n\nTotal latency: typically \u003c 500ms per file change.\n\n## Team Sync (Optional)\n\nFor teams sharing security metadata across repos:\n\n```bash\n# Start with team sync API\npodman compose -f docker/docker-compose.yml up\nvgx serve --api --port 8080\n```\n\nRequires PostgreSQL for shared metadata storage. The local SPG always lives on-disk at `~/.vibeguard/graph/` — PostgreSQL only stores team sync metadata and calibration events.\n\n## Environment Variables\n\n| Variable | Required | Purpose |\n|----------|----------|---------|\n| `SPG_STORE_PATH` | No | Override graph store path (default: `~/.vibeguard/graph/`) |\n| `DATABASE_URL` | For team sync | PostgreSQL connection string |\n| `ANTHROPIC_API_KEY` | Phase 2 | Claude Sonnet for hybrid sanitizer classification |\n| `CLERK_SECRET_KEY` | For team sync | Authentication for Pro/Team tier |\n\n## Roadmap\n\n- **Phase 1 (current):** Core SPG daemon + 6 MCP tools + CLI + Python/TS/Go support\n- **Phase 2:** VS Code extension (D3.js attack path viz), trust boundary detection, GitHub Action, team tier\n- **Phase 3:** Java/Rust support, calibration flywheel, enterprise, multi-repo federation\n\n## License\n\nProprietary. All rights reserved.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frohansx%2Fvibeguard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frohansx%2Fvibeguard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frohansx%2Fvibeguard/lists"}