Your AI just hard-coded your API key.
VibeLint caught it. You didn't have to.

Intercepts vulnerable code
before it touches your files.

A security scanner that runs inside your IDE — Cursor, Claude Code, Windsurf — and intercepts vulnerable AI-generated code before it ever touches your files.

vibelint — scan output

Free to start. No credit card. Works in 5 min.


The #1 launch killer for vibe-coded projects?
Security holes you never wrote.

When you're building with AI, you move fast. You describe a feature, the agent writes the code, you ship. But AI models don't think about security the way you'd want them to. They hard-code API keys. They build SQL queries with string concatenation. They hash passwords with MD5. And none of it gets flagged — it just lands silently in your codebase.

The problem

AI agents generate code that works — but "works" and "secure" are two different things. A single exposed API key or unparameterized query can take down your entire project. And you won't catch it in a code review you never do.

The fix

VibeLint runs as an MCP server inside your IDE. Every time your AI agent generates code, VibeLint intercepts it before it touches your files — scans it, flags violations, and auto-fixes what it can. You keep shipping fast. The code stays clean.

Risks VibeLint catches for you

Critical

Hard-coded API keys & secrets

OpenAI, Stripe, AWS, Anthropic keys pasted directly into source. One git push and they're public.

Critical

SQL injection

AI loves f-strings in queries: f"SELECT * FROM users WHERE id = {id}". Anyone who controls id can dump your database.

Critical

Broken password hashing

MD5 and SHA1 are fast, unsalted digests, not password hashes: a single GPU tries billions of guesses per second against them, so a leaked table is cracked in seconds. AI generates them constantly because they're short and simple.

Critical

Command injection

os.system() and subprocess with shell=True hand the whole string to a shell, so any user input inside it lets attackers execute arbitrary commands on your server.

High

XSS & unsafe DOM writes

innerHTML, document.write(), and dangerouslySetInnerHTML without sanitization. One injected script owns your users.

High

JWT without verification

verify=False, or a library that still accepts alg set to none, skips the signature check entirely. Anyone can forge auth tokens and access any account.

High

Path traversal

open(user_input) without validation. Attackers read any file on your server — configs, keys, /etc/passwd.

High

Exposed credentials in auth flows

Hard-coded admin passwords, JWT secrets in source, tokens stored in localStorage. All trivial to exploit.
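The page shows fixes for secrets, hashing and SQL injection further down but not for the command-injection and path-traversal entries above. The block below is an added example written for this page, not VibeLint's own code: each of those two patterns in its vulnerable form beside a hardened one. The function names, the hostname rule, the base directory and the sample inputs are ours.

```python
"""Added example (not VibeLint code): command injection and path traversal,
vulnerable form beside a hardened form. Names and inputs are constructed."""
import os
import re
import subprocess

# Hostname allow-list: must start with a letter or digit so "-f" style
# option injection is rejected along with shell metacharacters.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def vulnerable_ping(host):
    """The pattern the list above flags: host="8.8.8.8; cat /etc/passwd"
    runs both commands because the string goes through a shell."""
    return subprocess.run("ping -c 1 " + host, shell=True)


def ping_argv(host):
    """Hardened: validate the input, then build an argv list so the host is
    one argument and never shell syntax. Returns the argv, or None if rejected."""
    if not HOSTNAME_RE.match(host):
        return None
    return ["ping", "-c", "1", host]


def vulnerable_read(user_path):
    """open(user_input) with no validation: "../../etc/passwd" or an absolute
    "/etc/passwd" both read files outside the intended directory."""
    with open(user_path) as fh:
        return fh.read()


def resolve_under(base_dir, user_path):
    """Hardened: join to a fixed base, canonicalise (collapses .. and symlinks),
    and refuse any result whose real path is not inside base.
    Returns the resolved path, or None if the input escapes base."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    # Constructed inputs: one benign, one malicious for each check.
    for host in ("example.com", "8.8.8.8; cat /etc/passwd", "-f"):
        print(f"{host!r:35} -> {ping_argv(host)}")
    for p in ("report.pdf", "../../etc/passwd", "/etc/passwd"):
        print(f"{p!r:35} -> {resolve_under('/srv/app/uploads', p)}")
```

ping_argv only builds the argument list; run it with subprocess.run(argv) (no shell=True) so the validated host reaches ping as a single argument. resolve_under returns a path rather than opening it so the caller keeps control of mode and error handling.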

How it works

1

AI writes code in your IDE

You describe a feature. Your AI generates it.

2

VibeLint intercepts automatically

Before anything hits your files, VibeLint scans it.

3

Violations flagged. Auto-fixed.

Clean, secure code lands in your project.

What it catches

Before:
    api_key = "sk-live-abc123..."
After:
    api_key = os.environ.get("API_KEY")

Before:
    hashed = hashlib.md5(password.encode())
After:
    hashed = bcrypt.hashpw(
        password.encode(), bcrypt.gensalt()
    )

Before:
    cursor.execute(
        f"SELECT * FROM users WHERE id = {id}"
    )
After:
    cursor.execute(
        "SELECT * FROM users WHERE id = %s", (id,)
    )

Two notes on the fixed forms: os.environ.get() returns None when the variable is unset, so check for it at startup rather than letting an empty credential reach the API. The %s placeholder is the paramstyle of psycopg2 and the MySQL drivers; sqlite3 uses ?. Either way the driver, not string formatting, binds the value.

Works with Python, JavaScript, TypeScript — and 7 more languages via Semgrep.
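To make the scanning step concrete, here is an added example written for this page, not VibeLint's own code (VibeLint uses Semgrep rules). It is a miniature scanner built on Python's ast module that implements four of the checks from the risk list and runs over a constructed sample in the shape of AI-generated code. The rule ids, the sample and the fake key are ours.

```python
"""Added example (not VibeLint code): a toy AST-based scanner for four of the
patterns the page lists, run over a constructed sample. Rule ids are ours."""
import ast
import re

# Constructed sample; the key is fake and the code is never executed.
SAMPLE = '''
import hashlib, os, subprocess
api_key = "sk-live-abc123def456ghi789jkl012mno345"
def get_user(cursor, id):
    cursor.execute(f"SELECT * FROM users WHERE id = {id}")
def store(password):
    return hashlib.md5(password.encode()).hexdigest()
def ping(host):
    subprocess.run("ping -c 1 " + host, shell=True)
    os.system("ls " + host)
def safe(cursor, id):
    cursor.execute("SELECT * FROM users WHERE id = %s", (id,))
'''

# Two vendor key shapes as an illustration: "sk-..." style and AWS "AKIA..." access key ids.
SECRET_RE = re.compile(r"\b(sk-[A-Za-z0-9_-]{16,}|AKIA[0-9A-Z]{16})\b")


def _dotted(node):
    """'hashlib.md5' for an attribute chain, the bare name for a Name, else None."""
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    if isinstance(node, ast.Name):
        return node.id
    return None


def scan_source(src):
    """Return sorted (line, rule_id) findings for one Python source string."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        # Rule 1: a string literal that looks like a vendor API key.
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if SECRET_RE.search(node.value):
                findings.append((node.lineno, "hardcoded-secret"))
        if not isinstance(node, ast.Call):
            continue
        callee = _dotted(node.func) or ""
        # Rule 2: execute() whose query is an f-string or a + concatenation.
        if callee.endswith(".execute") and node.args:
            q = node.args[0]
            if isinstance(q, ast.JoinedStr) or (
                isinstance(q, ast.BinOp) and isinstance(q.op, ast.Add)
            ):
                findings.append((node.lineno, "sql-injection"))
        # Rule 3: fast digest used as a hash. Flagged wherever it appears; a
        # production rule would check that the input is a password.
        if callee in ("hashlib.md5", "hashlib.sha1"):
            findings.append((node.lineno, "weak-hash"))
        # Rule 4: os.system, or any subprocess call with shell=True.
        if callee == "os.system":
            findings.append((node.lineno, "command-injection"))
        if callee.startswith("subprocess.") and any(
            kw.arg == "shell"
            and isinstance(kw.value, ast.Constant)
            and kw.value.value is True
            for kw in node.keywords
        ):
            findings.append((node.lineno, "command-injection"))
    return sorted(set(findings))


if __name__ == "__main__":
    for line, rule in scan_source(SAMPLE):
        print(f"line {line}: {rule}")
```

The parameterised query in safe() produces no finding, which is the distinction a rule has to make: it is the shape of the query argument, not the call to execute(), that is the bug. Semgrep expresses the same checks as YAML patterns with taint tracking; this toy only matches syntax, so a query built in a variable and passed by name would slip past it.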

Set up in 5 minutes

Python 3.8+ is the only system prerequisite. Everything else (including the Semgrep rule engine) is installed from requirements.txt.

🤖 Skip the manual steps — paste this to your AI agent

Copy the prompt below and paste it into Cursor, Claude Code, Windsurf, or any MCP-compatible AI agent. It will handle everything.

Install VibeLint as an MCP server in my IDE. Run these commands:
1. git clone https://github.com/elharrakrachid217-cloud/VibeLint.git
2. cd VibeLint
3. pip install -r requirements.txt
4. python install_mcp.py
Then restart the IDE so it picks up the new MCP server.
1

Clone and install

Pull the repo and install the Python dependencies.

git clone https://github.com/elharrakrachid217-cloud/VibeLint.git
cd VibeLint
pip install -r requirements.txt
2

Run the auto-installer

This detects your Python path, resolves the server location, and writes the correct config for your IDE — no manual JSON editing needed.

python install_mcp.py

Supports Cursor, Windsurf, and Claude Desktop. To target a specific IDE:

python install_mcp.py --ide cursor
python install_mcp.py --ide windsurf
python install_mcp.py --ide claude
3

Restart your IDE

Reload the window so it picks up the new MCP server, and confirm that vibelint is listed as a connected server in your IDE's MCP settings. That's it: VibeLint is now scanning every AI-generated file automatically.

# Optional: verify it's working
python server.py
# You should see: VibeLint — AI Code Security Scanner

Manual setup (if you prefer)

Open your IDE's MCP config and add this. Use full absolute paths for both the Python executable and server.py, and do not rely on cwd. The Python path should be the interpreter you ran pip install with (the virtualenv's python if you used one), otherwise the server starts without its dependencies.

{
  "mcpServers": {
    "vibelint": {
      "command": "/absolute/path/to/python",
      "args": ["/absolute/path/to/vibelint/server.py"]
    }
  }
}

Config file location depends on your IDE:

  • Cursor: ~/.cursor/mcp.json
  • Windsurf: ~/.codeium/windsurf/mcp_config.json
  • Claude Desktop: claude_desktop_config.json (in Claude Desktop's application data directory)
  • VS Code: .vscode/mcp.json (per workspace)
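The manual step above is easy to get wrong in two ways: a relative path, or overwriting an mcp.json that already lists other servers. The following is an added example written for this page (not VibeLint's install_mcp.py, whose internals the page does not describe) that resolves both paths to absolute form, checks they exist, and merges the entry into an existing config while keeping other servers. The function names and the temp-file stand-in used by the demo are ours.

```python
"""Added example (not VibeLint code): build the mcpServers entry with absolute
paths and merge it into an existing config without clobbering other servers."""
import json
import os
import sys
import tempfile


def build_vibelint_entry(server_py, python_exe=None):
    """Return {"command": <abs python>, "args": [<abs server.py>]}.

    python_exe defaults to the interpreter running this script, which is the one
    with requirements.txt installed if you run this from the project's venv.
    """
    python_exe = os.path.abspath(python_exe or sys.executable)
    server_py = os.path.abspath(server_py)
    for path in (python_exe, server_py):
        if not os.path.isfile(path):
            raise FileNotFoundError(f"not found: {path}")
    return {"command": python_exe, "args": [server_py]}


def merge_mcp_config(existing_text, entry, name="vibelint"):
    """Merge entry under mcpServers[name] in the JSON text of an mcp.json.

    An empty or missing file becomes a fresh config; other servers are kept.
    """
    config = json.loads(existing_text) if existing_text.strip() else {}
    servers = config.setdefault("mcpServers", {})
    if not isinstance(servers, dict):
        raise ValueError("mcpServers must be a JSON object")
    servers[name] = entry
    return config


def demo_entry():
    """Demo only: create an empty stand-in server.py in a temp dir so the
    existence check can be exercised without cloning the repo."""
    stub = os.path.join(tempfile.mkdtemp(), "server.py")
    open(stub, "w").close()
    return build_vibelint_entry(stub)


if __name__ == "__main__":
    # Cursor's location from the table above; print the merged result for review
    # instead of writing it, so nothing is changed without you looking at it.
    path = os.path.expanduser("~/.cursor/mcp.json")
    existing = open(path).read() if os.path.exists(path) else ""
    print(json.dumps(merge_mcp_config(existing, demo_entry()), indent=2))
```

For real use, call build_vibelint_entry("server.py") from inside the cloned repo with the venv active, then write the merged JSON back to the config path for your IDE.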

Your code never leaves your machine.

  • No cloud account required
  • No code sent to external servers
  • No subscription to start scanning

Most security tools send your code to their servers to scan it. VibeLint runs entirely on your hardware.

Frequently asked questions

Everything else you might want to know before getting started.

Which languages does it support?
VibeLint scans Python, JavaScript, TypeScript, Go, Java, Ruby, C, C++, PHP, and Kotlin out of the box via Semgrep-powered rules. It focuses on the security patterns that AI models get wrong most often, hard-coded secrets, injection flaws, and broken auth, across all of these languages.

Do I have to run it myself?
It's fully automatic. VibeLint runs as an MCP server inside your IDE. Every time your AI agent generates or modifies code, VibeLint intercepts and scans it before the code is written to your files. You don't need to run any commands or click any buttons; it's always watching in the background.

Which IDEs does it work with?
VibeLint works with any IDE or tool that supports the MCP (Model Context Protocol) standard. Right now that includes Cursor, Windsurf, Claude Desktop, and VS Code. The auto-installer handles configuration for Cursor, Windsurf, and Claude Desktop. For other MCP-compatible editors, you can add the config manually in a few seconds.

Is it free?
Yes. VibeLint is free and open source. There's no subscription, no usage limit, and no account required. Clone the repo, install it, and start scanning. We may offer a premium tier with advanced rules and team features down the road, but the core scanner will always be free.

Will it slow me down?
No. Scans run inline while your AI agent generates code, typically in milliseconds. There's no separate build step, no waiting for a CI pipeline, and no context switching. The overhead is invisible in practice.

Can I use it on code I wrote myself?
VibeLint is designed for AI-generated code, but you can also run the scanner manually on any file or project by calling python server.py directly. The security rules apply to all code regardless of who wrote it.

Can I customize the rules?
Yes. VibeLint ships with a sensible default ruleset, but you can enable, disable, or adjust rules to fit your project. You can also write your own custom Semgrep rules and drop them in. Full documentation is in the repo.

Does it replace a security audit?
No, and it's not meant to. VibeLint is a first line of defense that catches the most common, most dangerous patterns AI models produce. It dramatically reduces your attack surface, but for production systems you should still conduct thorough security reviews and penetration testing.

Join the early access list

First 50 developers get direct input on the roadmap.

