SecureVibes Unveils AI-Powered Multi-Agent Tool for Enhanced Code Security Scanning

SecureVibes: Revolutionizing Code Security with AI-Powered Multi-Agent Scanning

In the rapidly evolving landscape of software development, the integration of artificial intelligence (AI) has led to the emergence of vibecoding, a practice where developers utilize AI to expedite application creation. While this innovation accelerates development, it also introduces significant security challenges. Addressing these concerns, developer Anshuman Bhartiya has introduced SecureVibes, an open-source tool designed to automate vulnerability detection across diverse codebases.

Introduction to SecureVibes

Launched in October 2025, SecureVibes is a Python-based scanner that harnesses Anthropic’s Claude AI through a sophisticated multi-agent system. This design emulates the collaborative efforts of a human security team, making professional-grade security analysis accessible to developers without requiring extensive expertise.

The Multi-Agent Framework

SecureVibes operates through five specialized AI agents, each fulfilling a distinct role in the security assessment process:

1. Assessment Agent: This agent analyzes the codebase architecture, generating a `SECURITY.md` file that outlines critical details such as data flows and dependencies.

2. Threat Modeling Agent: Utilizing the STRIDE methodology, this agent identifies potential threats and produces a `THREAT_MODEL.json` file, providing a structured overview of possible security risks.

3. Code Review Agent: This agent conducts a thorough examination of the code, cross-referencing identified threats to validate issues. It compiles its findings into a `VULNERABILITIES.json` file, detailing specifics like file paths and line numbers.

4. DAST Agent (Optional): For dynamic analysis, this agent performs testing on a running application via a specified URL, enhancing the assessment with exploitability checks through Claude Agent Skills.

5. Report Generator: This component consolidates all findings into actionable reports, available in formats such as Markdown or JSON, facilitating easy interpretation and remediation.

Language Support and Project Compatibility

SecureVibes boasts support for 11 programming languages, including Python, JavaScript, TypeScript, Go, and more. It intelligently detects project types and excludes irrelevant directories to streamline the scanning process. For instance:

– Python: Recognizes `.py` files and excludes directories like `venv/`, `env/`, `.venv/`, `__pycache__/`, `.pytest_cache/`, `.tox/`, `.eggs/`, and `.egg-info/`.

– JavaScript: Identifies `.js` and `.jsx` files, excluding `node_modules/`, `.npm/`, and `.yarn/` directories.

– TypeScript: Detects `.ts` and `.tsx` files, excluding `node_modules/`, `.npm/`, `.yarn/`, `dist/`, and `build/` directories.

– Go: Recognizes `.go` files and excludes `vendor/`, `bin/`, and `pkg/` directories.

– Ruby: Identifies `.rb` files, excluding `vendor/`, `.bundle/`, and `tmp/` directories.

– Java: Detects `.java` files, excluding `target/`, `build/`, `.gradle/`, and `.m2/` directories.

– PHP: Recognizes `.php` files and excludes `vendor/` and `.composer/` directories.

– C#: Identifies `.cs` files, excluding `bin/`, `obj/`, and `packages/` directories.

– Rust: Detects `.rs` files and excludes the `target/` directory.

– Kotlin: Recognizes `.kt` files, excluding `build/` and `.gradle/` directories.

– Swift: Identifies `.swift` files, excluding `.build/`, `.swiftpm/`, and `Packages/` directories.

This comprehensive support ensures that SecureVibes can handle mixed-language projects seamlessly, providing thorough scans regardless of the project’s complexity.
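To make the per-language exclusion rules above concrete, here is an added Python illustration (not SecureVibes' own code; the article does not describe how the real tool walks a tree) that groups a constructed mixed-language file list by language and drops the directories the article lists for each:

```python
from pathlib import PurePosixPath

# Added example, not SecureVibes' own code. Extensions and excluded directory names are the ones
# the article lists; ".egg-info" is a directory suffix (e.g. "pkg.egg-info/"), handled separately.
LANGUAGES = {
    "Python":     ({".py"}, {"venv", "env", ".venv", "__pycache__", ".pytest_cache", ".tox", ".eggs"}),
    "JavaScript": ({".js", ".jsx"}, {"node_modules", ".npm", ".yarn"}),
    "TypeScript": ({".ts", ".tsx"}, {"node_modules", ".npm", ".yarn", "dist", "build"}),
    "Go":         ({".go"}, {"vendor", "bin", "pkg"}),
    "Ruby":       ({".rb"}, {"vendor", ".bundle", "tmp"}),
    "Java":       ({".java"}, {"target", "build", ".gradle", ".m2"}),
    "PHP":        ({".php"}, {"vendor", ".composer"}),
    "C#":         ({".cs"}, {"bin", "obj", "packages"}),
    "Rust":       ({".rs"}, {"target"}),
    "Kotlin":     ({".kt"}, {"build", ".gradle"}),
    "Swift":      ({".swift"}, {".build", ".swiftpm", "Packages"}),
}
EXT_TO_LANG = {ext: lang for lang, (exts, _) in LANGUAGES.items() for ext in exts}

def language_of(path):
    """Language by file extension, or None for files the scanner would not treat as source."""
    return EXT_TO_LANG.get(PurePosixPath(path).suffix)

def is_excluded(path, lang):
    """True if any parent directory is on that language's exclusion list."""
    names, suffixes = LANGUAGES[lang][1], ((".egg-info",) if lang == "Python" else ())
    return any(d in names or d.endswith(suffixes) for d in PurePosixPath(path).parts[:-1])

def select_scan_targets(paths):
    """Group relative file paths by detected language, skipping excluded dirs and non-source files.
    Exclusions are per language, and excluded code is never reviewed (vendored deps need SCA instead)."""
    targets = {}
    for p in paths:
        lang = language_of(p)
        if lang is not None and not is_excluded(p, lang):
            targets.setdefault(lang, []).append(p)
    return {lang: sorted(files) for lang, files in sorted(targets.items())}

# Constructed sample of a mixed-language repository (relative paths, as the tool transmits them).
SAMPLE_TREE = [
    "app/main.py",
    "venv/lib/python3.12/site-packages/requests/api.py",  # Python dependency: excluded
    "web/src/index.tsx",
    "web/node_modules/react/index.js",                    # JS dependency: excluded
    "web/dist/bundle.js",                                 # dist/ is excluded for TypeScript only, so this .js is kept
    "svc/cmd/server/main.go",
    "svc/vendor/github.com/lib/pq/conn.go",               # Go vendor/: excluded
    "scripts/vendor/helper.py",                           # vendor/ is not on Python's list: kept
    "README.md",                                          # not a supported source extension
]
```

Running `select_scan_targets(SAMPLE_TREE)` yields four languages, with the two vendored dependency trees and the `node_modules/` copy dropped but `scripts/vendor/helper.py` retained.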

Installation and Usage

Installing SecureVibes is straightforward. Developers can install the stable release via pip:

```
pip install securevibes
```

Alternatively, for access to the latest features, they can clone the GitHub repository. Authentication is achieved through Claude’s Command Line Interface (CLI) session or an API key. To initiate a full analysis, users can execute:

```
securevibes scan .
```

The tool offers options for verbosity, severity filters, and selective agent runs to optimize costs and focus on specific areas of concern.

Performance and Effectiveness

In self-assessments, SecureVibes demonstrated remarkable efficacy. It identified 16-17 vulnerabilities within its own codebase, quadrupling the findings of single-agent AI tools like Claude Code. Traditional rules-based scanners, such as Semgrep or Bandit, detected no issues in the same codebase. This context-aware approach significantly reduces false positives by requiring concrete evidence for each identified vulnerability.

Cost Considerations

Operating costs for SecureVibes are reasonable. Utilizing the Sonnet model, a comprehensive scan costs approximately $2-3. For more in-depth analysis, the Opus model is available at a higher price point, offering deeper insights for critical applications.

Privacy and Security Measures

SecureVibes prioritizes user privacy. Only code and relative paths are transmitted to Anthropic, ensuring that secrets or absolute paths remain confidential. Developers are encouraged to review Anthropic’s privacy policy before scanning sensitive codebases. Additionally, SecureVibes offers a Python API, facilitating integration into Continuous Integration/Continuous Deployment (CI/CD) pipelines for automated security checks.

Open-Source Availability and Community Engagement

Released under the AGPL license, SecureVibes is accessible on GitHub, inviting contributions and collaboration from the developer community. Recent enhancements include dynamic application security testing (DAST) validation and advanced testing skills, reflecting the tool’s ongoing evolution.

Conclusion

As the practice of vibecoding continues to gain traction, tools like SecureVibes play a pivotal role in bridging the security gap inherent in AI-driven development. By automating comprehensive vulnerability assessments, SecureVibes empowers developers to deliver safer applications more efficiently, aligning with the industry’s growing emphasis on secure coding practices.