UNPKG

vibesec

Version:

Security scanner for AI-generated code - detects vulnerabilities in vibe-coded projects

github.com/ferg-cod3s/vibesec-bun-poc

ferg-cod3s/vibesec-bun-poc

126 lines (113 loc) 5.02 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
# Incomplete Security Implementation Rules # These rules detect TODO/FIXME comments and placeholder code in security-sensitive areas # AI-generated code often includes placeholders that should never reach production rules: - id: security-todo severity: high category: incomplete name: Security TODO/FIXME Found description: TODO or FIXME comment in security-critical code patterns: - "(?:TODO|FIXME).*(?:auth|password|credential|secret|token|session|security|encrypt|decrypt|hash)" - "(?:auth|password|credential|secret|token|session|security|encrypt|decrypt|hash).*(?:TODO|FIXME)" - "//\\s*TODO.*(?:security|auth|password|validate)" - "#\\s*TODO.*(?:security|auth|password|validate)" risk: Incomplete security implementations leave systems vulnerable. TODOs in security code indicate unfinished protection mechanisms that attackers can exploit fix: | Complete all security implementations before deploying to production Before: // TODO: Add password validation function login(password) { ... } After: function login(password) { if (!validatePassword(password)) { throw new Error('Invalid password'); } ... } references: - https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/ cwe: CWE-489 owasp: OWASP A4:2021 - id: commented-security-check severity: critical category: incomplete name: Commented Out Security Check description: Security validation code has been commented out patterns: - "(?://|#)\\s*(?:if|assert).*(?:auth|password|permission|role|token|validate)" - "/\\*.*(?:authenticate|authorize|validate|check).*\\*/" - "(?://|#)\\s*validate.*(?:input|user|password|token)" - "(?://|#)\\s*(?:check|verify).*(?:permission|role|auth)" risk: Commented-out security checks disable critical protections, allowing unauthorized access or malicious input to pass through unchecked fix: | Re-enable all security checks. Never comment out validation or authentication logic Before: // if (!user.hasPermission('admin')) { return forbidden(); } dangerousAction(); After: if (!user.hasPermission('admin')) { return forbidden(); } dangerousAction(); references: - https://cwe.mitre.org/data/definitions/489.html cwe: CWE-489 owasp: OWASP A4:2021 - id: placeholder-credentials severity: critical category: incomplete name: Placeholder Credentials Detected description: Placeholder or example credentials found in code patterns: - "(?:password|secret|key)\\s*=\\s*[\"'](?:example|placeholder|changeme|test123|temp|CHANGE_ME)[\"']" - "(?:API_KEY|SECRET|PASSWORD)\\s*=\\s*[\"'](?:your|my|placeholder|xxx)[-_]?(?:key|secret|password|token)[\"']" - "(?:username|user)\\s*=\\s*[\"'](?:admin|test|placeholder)[\"'].*password.*[\"'](?:admin|test|123)[\"']" - "[\"'](?:PUT|ENTER|INSERT)[-_]?(?:YOUR|API|SECRET|KEY)[\"']" risk: Placeholder credentials in code may be forgotten and deployed to production, creating easily exploitable backdoors fix: | Replace all placeholder credentials with environment variables Before: const apiKey = "YOUR_API_KEY_HERE"; const password = "changeme"; After: const apiKey = process.env.API_KEY; if (!apiKey) { throw new Error('API_KEY environment variable is required'); } references: - https://cwe.mitre.org/data/definitions/798.html - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html cwe: CWE-798 owasp: OWASP A3:2017 - id: incomplete-error-handling severity: high category: incomplete name: Incomplete Error Handling in Security Context description: Try-catch block in security code with empty or minimal error handling patterns: - "try\\s*\\{[^}]*(?:auth|password|credential|decrypt|verify)[^}]*\\}\\s*catch[^{]*\\{\\s*(?://.*)?\\s*\\}" - "except.*:\\s*(?:#.*)?\\s*pass\\s*$" - "catch\\s*\\([^)]*\\)\\s*\\{\\s*(?://.*)?\\s*console\\.log" - "except.*Exception.*:\\s*(?:#.*)?\\s*print" risk: Empty or insufficient error handling in security code may hide failures, leading to bypassed authentication or exposed sensitive data fix: | Implement proper error handling with secure fallback behavior Before: try { await authenticate(token); } catch (e) { // TODO: handle error } After: try { await authenticate(token); } catch (e) { logger.error('Authentication failed', { error: e.message }); return res.status(401).json({ error: 'Unauthorized' }); } references: - https://owasp.org/www-community/Improper_Error_Handling - https://cwe.mitre.org/data/definitions/755.html cwe: CWE-755 owasp: OWASP A4:2021