SecureVibes: New AI Tool Scans Code for Vulnerabilities in 11 Languages Using Claude AI Agents

In the fast-paced world of “vibecoding,” where developers use AI to build applications rapidly, a new open-source tool is stepping up to tackle security risks.

SecureVibes, created by developer Anshuman Bhartiya, leverages Anthropic’s Claude AI via a multi-agent system to automatically detect vulnerabilities in codebases.

Released in October 2025, this Python-based scanner aims to make professional-grade security analysis accessible without needing deep expertise.

At its core, SecureVibes employs five specialized AI agents that collaborate like a human security team.

The Assessment Agent maps the codebase architecture, creating a SECURITY.md file with key details such as data flows and dependencies.

Next, the Threat Modeling Agent applies STRIDE methodology to identify potential threats, outputting a THREAT_MODEL.json file.

The Code Review Agent then scrutinizes the code against these threats, validating issues and generating the VULNERABILITIES.json file with details such as file paths and line numbers.

An optional DAST Agent performs dynamic testing on a running app via a target URL, adding exploitability checks through Claude Agent Skills.

Finally, the Report Generator compiles everything into actionable reports in formats like Markdown or JSON.

SecureVibes supports 11 languages (Python, JavaScript, TypeScript, Go, Ruby, Java, PHP, C#, Rust, Kotlin and Swift). It detects the project type from the file extensions present and automatically skips directories that are irrelevant to a review, such as venv/ for Python or node_modules/ for JavaScript, which keeps vendored dependencies and build output out of the scan.

Language     Extensions    Auto-excluded directories
Python       .py           venv/, env/, .venv/, __pycache__/, .pytest_cache/, .tox/, .eggs/, *.egg-info/
JavaScript   .js, .jsx     node_modules/, .npm/, .yarn/
TypeScript   .ts, .tsx     node_modules/, .npm/, .yarn/, dist/, build/
Go           .go           vendor/, bin/, pkg/
Ruby         .rb           vendor/, .bundle/, tmp/
Java         .java         target/, build/, .gradle/, .m2/
PHP          .php          vendor/, .composer/
C#           .cs           bin/, obj/, packages/
Rust         .rs           target/
Kotlin       .kt           build/, .gradle/
Swift        .swift        .build/, .swiftpm/, Packages/

Mixed-language projects are supported as well. Installation is straightforward: pip install securevibes for the stable release, or clone the GitHub repository for the latest features.
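To make the table concrete, here is an added example, written for this article rather than taken from the SecureVibes code, that re-implements the scoping rule the table describes: detect which languages are present by extension, take the union of their exclusion lists, and list the relative paths that remain. It doubles as a pre-flight check before a scan, since the paths it prints are the files that would leave your machine. The sample repository it builds is constructed in a temporary directory, and the tool's real detection logic may differ in details such as how it treats a language that only appears inside an excluded directory.

```python
from __future__ import annotations

import fnmatch
import os
import tempfile
from pathlib import Path

# Language -> (source extensions, directory names or globs to skip), transcribed
# from the table above. Independent reimplementation for illustration; this is
# not SecureVibes' own detection code.
LANGUAGES: dict[str, tuple[set[str], set[str]]] = {
    "Python":     ({".py"},         {"venv", "env", ".venv", "__pycache__", ".pytest_cache", ".tox", ".eggs", "*.egg-info"}),
    "JavaScript": ({".js", ".jsx"}, {"node_modules", ".npm", ".yarn"}),
    "TypeScript": ({".ts", ".tsx"}, {"node_modules", ".npm", ".yarn", "dist", "build"}),
    "Go":         ({".go"},         {"vendor", "bin", "pkg"}),
    "Ruby":       ({".rb"},         {"vendor", ".bundle", "tmp"}),
    "Java":       ({".java"},       {"target", "build", ".gradle", ".m2"}),
    "PHP":        ({".php"},        {"vendor", ".composer"}),
    "C#":         ({".cs"},         {"bin", "obj", "packages"}),
    "Rust":       ({".rs"},         {"target"}),
    "Kotlin":     ({".kt"},         {"build", ".gradle"}),
    "Swift":      ({".swift"},      {".build", ".swiftpm", "Packages"}),
}
EXT_TO_LANG = {ext: lang for lang, (exts, _) in LANGUAGES.items() for ext in exts}


def is_excluded(dirname: str, patterns: set[str]) -> bool:
    """Match a bare directory name against plain names and globs such as '*.egg-info'."""
    return any(fnmatch.fnmatch(dirname, p) for p in patterns)


def detect_languages(root: Path) -> set[str]:
    """Pass 1: every language whose extension appears anywhere under root.
    Deliberately ignores exclusions: a .py file inside node_modules/ still
    flags Python, which only adds Python's (harmless) exclusions to the union."""
    return {EXT_TO_LANG[p.suffix] for p in root.rglob("*") if p.is_file() and p.suffix in EXT_TO_LANG}


def in_scope_files(root: Path) -> list[str]:
    """Pass 2: relative paths a scan would read. Mixed-language trees get the
    union of the exclusion lists of every detected language."""
    langs = detect_languages(root)
    skip = set().union(*(LANGUAGES[lang][1] for lang in langs))
    exts = {ext for lang in langs for ext in LANGUAGES[lang][0]}
    scope: list[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into an excluded directory.
        dirnames[:] = [d for d in dirnames if not is_excluded(d, skip)]
        scope.extend(
            (Path(dirpath) / name).relative_to(root).as_posix()
            for name in filenames
            if Path(name).suffix in exts
        )
    return sorted(scope)


def build_sample_repo() -> Path:
    """Constructed fixture: a Python + TypeScript monorepo with vendored and built files."""
    root = Path(tempfile.mkdtemp(prefix="scope_demo_"))
    for rel in [
        "api/app.py",
        "api/__pycache__/app.cpython-312.pyc",
        "api/.venv/lib/site-packages/flask/app.py",  # pruned: .venv/
        "web/src/index.ts",
        "web/node_modules/left-pad/index.js",        # pruned: node_modules/
        "web/dist/bundle.js",                        # pruned only because TypeScript is present (dist/)
        "web/my.egg-info/PKG-INFO",                  # pruned by the *.egg-info glob
        "README.md",                                 # not a scanned extension
    ]:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("# constructed placeholder\n")
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    print("languages:", sorted(detect_languages(repo)))
    for rel in in_scope_files(repo):
        print("in scope:", rel)
```

Run against the constructed tree, only api/app.py and web/src/index.ts remain in scope. Note that web/dist/bundle.js drops out only because a TypeScript file is present: the JavaScript row alone does not exclude dist/, which is exactly the kind of cross-language interaction worth checking on a real monorepo before the scan starts.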

Users authenticate with an existing Claude CLI session or an API key, then run "securevibes scan" for a complete analysis, with options to adjust verbosity, filter by severity, or run individual sub-agents to cut costs.

What sets SecureVibes apart from rule-based SAST tools like Semgrep or Bandit? In the author's self-test, it uncovered 16-17 vulnerabilities in its own codebase, about four times as many as a single-agent run of Claude Code, while the rule-based scanners found zero. That is one self-reported result on one codebase rather than an independent benchmark, and a higher count only matters if the findings are real.

This staged, context-aware approach is intended to reduce false positives: the Code Review Agent must back each reported issue with concrete evidence from the code before it reaches the report.

Reported costs are around $2-3 per scan with the Sonnet model; Opus offers deeper analysis at a premium.

Privacy is prioritized: only code and relative paths are sent to Anthropic, with no secrets or absolute paths shared. Keep in mind that the source itself is the payload, so anything hard-coded in a scanned file (a committed API key, for example) goes with it; run a secret scanner over the repository first if that is a concern.

Bhartiya encourages reviewing Anthropic’s policy before scanning sensitive code. A Python API enables integration into CI/CD pipelines for automated checks.
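The VULNERABILITIES.json the pipeline produces (file paths, line numbers, severity) is what a CI job would act on. Below is an added example, written for this article rather than taken from the project, of a minimal gate that reads such a report and fails the build when anything at or above a chosen severity is present. The field names it expects (vulnerabilities, severity, file, line, title) and the severity labels are assumptions about the report's shape, chosen for this example; compare them with a report from your own scan and adjust. The sample report embedded in the block is constructed, not real scanner output.

```python
import json
import sys
from collections import Counter

# Severity ranking used for the threshold. The keys below (severity, file, line,
# title) are an ASSUMED shape for VULNERABILITIES.json chosen for this example;
# check the report your own scan produces and adjust.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample findings, not output from a real scan.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"severity": "high", "file": "api/app.py", "line": 42,
         "title": "SQL built with string formatting from request input"},
        {"severity": "low", "file": "web/src/index.ts", "line": 7,
         "title": "Verbose error message returned to client"},
        {"severity": "bizarre", "file": "api/util.py", "line": 3,
         "title": "Severity label the gate does not recognise"},
        {"severity": "medium", "file": "api/app.py", "line": 88,
         "title": "Missing CSRF token on state-changing form"},
    ]
})


def rank(severity) -> int:
    """Unknown or missing labels rank above 'critical': a gate must fail closed,
    not silently wave through a finding it cannot classify."""
    return SEVERITY_RANK.get(str(severity).lower(), max(SEVERITY_RANK.values()) + 1)


def evaluate(report_text: str, fail_on: str = "high"):
    """Return (blocking_findings, summary_lines) for a report body.
    Blocking findings are sorted worst-first, then by file and line."""
    findings = json.loads(report_text).get("vulnerabilities", [])
    threshold = SEVERITY_RANK[fail_on.lower()]
    blocking = sorted(
        (f for f in findings if rank(f.get("severity")) >= threshold),
        key=lambda f: (-rank(f.get("severity")), f.get("file", ""), f.get("line", 0)),
    )
    counts = Counter(str(f.get("severity", "unknown")).lower() for f in findings)
    summary = [f"{sev}: {n}" for sev, n in sorted(counts.items(), key=lambda kv: -rank(kv[0]))]
    return blocking, summary


def gate(report_text: str, fail_on: str = "high") -> int:
    """Exit code for CI: 0 when nothing at or above fail_on is present, 1 otherwise."""
    blocking, summary = evaluate(report_text, fail_on)
    print("findings by severity:", ", ".join(summary))
    for f in blocking:
        print(f"BLOCKING [{f.get('severity')}] {f.get('file')}:{f.get('line')} {f.get('title')}")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: python gate.py VULNERABILITIES.json [fail_on]; with no arguments the
    # constructed sample is used so the script runs offline.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(text, sys.argv[2] if len(sys.argv) > 2 else "high"))
```

With the sample, the gate blocks on two findings: the high-severity one and the one carrying an unrecognised label, which is listed first because an unclassifiable finding should never be the thing that quietly passes a build. Wire it in after the scan step and treat a non-zero exit as a failed check.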

Available on GitHub under the AGPL license, SecureVibes is evolving with recent additions, including DAST validation and advanced testing capabilities.

As vibecoding grows, tools like this could bridge the security gap in AI-driven development, helping devs ship safer apps faster.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
