[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-78026":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":15,"stars7d":16,"stars30d":17,"stars90d":15,"forks30d":15,"starsTrendScore":14,"compositeScore":18,"rankGlobal":9,"rankLanguage":9,"license":19,"archived":20,"fork":20,"defaultBranch":21,"hasWiki":22,"hasPages":20,"topics":23,"createdAt":9,"pushedAt":9,"updatedAt":24,"readmeContent":25,"aiSummary":26,"trendingCount":15,"starSnapshotCount":15,"syncStatus":16,"lastSyncTime":27,"discoverSource":28},78026,"vbsec","tanviet12\u002Fvbsec","tanviet12","A Claude Code skill that performs in-depth security scans and detects 20+ of the most common security vulnerabilities in your source code.",null,"Shell",205,92,132,1,0,2,73,54.21,"MIT License",false,"main",true,[],"2026-06-12 04:01:23","\u003Cdiv align=\"center\">\n\n### 🇻🇳 [Đọc bằng Tiếng Việt → README.vi.md](README.vi.md)\n\n\u003C\u002Fdiv>\n\n---\n\n# vbsec — Source Code Security Scanner\n\nA multi-platform agent skill that performs in-depth security scans and detects 20+ of the most common security vulnerabilities in your source code. 
Runs natively on **Claude Code**, **OpenAI Codex CLI**, and **Google Antigravity**.\n\n[![License: MIT](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-MIT-yellow.svg)](https:\u002F\u002Fopensource.org\u002Flicenses\u002FMIT)\n[![Claude Code](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FClaude%20Code-Skill-blue)](https:\u002F\u002Fdocs.claude.com\u002Fclaude-code)\n[![OpenAI Codex](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FOpenAI%20Codex-Skill-black)](https:\u002F\u002Fdevelopers.openai.com\u002Fcodex\u002Fskills)\n[![Google Antigravity](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FGoogle%20Antigravity-Skill-orange)](https:\u002F\u002Fantigravity.google\u002Fdocs\u002Fskills)\n\n---\n\n## Introduction\n\nAI-generated code now represents a meaningful share of new commits across the industry. While modern coding assistants excel at producing code that *works*, they routinely ship code with classic security pitfalls: hardcoded secrets, SQL injection, missing access controls, weak password hashing, JWT misuse, and broken CORS configurations. These mistakes rarely surface in functional testing — they surface in incident reports.\n\nvbsec brings production-grade security review into the AI coding loop. It runs as a native agent skill on three platforms — type `\u002Fvbs-scan-security` in Claude Code, `$vbs-scan-security` (or `\u002Fskills`) in OpenAI Codex CLI, or simply ask Google Antigravity to \"scan security\" — and receive a structured report covering 20+ categories of vulnerabilities. 
There are no external API calls, no separate tool installation, and no additional infrastructure to maintain.\n\nvbsec has been exercised against intentionally vulnerable open-source training apps such as OWASP Juice Shop — and identifies findings that line up with the documented vulnerability challenges across SQL injection, NoSQL injection, JWT misuse, broken access control, mass assignment, deserialization RCE, and more.\n\nGeneric rules apply to every language. Specialized rule overlays exist for Go, PHP, TypeScript\u002FJavaScript, and Python, covering common frameworks: React, Vue, Angular, Express, NestJS, Next.js, Django, Flask, FastAPI, SQLAlchemy, Sequelize, Prisma, and Mongoose. Additional language overlays are on the roadmap.\n\n## Authors\n\n- **Bùi Tấn Việt** — CEO, [SePay](https:\u002F\u002Fsepay.vn) & [123HOST](https:\u002F\u002F123host.vn)\n- **Phan Quốc Hiên** — CTO, [SePay](https:\u002F\u002Fsepay.vn) & [123HOST](https:\u002F\u002F123host.vn)\n\n## How it works\n\nvbsec is engineered around a small set of design choices that distinguish it from conventional pattern scanners.\n\n- **Reasoning-first, not pattern counting.** vbsec does not blindly grep for `eval(` or `query(`. Each potential finding is verified by reading the surrounding code, tracing data flow (L1 untrusted user input through L4 trusted system data), and confirming the data reaches a dangerous sink without sanitization. This eliminates the false-positive flood typical of regex-based scanners.\n\n- **Size-aware routing.** Small scans (≤20 main-language files AND ≤30 total) run inline in 30-60 seconds. Larger scans automatically delegate work to sub-agents that run in parallel — one chunk per top-level folder — and aggregate findings centrally. 
The user experience is identical; only the execution strategy changes.\n\n- **Sub-agent delegation for large repositories.** For repositories with hundreds of files, vbsec spawns up to three parallel sub-agents through Claude Code's general-purpose agent. Each sub-agent scans a chunk of files independently, and findings are dedupe-aggregated by `(file, line, rule_id)`. This keeps wall-clock time bounded even on monorepos.\n\n- **Language overlay system.** When vbsec detects the primary language, it loads language-specific rule files from `rules\u002Flanguages\u002F\u003Clang>\u002F` that override the generic rules for that language. This catches framework-specific patterns: Mongoose `$where` NoSQL injection, Angular `bypassSecurityTrustHtml`, Sequelize template-literal SQL, JWT algorithm confusion, Gin debug mode in production builds.\n\n- **L1–L4 data flow classification.** Inputs are classified by trust level. A `db.query(\\`SELECT ${x}\\`)` call is only reported as a finding when `x` originates from L1 (user-controlled input) and reaches the SQL sink without parameterization. Constants, environment variables, and trusted-source data do not generate false positives.\n\n- **One finding, one rule.** A line of code that triggers both IDOR and Race Condition produces two findings — never a comma-separated double tag. This keeps counts honest, reports auditable, and the trailing JSON summary machine-parseable.\n\n- **Bilingual reports.** Vietnamese is the default; English is selected with `lang=en`. The JSON summary at the report tail is always canonical English for CI and tooling consumption.\n\n- **Multi-platform.** One canonical rule set, three platform variants. Claude Code uses parallel sub-agents for large scans; Codex and Antigravity use sequential chunking with identical output. 
A single `sync-skills.sh` script keeps rule definitions in lock-step across all three.\n\n## Multi-platform support\n\nvbsec ships three variants from a single source of truth:\n\n| Platform | Skill folder | Install target | LARGE mode strategy |\n|---|---|---|---|\n| Claude Code | `skills\u002Fvbs-scan-security\u002F` | `~\u002F.claude\u002Fskills\u002Fvbs-scan-security` | Parallel sub-agents (3 concurrent) |\n| OpenAI Codex CLI | `skills\u002Fcodex\u002Fvbs-scan-security\u002F` | `~\u002F.agents\u002Fskills\u002Fvbs-scan-security` | Sequential chunking |\n| Google Antigravity | `skills\u002Fantigravity\u002Fvbs-scan-security\u002F` | `~\u002F.gemini\u002Fantigravity\u002Fskills\u002Fvbs-scan-security` | Sequential chunking |\n\nAll three share the same 21 rules, language overlays, i18n strings, and output format. Findings are identical; only execution strategy differs. Sequential variants are ~3× slower wall-clock than Claude Code's parallel mode on large repositories, but produce the same JSON summary and the same Markdown report.\n\nContributors: edit rules in `skills\u002Fvbs-scan-security\u002F` (the canonical Claude folder), then run `.\u002Fscripts\u002Fsync-skills.sh` to propagate to the Codex and Antigravity variants. Platform-specific files (`SKILL.md`, `workflows\u002Flarge-review*.md`) are hand-maintained.\n\n## Installation\n\nvbsec auto-detects every supported platform you have installed and wires up the skill. 
Run:\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Ftanviet12\u002Fvbsec ~\u002Fvbsec\ncd ~\u002Fvbsec\n.\u002Fscripts\u002Finstall.sh         # auto-detect, install for what's present\n.\u002Fscripts\u002Finstall.sh --all   # force install for all 3 platforms regardless\n```\n\nDetection logic:\n- **Claude Code** — binary `claude` in PATH\n- **OpenAI Codex CLI** — binary `codex` in PATH\n- **Google Antigravity** — app at `\u002FApplications\u002FAntigravity.app` (macOS) OR CLI tool `agy` in PATH (installed via Antigravity IDE menu)\n\nAntigravity is an IDE (like VS Code), not a CLI. For a brand-new Antigravity user, the folder `~\u002F.gemini\u002Fantigravity\u002Fskills\u002F` does not exist by default — the installer creates it for you.\n\nThe installer symlinks the appropriate skill folder into each platform's expected location. To update later:\n\n```bash\ncd ~\u002Fvbsec && git pull\n```\n\n(Symlinks pick up the new version automatically; restart the CLI \u002F IDE if needed.)\n\n**Manual install for a single platform:**\n\n```bash\n# Claude Code\nln -sfn ~\u002Fvbsec\u002Fskills\u002Fvbs-scan-security              ~\u002F.claude\u002Fskills\u002Fvbs-scan-security\n\n# OpenAI Codex CLI\nln -sfn ~\u002Fvbsec\u002Fskills\u002Fcodex\u002Fvbs-scan-security        ~\u002F.agents\u002Fskills\u002Fvbs-scan-security\n\n# Google Antigravity\nln -sfn ~\u002Fvbsec\u002Fskills\u002Fantigravity\u002Fvbs-scan-security  ~\u002F.gemini\u002Fantigravity\u002Fskills\u002Fvbs-scan-security\n```\n\nVerify the install on each platform:\n\n```\nClaude Code:   \u002Fvbs-scan-security\nCodex:         $vbs-scan-security        (or \u002Fskills, then pick)\nAntigravity:   \"scan security cho repo này\"  (auto-trigger by description)\n```\n\nSee [docs\u002Fen\u002Finstallation.md](docs\u002Fen\u002Finstallation.md) for prerequisites, troubleshooting, and update procedures.\n\n## Usage\n\nThe default scope is the entire repository. 
This is a deliberate change from earlier versions and matches how teams typically request a security audit.\n\n```bash\n\u002Fvbs-scan-security                       # scan entire folder (default)\n\u002Fvbs-scan-security uncommitted           # only scan uncommitted changes\n\u002Fvbs-scan-security pr id 42 lang=en      # scan a PR, report in English\n\u002Fvbs-scan-security commit within 7days   # scan last 7 days of commits\n```\n\n**Works without git.** Vibe coders rarely init `git` before pasting AI-generated code into a folder. The default scope (`\u002Fvbs-scan-security`) walks the filesystem directly when no `.git\u002F` is present — common build\u002Fvendored folders are excluded automatically. Git-specific scopes (`uncommitted`, `staged`, `commit within`, `commit id`, `pr id`) still require a git repository and will print a helpful message asking you to init git or fall back to the default scope.\n\nReports are saved to `vbsec-reports\u002Fscan-\u003Ctimestamp>.md` inside the scanned folder for re-reading, sharing with reviewers, and attaching to remediation tickets.\n\nSee [docs\u002Fen\u002Fusage.md](docs\u002Fen\u002Fusage.md) for all options including `staged`, single-commit scans, and PR scanning via `gh`.\n\n## Vulnerabilities vbsec detects\n\n| # | Rule ID | Severity max | Specialized for |\n|---|---|---|---|\n| 1 | `HARDCODED-SECRET` | CRITICAL | — |\n| 2 | `SQL-INJECTION` | CRITICAL | go, php, typescript |\n| 3 | `XSS` | HIGH | typescript |\n| 4 | `IDOR` | HIGH | — |\n| 5 | `SLOPSQUATTING` | CRITICAL | — |\n| 6 | `BRUTE-FORCE` | HIGH | — |\n| 7 | `MASS-ASSIGNMENT` | CRITICAL | typescript |\n| 8 | `INSECURE-DESERIALIZATION` | CRITICAL | go, php, typescript |\n| 9 | `SSRF` | HIGH | go, typescript |\n| 10 | `PATH-TRAVERSAL` | HIGH | — |\n| 11 | `CSRF` | HIGH | php, typescript |\n| 12 | `BROKEN-ACCESS-CONTROL` | CRITICAL | — |\n| 13 | `WEAK-PASSWORD-HASHING` | CRITICAL | — |\n| 14 | `JWT-NONE-ALGORITHM` | CRITICAL | typescript |\n| 15 | 
`CORS-MISCONFIG` | HIGH | typescript |\n| 16 | `UNRESTRICTED-FILE-UPLOAD` | CRITICAL | — |\n| 17 | `VERBOSE-ERROR-DEBUG-MODE` | HIGH | go, php, typescript |\n| 18 | `MISSING-RATE-LIMIT` | HIGH | — |\n| 19 | `RACE-CONDITION` | HIGH | — |\n| 20 | `OUTDATED-DEPENDENCY` | HIGH | — |\n| 21 | `COMMAND-INJECTION` | CRITICAL | go, php, typescript |\n\nThe list currently contains 21 rules and will continue to expand.\n\n## Documentation\n\n- [Installation](docs\u002Fen\u002Finstallation.md)\n- [Usage](docs\u002Fen\u002Fusage.md)\n- [Full rule catalog](docs\u002Fen\u002Frules.md)\n- [Contributing](docs\u002Fen\u002Fcontributing.md)\n\n## Roadmap\n\n- v0.1 — Generic rule set + Go + PHP specialization + bilingual output ✅\n- v0.2 — TypeScript\u002FJavaScript specialization (Sequelize\u002FPrisma\u002FMongoose, React\u002FVue\u002FAngular, Express\u002FNestJS\u002FNext.js) ✅\n- v0.3 — Default scope changed to full-repo, persistent reports, verbose per-finding explanations ✅\n- v0.4 — Python specialization (SQLAlchemy\u002FDjango ORM SQLi, pickle\u002Fyaml deserialization RCE, Werkzeug debugger, FastAPI\u002FFlask\u002FDjango CSRF + CORS, PyJWT algorithms, subprocess shell=True) ✅\n- v0.5 (current) — Multi-platform support: OpenAI Codex CLI + Google Antigravity (sequential LARGE mode, shared rule set, `install.sh` + `sync-skills.sh`) ✅\n- v0.6+ — Ruby, Java, Rust — community-driven\n\n## Disclaimer\n\nvbsec is a reference scanner. 
It catches common AI-generated code mistakes, but:\n\n- It does NOT replace a professional security audit\n- It does NOT guarantee 100% vulnerability coverage\n- It does NOT fetch live CVE databases (run `npm audit` \u002F `pip-audit` \u002F `govulncheck` separately for that)\n\nUse vbsec as a **first line of defense**, not as proof of security.\n\n## License & Acknowledgments\n\nReleased under the [MIT License](LICENSE).\n\nBuilt on the security expertise of [SePay](https:\u002F\u002Fsepay.vn) and [123HOST](https:\u002F\u002F123host.vn) — two Vietnamese fintech and hosting companies that operate production systems under real-world threat conditions.\n\n© 2026 Bùi Tấn Việt & Phan Quốc Hiên.\n","vbsec is a source code security scanner that performs in-depth detection of more than 20 common security vulnerabilities in code. Its core features include cross-platform support (Claude Code, OpenAI Codex CLI and Google Antigravity) and execution as a native skill that needs no extra installation or maintenance. Technically, vbsec verifies potential security issues with a reasoning-first approach rather than simple pattern matching, which gives higher accuracy. It suits teams that want high-quality security review integrated into the development process, particularly for AI-generated code, helping developers avoid common pitfalls such as hardcoded secrets and SQL injection.","2026-06-11 03:56:21","CREATED_QUERY"]