safeboundai/vibe-scanner — explained in plain English
Analysis updated 2026-05-18
Scan a company domain to discover apps employees built without IT review.
Check discovered apps for missing login protection or exposed API keys.
Detect a known Supabase misconfiguration that leaks database access.
View streaming scan results in a local browser dashboard.
| safeboundai/vibe-scanner | mfranzon/render | aref-vc/tufte-claude-skill | |
|---|---|---|---|
| Stars | 110 | 107 | 102 |
| Language | HTML | HTML | HTML |
| Setup difficulty | moderate | easy | easy |
| Complexity | 3/5 | 2/5 | 1/5 |
| Audience | developer | vibe coder | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires a Serper API key, Docker is the simplest way to run it.
Vibe-scanner is a security tool designed to help enterprise security teams find unauthorized internal apps that employees have built and deployed on their own, without going through IT review. These are sometimes called shadow IT: tools someone built on a platform like Lovable, Replit, Netlify, Vercel, Hugging Face, or Cloudflare Pages and deployed quietly, often to solve a real business problem, but without any security review. The README explicitly states it is built for authorized testing against your own organization. Given a company domain name, the tool works in three phases. First, it crawls the target domain and uses a named-entity recognition model to extract product names, brand names, and organization names beyond just the main domain. It uses these names to build search queries, then runs those queries against search engines using the Serper API to find apps hosted on the supported platforms that appear to be connected to the organization. It filters results by relevance scoring and removes obvious false positives like template demos or test projects. Once it has a list of candidate apps, it probes each one. It checks whether the app requires a login, whether it exposes a login form with no other authentication, or whether it is completely open. It scans the page source for hardcoded API keys or passwords. It also checks for a specific Supabase misconfiguration tracked as CVE-2025-48757, where a database has row-level security disabled and its anonymous access key is embedded in the frontend, allowing anyone to read database tables without credentials. Sensitive data patterns in responses are also flagged. Results stream out as structured JSON events in the terminal, and the tool includes a small browser dashboard that shows results in a terminal-style interface served over localhost. Running it requires a Serper API key for the search queries. Docker is the simplest setup path: build the image and run it with your environment file. An OpenAI key can optionally be added to generate plain-English risk summaries for each finding, but the tool works without it using its built-in rules engine.
A security scanning tool that finds unauthorized apps employees quietly deployed on platforms like Lovable, Replit, or Vercel, then checks each one for common security holes.
Mainly HTML. The stack also includes HTML, Docker, Serper API.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.