explaingit

safeboundai/vibe-scanner

Analysis updated 2026-05-18

110HTMLAudience · developerComplexity · 3/5Setup · moderate

TLDR

A security scanning tool that finds unauthorized apps employees quietly deployed on platforms like Lovable, Replit, or Vercel, then checks each one for common security holes.

Mindmap

mindmap
  root((repo))
    What it does
      Finds shadow IT apps
      Probes each app
      Flags risks
    Tech stack
      HTML
      Serper API
    Use cases
      Discover unknown apps
      Check for open logins
      Catch leaked API keys
    Audience
      Security teams
    Setup
      Docker
      Serper API key

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Scan a company domain to discover apps employees built without IT review.

USE CASE 2

Check discovered apps for missing login protection or exposed API keys.

USE CASE 3

Detect a known Supabase misconfiguration that leaks database access.

USE CASE 4

View streaming scan results in a local browser dashboard.

What is it built with?

HTMLDockerSerper API

How does it compare?

safeboundai/vibe-scannermfranzon/renderaref-vc/tufte-claude-skill
Stars110107102
LanguageHTMLHTMLHTML
Setup difficultymoderateeasyeasy
Complexity3/52/51/5
Audiencedevelopervibe coderdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires a Serper API key, Docker is the simplest way to run it.

In plain English

Vibe-scanner is a security tool designed to help enterprise security teams find unauthorized internal apps that employees have built and deployed on their own, without going through IT review. These are sometimes called shadow IT: tools someone built on a platform like Lovable, Replit, Netlify, Vercel, Hugging Face, or Cloudflare Pages and deployed quietly, often to solve a real business problem, but without any security review. The README explicitly states it is built for authorized testing against your own organization. Given a company domain name, the tool works in three phases. First, it crawls the target domain and uses a named-entity recognition model to extract product names, brand names, and organization names beyond just the main domain. It uses these names to build search queries, then runs those queries against search engines using the Serper API to find apps hosted on the supported platforms that appear to be connected to the organization. It filters results by relevance scoring and removes obvious false positives like template demos or test projects. Once it has a list of candidate apps, it probes each one. It checks whether the app requires a login, whether it exposes a login form with no other authentication, or whether it is completely open. It scans the page source for hardcoded API keys or passwords. It also checks for a specific Supabase misconfiguration tracked as CVE-2025-48757, where a database has row-level security disabled and its anonymous access key is embedded in the frontend, allowing anyone to read database tables without credentials. Sensitive data patterns in responses are also flagged. Results stream out as structured JSON events in the terminal, and the tool includes a small browser dashboard that shows results in a terminal-style interface served over localhost. Running it requires a Serper API key for the search queries. Docker is the simplest setup path: build the image and run it with your environment file. An OpenAI key can optionally be added to generate plain-English risk summaries for each finding, but the tool works without it using its built-in rules engine.

Copy-paste prompts

Prompt 1
Explain the three phases this tool uses to find shadow IT apps for a given domain.
Prompt 2
Help me set up this tool with Docker and a Serper API key.
Prompt 3
What does the CVE-2025-48757 Supabase check in this repo actually detect?
Prompt 4
Show me how to add an OpenAI key so findings get plain-English risk summaries.

Frequently asked questions

What is vibe-scanner?

A security scanning tool that finds unauthorized apps employees quietly deployed on platforms like Lovable, Replit, or Vercel, then checks each one for common security holes.

What language is vibe-scanner written in?

Mainly HTML. The stack also includes HTML, Docker, Serper API.

How hard is vibe-scanner to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is vibe-scanner for?

Mainly developer.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.