Open-Source Security Initiative

Secure Your Code at the Speed of Vibe

Get the Quantum Bases Vibe Coding Security Scanner. Install it as a custom skill inside your favorite agentic interfaces to automatically intercept BOLA, SQL Injection, and 12 other AI-generated vulnerabilities before they hit git.

From the Quantum Bases Team with Love

Vibe coding makes shipping fast incredibly fun. But security shouldn't be the bottleneck. We built this scanner to provide every developer with basic security guardrails for free. It is our team's humble effort to promote secure, resilient coding practices for everyone.

🚀 Zero-Install Quick Start (1-Click Run)

Get your codebase audited in under 3 seconds with minimal effort. You can either copy-paste the immediate scan command below, or download the scanner script to run locally.

Method A: Run Immediately in Terminal (Zero Configuration)

Paste this one-line command into your terminal at your project root. It securely fetches the scanner tool into memory, audits all project files, prints severity warnings, and cleans up instantly.

Copy & Paste into your project root
curl -s https://quantumbases.com/assets/scripts/vibe-audit-tool.js | node

Method B: Download Script & Run Anywhere

Prefer a local file? Click the primary download button below to grab the script. Save it as vibe-audit-tool.js in your project, and invoke it with node anytime you want:

Download Scanner Script (1-Click)

No NPM packages, no credentials, 100% local scanning.

Integrate as an IDE Custom Skill / Custom Rule

Configure your development agents (Antigravity, Claude Code, or Claude Web) to automatically run this security audit before completing edits:

Antigravity IDE Integration

Enable automatic security scans in your workspace using Antigravity custom rules.

1. Save the tool in your workspace

Antigravity IDE Integration - Step 1
mkdir -p .github/scripts && curl -o .github/scripts/vibe-audit.js https://quantumbases.com/assets/scripts/vibe-audit-tool.js
chmod +x .github/scripts/vibe-audit.js

2. Enforce validation via .antigravityrules

Antigravity IDE Integration - Step 2
# Security Constraint Rules
- Before completing any backend file edits or database tasks, you MUST run: `node .github/scripts/vibe-audit.js`
- Review scan results, analyze any Critical or High warnings, and refactor the code to fix security issues before declaring the task done.

Active Scans (21 Rules)

The skill runs regex validations over your source and configuration files to detect the typical shortcuts found in LLM-generated code:

QB-SQL-INJECTION: Raw SQL query string interpolations
QB-NOSQL-INJECTION: MongoDB $where / NoSQL injection
QB-MASS-ASSIGN: Lax parameter mappings directly to ORMs
QB-BOLA-QUERY: Lacking tenant verification scopes
QB-HARDCODED-KEYS: Hardcoded API keys / mock secrets
QB-JWT-NO-VERIFY: Unverified jwt.decode() payload reads
QB-XSS-DANGER: Insecure innerHTML DOM injection calls
QB-SSRF-AGENT: Host-unverified requests via dynamic URLs
QB-CORS-WILDCARD: Permissive CORS configurations
QB-PATH-TRAVERSAL: Concatenated client file paths
QB-WEAK-CRYPTO: Insecure hashing (md5 / sha1)
QB-CRITICAL-EVAL: eval() & unescaped child process runs
QB-UNSAFE-DESERIALIZE: Arbitrary unserialize function calls
QB-PROTOTYPE-POLLUTION: Properties map bypasses for __proto__
QB-SENSITIVE-LOGGING: Leaking user credentials to log outputs
QB-OPEN-REDIRECT: User-controlled redirect destinations
QB-INSECURE-COOKIE: Cookies without Secure / HttpOnly flags
QB-MISSING-AUTH: Express routes missing auth middleware
QB-REGEX-REDOS: Catastrophic backtracking regex (ReDoS)
QB-ENV-DISCLOSURE: process.env dumped in API responses
QB-SUPPLY-CHAIN-EXFIL: Sensitive file access & exfiltration risk
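As an added illustration of the kind of regex check the rule list describes (this is not the Quantum Bases scanner's own code), here is a small checker for three of the rules above, run over a constructed vulnerable Express handler and its remediated form. The regex patterns, severities and sample handlers are assumptions of this example, not taken from the scanner.

```javascript
// Added example, not the vibe-audit-tool.js source: a minimal line-based regex
// scanner for three of the listed rule IDs. Patterns/severities are assumptions.
const RULES = [
  // template-literal interpolation or string concatenation fed into .query()/.execute()
  { id: 'QB-SQL-INJECTION', severity: 'Critical', pattern: /\.(query|execute)\(\s*(`[^`]*\$\{|['"][^'"]*['"]\s*\+)/ },
  // jwt.decode() reads claims without checking the signature
  { id: 'QB-JWT-NO-VERIFY', severity: 'High', pattern: /\bjwt\.decode\(/ },
  // the whole process.env object handed to a response serializer
  { id: 'QB-ENV-DISCLOSURE', severity: 'High', pattern: /res\.(json|send)\(\s*process\.env\s*\)/ },
];

// Scan source text line by line; returns one finding per (line, rule) match,
// ordered by line number and then by rule order.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const rule of RULES) {
      if (rule.pattern.test(line)) {
        findings.push({ id: rule.id, severity: rule.severity, line: idx + 1, text: line.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample: the shortcuts an LLM-generated handler might contain
// (unverified JWT, interpolated SQL, environment dump in the response).
const VULNERABLE_SAMPLE = `
app.get('/users/:id', (req, res) => {
  const claims = jwt.decode(req.headers.authorization);
  db.query(\`SELECT * FROM users WHERE id = \${req.params.id}\`);
  res.json(process.env);
});`;

// The same handler after remediation: verified token, parameterized query,
// and only the fields the client needs in the response.
const FIXED_SAMPLE = `
app.get('/users/:id', (req, res) => {
  const claims = jwt.verify(req.headers.authorization, process.env.JWT_SECRET);
  db.query('SELECT * FROM users WHERE id = ?', [req.params.id]);
  res.json({ id: claims.sub });
});`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanSource(VULNERABLE_SAMPLE)) console.log(`[${f.severity}] ${f.id} line ${f.line}: ${f.text}`);
  console.log('findings in fixed sample:', scanSource(FIXED_SAMPLE).length);
}
```

Running the block reports three findings on the vulnerable handler and none on the fixed one; a real scanner would add the remaining rules and walk the project tree the same way.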

Production Readiness Check?

Automated regex scanning is the first line of defense. Logic flaws, access-control overrides, and business-context threats still require human intuition.

Book an Expert Manual Audit