Ybe Check 🛡️
Production-readiness security gatekeeper for vibe-coded apps.
16 scan modules · AI remediation · MCP server · VS Code + Copilot integration · Bento dashboard

🚀 Overview
In the age of AI-assisted development, code is generated faster than it can be audited. Ybe Check bridges this gap with an automated, multi-layered scanning suite that covers everything from static analysis to dynamic live probing — all integrated into your editor with AI-powered remediation.
✨ Key Features
- 16 Scan Modules — Secrets, Prompt Injection, PII, Dependencies, Auth Guards, IaC, License, AI Traceability, Test Coverage, Container Scan, SBOM, Config, Load Testing, Web Attacks, API Fuzzing, Live Prompt Testing
- MCP Server — 7 tools + 3 prompt templates for AI coding assistants (Copilot, Cursor, Claude)
- VS Code Extension — Auto-installs MCP, 13 commands, bento grid webview dashboard
- Copilot Integration — High-quality security prompts with CWE references and severity icons
- AI Remediation — Blackbox AI → Gemini → static fallback chain
- Bento Dashboard — Aurora hero, persona cards, module bars, findings drill-down
🛠️ Scan Modules (16 Pillars)
Static Analysis
| Module | Tool | What it scans |
|---|---|---|
| Secrets Detection | detect-secrets | Leaked keys, tokens, passwords |
| Prompt Injection | vigil | Prompt-based vulnerabilities |
| PII & Logging | Regex + AST | PII leaks in logs, missing PRIVACY.md |
| Auth Guards | AST parsing | Unprotected API routes |
| AI Traceability | Pattern matching | "Generated by" AI markers |
| Test & Coverage | Coverage.py | Test coverage gaps |
Dynamic Analysis
| Module | Tool | What it scans |
|---|---|---|
| Web Attacks | OWASP ZAP | XSS, SQLi, CSRF vulnerabilities |
| API Fuzzing | ffuf | Endpoint discovery, stress testing |
| Load Testing | Artillery | Performance under load |
| Live Prompt Testing | Vigil | LLM endpoint interaction testing |
Infrastructure & Compliance
| Module | Tool | What it scans |
|---|---|---|
| Dependencies | pip-audit | Insecure package versions |
| IaC Security | Checkov | Terraform/K8s misconfigurations |
| License Compliance | FOSSA | License risk assessment |
| Container Scan | Trivy | Docker image vulnerabilities |
| SBOM | Syft | Software Bill of Materials |
| Config & Env | Custom | .env validation, config drift |
💻 Quick Start
Install
```bash
pip install ybe-check
```
One-Command Setup
```bash
ybe-check init
```
This installs the VS Code extension, configures MCP, runs a scan, and launches the dashboard.
Or step by step:
```bash
# Scan your repo
ybe-check scan .

# View findings
ybe-check report

# Launch the dashboard
ybe-check dashboard
```
🔌 VS Code Extension
The extension activates on startup and:
- Auto-installs the `ybe-check` Python package if missing
- Writes MCP config to `.vscode/mcp.json` and `.cursor/mcp.json`
- Provides 13 commands via Command Palette (Ctrl/Cmd+Shift+P):
| Command | What it does |
|---|---|
| Ybe Check: Full Audit | Run all 16 modules |
| Ybe Check: Static Scan | Run static modules only |
| Ybe Check: Security Audit | Send full report to Copilot |
| Ybe Check: Fix Finding with Copilot | Fix a specific finding |
| Ybe Check: Explain Finding | Educational breakdown |
| Ybe Check: Review Current File | Security review of active file |
| Ybe Check: Fix All Critical | Batch fix critical/high issues |
| Ybe Check: Fix Current File | Fix all issues in active file |
| Ybe Check: Secure Implementation | Best-practice code helper |
| Ybe Check: Browse by Severity | Filter and pick findings |
| Ybe Check: Open Dashboard | Launch full localhost dashboard |
| Ybe Check: Install MCP | Manual MCP install |
| Ybe Check: Ask Copilot | Chat with security context |
🤖 MCP Server
7 tools for AI coding assistants:
| Tool | Description |
|---|---|
| ybe.scan_repo | Run a full security scan |
| ybe.list_findings | List/filter findings |
| ybe.get_remediation | Get AI fix for a finding |
| ybe.get_security_context | Workspace security summary |
| ybe.enhance_prompt | Add security context to any prompt |
| ybe.get_fix_prompt | Ready-to-use fix prompt |
| ybe.get_review_prompt | File review prompt |
3 prompt templates: security-audit, fix-critical, review-file
📊 Dashboard
Launch with `ybe-check dashboard` — opens at http://127.0.0.1:7474
- Aurora gradient hero with animated score
- Security persona (Champion / Cautious Builder / Risk Taker)
- Module scores with progress bars
- Verdict card with health visualization
- Paginated findings table with "Get Fix" buttons
- AI remediation modal with step-by-step guidance
- Chat sidebar with AI assistant
📄 License
Apache License 2.0 — see LICENSE for details.