Documentation

Quick Start

VibeShield works in three steps: create a project, run a scan, review findings. Most teams start with a URL scan and add source code scans for deeper static analysis coverage.

1. Create a project

Go to Dashboard then New Project. Give it a name and optional target URL. Projects group scans, findings, and trend history.

2. Run a scan

Click + New Scan inside a project. Choose URL Scan for live black-box analysis or Source Code Scan for static analysis of a ZIP archive or Git repo. Scans run asynchronously — you will be notified on completion.

3. Review findings, get AI fix suggestions, re-test

Open findings by severity. Claude AI generates a scan summary and can produce targeted fix suggestions for individual findings. Mark fixed issues, run another scan, and confirm remediation.

If anything is unclear, visit Support.

Accounts & Access

All protected API operations are tied to authenticated users. Project data and scan results are scoped per account.

Registration & email verification

Accounts are created at /register. If the platform administrator has enabled email verification, a verification link is sent to your inbox before you can log in. Click the link to activate your account. If you do not receive it, check spam or use the resend option on the login screen.

Authentication methods

• Email + password — standard credential login at /login
• Google SSO — one-click sign-in with your Google account (when enabled by the admin)
• API key — for CI/CD and automation; generated at API Keys (starts with vs_)

Security hygiene

• Do not commit tokens, API keys, cookies, or webhook URLs to repositories.
• Do not post real credentials in screenshots, tickets, chat logs, or docs.
• Rotate API keys immediately if exposure is suspected.

Google SSO

When Google SSO is enabled by the platform administrator, a Sign in with Google button appears on the login and register pages. Clicking it redirects you through Google OAuth2 and back into the dashboard — no password required.

SSO accounts are linked by email address. If you already have a password account with the same email, the Google login merges into that account automatically.

Google SSO availability depends on platform configuration. Contact support if you need it enabled for your account.

Organizations & Teams

Organizations let multiple users collaborate on shared projects. Each organization has a name and a URL slug. Members have one of three roles:

Managing your organization

Go to Organization to create an org, invite members by email, change member roles, or remove members. Only owners can change other owners' roles.

URL Scan

A URL scan runs black-box checks against a live target. Typical runtime is 1–3 minutes depending on target response speed and enabled checks.

Authenticated scanning

Provide a login URL, username, and password to test post-login pages and session behavior. This surfaces issues only visible to authenticated users, such as IDOR, privilege escalation, and session fixation.

Scan intensity

Standard — default safe mode for routine checks. Suitable for production targets.

Thorough — deeper endpoint probing and more traffic. Use on staging environments where possible.

GraphQL introspection check

URL scans detect exposed GraphQL introspection endpoints, which leak schema structure and can accelerate targeted attacks.

Custom scan headers

Add arbitrary HTTP headers to all scan requests via Scan Profiles. Useful for internal services that require custom auth tokens or tenant identifiers.

If a domain is blocked but should be allowed, request review via Support.

Source Code Scan

Upload a ZIP archive or provide a Git repository URL. VibeShield performs static analysis for secrets, risky code patterns, vulnerable dependencies, and infrastructure misconfigurations.

Detected issues include:

• Hardcoded API keys, tokens, and credentials
• Unsafe DOM sinks and eval-style execution paths
• Weak JWT handling and insecure auth patterns
• Frontend-only authorization logic
• SQL injection indicators and dangerous string concatenation
• Known vulnerabilities in dependencies (OSV database)
• IaC misconfigurations in Terraform, CloudFormation, Kubernetes YAML
• Hardcoded secrets and permission issues in Dockerfiles
• Insecure permissions and exposed endpoints in Android APKs

Source scans require a Pro account.

Scan Profiles

Scan profiles are reusable scan configurations. Instead of reconfiguring scan options each time, create a profile once and select it when starting a new scan.

What a profile controls

• Disabled check categories — skip entire check groups (e.g. headers, TLS, cookies) that are not relevant to your target
• Minimum severity — suppress findings below a threshold (e.g. ignore Informational findings)
• Custom headers — key/value pairs appended to every request made during the scan

Manage profiles at Scan Profiles.

Scan Lifecycle

Scan states help you automate and monitor progress:

• queued — waiting for worker capacity
• running — checks are currently executing
• completed — report and findings ready
• failed — interrupted by a runtime or validation issue

Poll scan status with GET /api/scans/{id}/status or fetch the full report via GET /api/scans/{id}/report.json.

Understanding Findings

Every finding includes title, severity, category, evidence, OWASP/PCI/GDPR compliance tags (where applicable), remediation guidance, and optionally an AI-generated fix suggestion.

Finding statuses

• Open — unresolved, requires attention
• Fixed — resolved and confirmed by a re-scan
• Accepted Risk — known and accepted by the team
• False Positive — confirmed not exploitable in this context

Comments

Use team comments on findings to document triage decisions, link pull requests, and coordinate remediation. Comments are scoped to the finding and visible to all team members.

AI fix suggestions

On any finding detail page, click Generate with Claude AI to request a targeted remediation suggestion. The suggestion is generated asynchronously by Claude and appears within seconds. See AI Features for details.

Severity Levels

The risk score is the sum of weighted open findings, capped at 100. Fixing findings reduces the score in the next scan.

Compliance Mapping

VibeShield maps findings to three compliance frameworks. Tags appear as colored pills on finding detail pages and in exported reports.

Compliance tags are generated automatically by Claude AI during scan processing. They appear in exports and the API response under the compliance_tags field on each finding.

AI Features

VibeShield integrates Claude AI (Anthropic) to reduce manual analysis time and accelerate remediation.

Scan summary

After every scan completes, Claude generates a concise natural-language summary of the findings — what was found, the overall risk posture, and the top priorities. The summary appears at the top of the scan report in a blue panel.

AI fix suggestions

On any finding detail page, click Generate with Claude AI. Claude reads the finding title, description, evidence, and affected code or endpoint, then generates a concrete remediation recommendation. Results are cached — generating twice returns the same suggestion instantly.

Weekly executive summary email

Pro users can opt in to a weekly email (sent every Monday at 08:00) that summarizes security posture across all projects: total open findings by severity, risk score trends, newly discovered vs. resolved issues, and AI-generated recommendations for the week. Enable it in Notification Settings.

Compliance tagging

Claude automatically assigns OWASP, PCI-DSS, and GDPR compliance tags to each finding based on its category and evidence. See Compliance Mapping.

Export & Reports

Every completed scan can be exported in multiple formats. Use the Export button on the scan report page.

Shared Reports

Generate a read-only shareable link for any completed scan report. The link gives recipients full access to the findings without requiring a VibeShield account.

Shareable links are useful for sharing results with clients, auditors, or teams who are not VibeShield users. Links can be revoked at any time from the scan report page.

Shared reports include the AI summary, compliance tags, and all findings — but do not expose raw scan configuration or credentials.

Notifications & Alerts

VibeShield supports multiple notification channels. Configure them at Alerts.

Discord

Paste a Discord incoming webhook URL to receive scan completion messages in any channel. Messages include the project name, risk score, finding counts by severity, and a direct link to the report.

Slack

Paste a Slack incoming webhook URL for the same scan completion alerts delivered to a Slack channel. Supports daily digest mode — a single end-of-day summary instead of per-scan messages.

Microsoft Teams

Paste a Teams incoming webhook URL to post scan results into a Teams channel. Uses adaptive card formatting.

Email

Receive scan completion emails to your account email address. Requires the platform SMTP configuration to be set up by an administrator. Enable or disable per-notification preferences in Notification Settings.

Weekly executive summary

A Monday morning email with an AI-generated cross-project security briefing. Enable in notification settings. See AI Features.

Scheduled Scans

Use Schedules to run recurring URL scans automatically — daily or weekly — without manual intervention.

Scheduled scans respect your configured notification channels. By default, scheduled scans use diff-only alerting to suppress noise when nothing new is found.

Scan results from scheduled runs appear in the project scan history alongside manual scans.

Diff-Only Alerts

Scheduled scans enable diff-only alerting by default. When a scheduled scan completes, VibeShield compares the new Critical and High findings against the previous scan. Notifications are only sent when at least one new finding is present that was not in the previous scan.

This prevents alert fatigue from recurring scans that produce the same known findings. Teams receive alerts only when the security posture actually changes.

Manual scans always notify on completion regardless of whether findings are new.

CI/CD Integration

Use API keys and the VibeShield API to run scans as part of your deployment pipeline. A typical pattern:

# 1. Start scan
SCAN=$(curl -s -X POST https://app.vibeshield.com/api/scans/url \
  -H "Authorization: Bearer vs_your_key" \
  -H "Content-Type: application/json" \
  -d '{"project_id":"your-project-uuid","url":"https://staging.example.com"}')

SCAN_ID=$(echo $SCAN | jq -r '.id')

# 2. Poll for completion
while true; do
  STATUS=$(curl -s https://app.vibeshield.com/api/scans/$SCAN_ID/status \
    -H "Authorization: Bearer vs_your_key" | jq -r '.status')
  [ "$STATUS" = "completed" ] || [ "$STATUS" = "failed" ] && break
  sleep 15
done

# 3. Fail build on critical findings
CRITICALS=$(curl -s https://app.vibeshield.com/api/scans/$SCAN_ID/report.json \
  -H "Authorization: Bearer vs_your_key" | jq '[.findings[] | select(.severity=="Critical")] | length')

[ "$CRITICALS" -gt 0 ] && echo "Build failed: $CRITICALS critical findings" && exit 1

For SARIF output consumable by GitHub Code Scanning, export via GET /api/scans/{id}/export/sarif and upload the file using the upload-sarif action.

Keep API keys in your CI secret store only — never in code or environment files committed to source control.

API Reference

Protected endpoints require authentication scoped to the logged-in user. Use either a JWT token or an API key in the bearer header.

Authorization header

Authorization: Bearer vs_your_api_key_here
# or
Authorization: Bearer <jwt_access_token>

Base URL

https://app.vibeshield.com/api

Login example

# 1) Login
curl -X POST https://app.vibeshield.com/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"you@example.com","password":"your-password"}'

# 2) Call protected endpoint
curl https://app.vibeshield.com/api/projects \
  -H "Authorization: Bearer <token>"

Public endpoints

• GET /health
• POST /auth/register and POST /auth/login
• GET /auth/google — Google SSO redirect
• GET /auth/verify-email?token=... — email verification
• POST /auth/resend-verification
• GET /auth/public-config
• POST /scans/url/guest and GET /scans/guest/{scan_id}

Protected endpoints

Do not include real secrets, tokens, or passwords when sharing request examples publicly.

Need integration help or auth troubleshooting? Visit Support.

Keyboard Shortcuts

Available in-app when focus is not in a text field: