VibeCop Documentation

Your codebase is accumulating entropy. We measure it.

Every PR gets reviewed against your codebase's established patterns — not just the diff. VibeCop catches architectural drift before it compounds into technical debt.

What VibeCop catches

AI Slop Detection — 4 surfaces

Before any LLM touches your code, four deterministic layers run across your entire repo. Fast, cheap, no false positives from hallucinated rules.

DEP SCAN: Dependency vulnerabilities. CVEs across your entire package tree, transitive included.
SECRETS: Exposed credentials. API keys, tokens, hardcoded passwords in source.
SAST: Static code patterns. Injection, XSS, path traversal via Semgrep rules.
IAC: Infrastructure misconfigs. Dockerfile, Terraform, k8s manifests.

Example quick-scan run:

$ vibecop scan --quick realworld-app
↳ 62 packages · 1,240 files
 
— dep scan ————————————————
✗ P1 lodash@4.17.20 CVE-2021-23337
✗ P1 express-jwt@5.3.1 auth bypass
— secrets ——————————————————
⚠ P2 JWT_SECRET config.js:4 (hardcoded)
— SAST (semgrep) ———————————
⚠ P2 sql-concat db/queries.js:88
— IaC ——————————————————————
⚠ P2 root-user Dockerfile:3
 
3 critical · 7 warnings · done in 28s

Architecture Integrity Index

A score, not a report. 0–100. Updated per PR.

Computed across four structural axes — each worth 25 points. Tracks how coherent your codebase's architecture is over time. Not a linter. A health signal.

Pattern Coherence: Similar problems solved the same way. 21/25
Knowledge Reuse: Logic reused, not re-implemented. 18/25
Abstraction Discipline: Abstractions earning their weight. 14/25
Architectural Complexity: Cycles, fan-out, coupling. 19/25

Integrity: 72 (↑ +3 pts from last scan)

Key concepts

Understanding VibeCop


Get started

Up and running in 5 steps

1. Connect your repo
Authenticate with GitHub and select the repository you want VibeCop to analyse.

2. Quick scan (~30s)
No LLM, no rules. Dep scan + secrets + SAST + IaC runs across your whole repo. You see real findings immediately.

3. Confirm your stack
VibeCop detects your languages, frameworks, and package manager. Confirm or correct the detected stack.

4. Stack Profile KB is built
A knowledge base is generated for your detected stack and used to calibrate the LLM detectors to your context.

5. Begin analysis
Full scan runs. Pattern Fingerprint is extracted. Architecture Integrity Index is computed. You're live.