Security

What VibeFence scans for

Twelve high-precision rule families covering exposed secrets, dependency CVEs, common auth misconfigurations, and AI-specific risks (untrusted input flowing to model tool calls, unauthenticated proxy endpoints).

How we isolate untrusted code

The scanner runs inside a kernel-level sandbox with a read-only mount of the cloned repo, no host filesystem access, and an egress allowlist limited to vulnerability databases. Untrusted code from your repo never executes; only static analyzers read it.

Vulnerability disclosure

Found a security issue in VibeFence? Email security@vibefence.dev. We aim to respond within 48 hours.

Data handling

Scan reports are stored in Cloudflare R2 (US region). Findings strip secret values — only redacted matches are persisted. See Privacy for retention.
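As an added example (not VibeFence's code; the finding fields, the masking rule and the dedup key are assumptions), one way to turn a raw scanner hit into a record that can be persisted without carrying the secret value itself:

```python
import hmac
import json

# Constructed sample hit; the field names are an assumption, not VibeFence's report format.
RAW_FINDING = {
    "rule": "exposed-secret/aws-access-key",
    "path": "config/settings.py",
    "line": 12,
    "match": "AKIAIOSFODNN7EXAMPLE",
}

# Placeholder key for the constructed example; a real deployment would hold this server-side.
DEDUP_KEY = b"constructed-placeholder-key"


def redact_secret(value: str, keep: int = 4) -> str:
    """Keep a short prefix for triage and replace the rest with a fixed-width mask,
    so the stored string reveals neither the secret nor its exact length."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * 8


def fingerprint(value: str) -> str:
    """Keyed HMAC of the secret, truncated for dedup across scans. Keying (rather than a
    bare hash) keeps low-entropy secrets from being recovered by guessing."""
    return hmac.new(DEDUP_KEY, value.encode(), "sha256").hexdigest()[:16]


def to_persisted(finding: dict) -> dict:
    """Build the record that may be stored: raw match dropped, redacted form and fingerprint kept."""
    secret = finding["match"]
    record = {k: v for k, v in finding.items() if k != "match"}
    record["redacted_match"] = redact_secret(secret)
    record["fingerprint"] = fingerprint(secret)
    return record


def leaks_secret(record: dict, secret: str) -> bool:
    """Guard to run before persisting: the raw secret must not appear anywhere in the serialized record."""
    return secret in json.dumps(record)
```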