v1.0

VibeArmor Documentation

Everything you need to scan your apps, integrate with CI/CD, and connect VibeArmor to your AI coding assistant.

Quick Start

Get your first security scan in under 3 minutes. No account required.

1. Scan your first app

Go to vibearmor.ai/scan and paste any live URL. Vercel previews, Netlify deploys, Railway apps, or any public endpoint. The scan takes about 2-3 minutes and runs 100 security checks against your app.

2. What the score means

Every scan produces a score from 0 to 100, mapped to a letter grade. The score reflects real hackability, not security hygiene trivia.

| Score | Grade | Meaning |
| --- | --- | --- |
| 95 - 100 | A+ | Excellent. No exploitable issues found. |
| 90 - 94 | A | Strong. Minor defense gaps only. |
| 80 - 89 | B | Good. Some Tier 2 issues to address. |
| 70 - 79 | C | Fair. Real security gaps present. |
| 50 - 69 | D | Poor. Exploitable vulnerabilities found. |
| 0 - 49 | F | Failing. Critical hackability issues. |

3. Understanding finding tiers

Every finding is classified into one of three tiers. This is the core of how VibeArmor differs from generic scanners: we separate what is actually exploitable from what is noise.

Tier 1
HACKABLE

Proves your app can be exploited right now. Exposed secrets, auth bypass, injection attacks, cross-user data access. Fix immediately.

Tier 2
FIX THIS

Real security gaps that need attention. Missing HTTPS, no CSP header, absent rate limiting, insecure cookies. These enable attacks.

Tier 3
INFO

Informational findings that never affect your score. Good to know, but not exploitable. We show them so you have the full picture.

API Reference

Trigger scans programmatically. Available on the Security Report ($499) and Pentest ($2,500) tiers, or rate-limited on the free tier.

POST /api/scan

Request body

request.json
{
  "url": "https://your-app.com"
}

Response

response.json
{
  "scanId": "scan_abc123",
  "url": "https://your-app.com",
  "score": 72,
  "grade": "C",
  "findings": [
    {
      "id": "exposed-supabase-service-key",
      "severity": "critical",
      "tier": 1,
      "title": "Supabase service_role key exposed in client bundle",
      "description": "...",
      "fix": "Move to server-side API route",
      "status": "fail"
    }
  ],
  "criticalCount": 1,
  "highCount": 2,
  "mediumCount": 3,
  "lowCount": 5,
  "durationMs": 147200,
  "scannedAt": "2026-03-31T12:00:00Z"
}

Rate limits

  • Free / anonymous: 5 requests/minute per IP
  • API key (Security Report/Pentest): 30 requests/minute per IP

Example: curl

terminal
curl -s -X POST https://vibearmor.ai/api/scan \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-app.com"}' | jq .

Example: JavaScript

scan.ts
const res = await fetch("https://vibearmor.ai/api/scan", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ url: "https://your-app.com" }),
});

// A non-2xx response (for example 429 when rate limited) carries no score;
// fail closed instead of destructuring undefined fields from an error body.
if (!res.ok) {
  console.error(`Scan request failed: HTTP ${res.status}`);
  process.exit(1);
}

const { score, grade, findings, criticalCount } = await res.json();

if (criticalCount > 0) {
  console.error(`FAIL: ${criticalCount} critical vulnerabilities found`);
  process.exit(1);
}

console.log(`Score: ${score} (${grade})`);

CI/CD Integration

Add a security gate to your deployment pipeline. Block deploys that fail your score threshold. Zero dependencies required.

GitHub Actions

Add this step to any workflow. It uses only curl and jq — no action marketplace dependencies, no supply chain risk.

.github/workflows/security.yml
name: Security Scan

on:
  push:
    branches: [main]
  pull_request:

jobs:
  vibearmor:
    runs-on: ubuntu-latest
    steps:
      - name: Wait for deployment
        uses: actions/github-script@v7
        with:
          script: |
            // Wait for your preview deploy to be ready
            // Replace with your deployment check logic

      - name: VibeArmor Security Scan
        # Scans take 2-3 minutes; cap the step so a stalled scan cannot hang the build
        timeout-minutes: 5
        run: |
          RESULT=$(curl -sS --fail -X POST https://vibearmor.ai/api/scan \
            -H "Content-Type: application/json" \
            -d '{"url": "${{ env.DEPLOY_URL }}"}')

          # Quote the body so jq receives it unchanged by word splitting or globbing
          SCORE=$(echo "$RESULT" | jq -r '.score')
          GRADE=$(echo "$RESULT" | jq -r '.grade')
          CRITICAL=$(echo "$RESULT" | jq -r '.criticalCount')

          # Fail closed: a missing or non-numeric score (e.g. "null") must not pass the gate
          if ! [ "$SCORE" -ge 0 ] 2>/dev/null; then
            echo "::error::Scan returned no usable score"
            exit 1
          fi

          echo "## Security Scan Results" >> "$GITHUB_STEP_SUMMARY"
          echo "Score: **$SCORE** (Grade: **$GRADE**)" >> "$GITHUB_STEP_SUMMARY"
          echo "Critical findings: **$CRITICAL**" >> "$GITHUB_STEP_SUMMARY"

          if [ "$SCORE" -lt "70" ]; then
            echo "::error::Security score $SCORE is below threshold (70)"
            exit 1
          fi

          echo "Security scan passed with score $SCORE ($GRADE)"

Vercel Deploy Hook

COMING SOON

Automatic scans triggered on every Vercel deployment. Add your Vercel project ID in the VibeArmor dashboard and scans run on every preview and production deploy. No workflow files needed.

Tips

  • Set the threshold to match your risk tolerance. 70 blocks anything below a C. 90 requires an A or better.
  • For pull request checks, scan the preview URL (Vercel generates one per PR).
  • Scans take 2-3 minutes. Add a timeout of 5m to your CI step to avoid hanging builds.
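The gate logic behind these tips, written out as an added TypeScript example (not VibeArmor's own code): it validates the /api/scan body before trusting it, applies a score threshold, optionally fails on any Tier 1 finding regardless of score, and wraps the request in the 5-minute timeout recommended above. It assumes only the response shape shown in the API Reference (score, grade, criticalCount, findings[].tier); the policy fields and the names evaluateGate, parseScanResult and runGate are ours, and the sample response is constructed.

```typescript
// Added example, not VibeArmor code. Assumes the /api/scan response shape from the docs.

interface ScanFinding {
  id: string;
  tier: 1 | 2 | 3;
  severity: string;
  title: string;
}

interface ScanResult {
  score: number;
  grade: string;
  criticalCount: number;
  findings: ScanFinding[];
}

interface GatePolicy {
  minScore: number;     // 70 blocks anything below a C, 90 requires an A or better
  failOnTier1: boolean; // any HACKABLE finding fails the gate regardless of score
}

interface GateVerdict {
  pass: boolean;
  reasons: string[];
}

// Validate the JSON before trusting it: an error body or a truncated response
// must not pass the gate just because `undefined < 70` happens to be false.
function parseScanResult(body: unknown): ScanResult | null {
  if (typeof body !== "object" || body === null) return null;
  const r = body as Record<string, unknown>;
  if (typeof r.score !== "number" || !Number.isFinite(r.score)) return null;
  if (typeof r.grade !== "string") return null;
  const findings = Array.isArray(r.findings) ? (r.findings as ScanFinding[]) : [];
  const criticalCount = typeof r.criticalCount === "number" ? r.criticalCount : 0;
  return { score: r.score, grade: r.grade, criticalCount, findings };
}

function evaluateGate(body: unknown, policy: GatePolicy): GateVerdict {
  const result = parseScanResult(body);
  if (result === null) {
    // Fail closed: a scan that produced no score is not a passing scan.
    return { pass: false, reasons: ["scan response has no usable score"] };
  }
  const reasons: string[] = [];
  if (result.score < policy.minScore) {
    reasons.push(`score ${result.score} (${result.grade}) is below threshold ${policy.minScore}`);
  }
  if (policy.failOnTier1) {
    for (const f of result.findings.filter((f) => f.tier === 1)) {
      reasons.push(`Tier 1 finding: ${f.id}`);
    }
  }
  return { pass: reasons.length === 0, reasons };
}

// Calls /api/scan with a hard timeout (5 minutes for a 2-3 minute scan) and hands
// the body to evaluateGate. fetchImpl is injectable so the gate can run in tests
// without network access.
async function runGate(
  targetUrl: string,
  policy: GatePolicy,
  timeoutMs = 5 * 60 * 1000,
  fetchImpl: typeof fetch = fetch,
): Promise<GateVerdict> {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchImpl("https://vibearmor.ai/api/scan", {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ url: targetUrl }),
      signal: controller.signal,
    });
    if (!res.ok) return { pass: false, reasons: [`scan request failed: HTTP ${res.status}`] };
    return evaluateGate(await res.json(), policy);
  } catch (err) {
    return { pass: false, reasons: [`scan request aborted: ${String(err)}`] };
  } finally {
    clearTimeout(timer);
  }
}

// Constructed sample response mirroring the API Reference example.
const SAMPLE_RESPONSE = {
  score: 72,
  grade: "C",
  criticalCount: 1,
  findings: [{ id: "exposed-supabase-service-key", tier: 1, severity: "critical", title: "..." }],
};

const verdict = evaluateGate(SAMPLE_RESPONSE, { minScore: 70, failOnTier1: true });
console.log(verdict.pass ? "gate passed" : `gate failed: ${verdict.reasons.join("; ")}`);
```

With the sample response, a threshold of 70 alone would pass (72 is a C), but the failOnTier1 rule blocks the deploy because the exposed service key is a Tier 1 finding; that is the distinction between "above threshold" and "not currently hackable" that the tiers are meant to capture.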

MCP Server (AI Assistant Integration)

Connect VibeArmor directly to your AI coding assistant. Scan URLs, check security, and get scores without leaving your editor.

Claude Code

Add the VibeArmor MCP server to your .mcp.json file:

.mcp.json
{
  "mcpServers": {
    "vibearmor": {
      "command": "npx",
      "args": ["-y", "vibearmor-mcp"],
      "env": {
        "VIBEARMOR_API_URL": "https://vibearmor.ai",
        "VIBEARMOR_API_KEY": "your-api-key"
      }
    }
  }
}

Cursor

Open Settings > MCP > Add Server and enter the same configuration as above.

Available tools

scan_url

Run a full 100-check security scan on any URL. Returns score, grade, findings, and fix suggestions.

check_security

Focused scan on a single security category (e.g., auth, secrets, headers). Faster than a full scan.

security_score

Quick pass/fail score check for CI/CD gates. Returns score and grade without full finding details.

get_scan_report

Fetch a previous scan result by scan ID. Use this to review historical scans.

Usage example

Once connected, you can ask your AI assistant naturally:

> Scan https://my-app.vercel.app for security issues
> Check if my app has any exposed API keys
> What's the security score for my staging URL?
> Show me the results from my last scan

Scoring Model

Our scoring model is calibrated so that well-secured apps score high and genuinely hackable apps score low. Stripe scores A+. Shopify scores A.

Point deductions by tier and severity

Every scan starts at 100. Points are deducted based on the tier and severity of each failed check. Tier 3 findings are shown but never deduct points.

| Severity | Tier 1 | Tier 2 | Tier 3 | Impact |
| --- | --- | --- | --- | --- |
| Critical | -25 | -10 | 0 | Direct exploitability |
| High | -15 | -5 | 0 | Enables attack chain |
| Medium | -5 | -2 | 0 | Defense weakness |
| Low | -1 | 0 | 0 | Informational |

Score floors

Floors prevent misleadingly low scores when an app has many minor issues but nothing exploitable. They ensure the grade reflects actual hackability.

  • 40 (Absolute floor): No app can score below 40, regardless of findings.
  • 75 (No Tier 1 floor): If there are no Tier 1 findings, the score cannot drop below 75.
  • 90 (No Tier 1 + 2 floor): If there are no Tier 1 or Tier 2 findings, the score stays at 90 or above.
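The deduction table and the three floors, carried through as an added TypeScript example (not VibeArmor's implementation, which the page does not show): scoreFor subtracts the tabulated points for each failed check, lifts the result to the most favourable applicable floor, and gradeFor maps the score onto the letter grades from the Quick Start table. Finding objects use the tier, severity and status fields of the /api/scan response; the function and constant names and the sample finding lists are ours.

```typescript
// Added example, not VibeArmor code: the published scoring model applied to findings
// in the shape /api/scan returns (tier, severity, status).

type Tier = 1 | 2 | 3;
type Severity = "critical" | "high" | "medium" | "low";

interface Finding {
  tier: Tier;
  severity: Severity;
  status: "pass" | "fail";
}

// Point deductions from the "Point deductions by tier and severity" table.
const DEDUCTIONS: Record<Severity, Record<Tier, number>> = {
  critical: { 1: 25, 2: 10, 3: 0 },
  high: { 1: 15, 2: 5, 3: 0 },
  medium: { 1: 5, 2: 2, 3: 0 },
  low: { 1: 1, 2: 0, 3: 0 },
};

function scoreFor(findings: Finding[]): number {
  // Only failed checks deduct; Tier 3 rows are all zero, so INFO findings never move the score.
  const failed = findings.filter((f) => f.status === "fail");
  const raw = failed.reduce((s, f) => s - DEDUCTIONS[f.severity][f.tier], 100);

  // Floors: 40 always; 75 with no Tier 1; 90 with neither Tier 1 nor Tier 2.
  const hasTier1 = failed.some((f) => f.tier === 1);
  const hasTier2 = failed.some((f) => f.tier === 2);
  let floor = 40;
  if (!hasTier1) floor = 75;
  if (!hasTier1 && !hasTier2) floor = 90;
  return Math.max(raw, floor);
}

// Letter grades from the Quick Start score table.
function gradeFor(score: number): string {
  if (score >= 95) return "A+";
  if (score >= 90) return "A";
  if (score >= 80) return "B";
  if (score >= 70) return "C";
  if (score >= 50) return "D";
  return "F";
}

// Constructed inputs illustrating the floors.
const HACKABLE: Finding[] = [
  { tier: 1, severity: "critical", status: "fail" }, // e.g. a service key in the client bundle
  { tier: 2, severity: "high", status: "fail" },     // e.g. no rate limiting
  { tier: 2, severity: "medium", status: "fail" },
];
// 100 - 25 - 5 - 2 = 68 (D); no floor lifts it because a Tier 1 finding is present.

const NOISY_BUT_SAFE: Finding[] = Array.from(
  { length: 12 },
  (): Finding => ({ tier: 2, severity: "high", status: "fail" }),
);
// 100 - 12 * 5 = 40 raw, but with no Tier 1 finding the floor lifts it to 75 (C).

const INFO_ONLY: Finding[] = [{ tier: 3, severity: "critical", status: "fail" }];
// Tier 3 deducts nothing: 100 (A+).

for (const [name, findings] of Object.entries({ HACKABLE, NOISY_BUT_SAFE, INFO_ONLY })) {
  const score = scoreFor(findings);
  console.log(`${name}: ${score} (${gradeFor(score)})`);
}
```

The NOISY_BUT_SAFE case is the one the floors exist for: twelve Tier 2 highs would otherwise score the same 40 as an app with three exposed-credential findings, even though nothing in it is exploitable today.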

Calibration reference

We calibrate our scoring against well-known production apps to ensure grades are meaningful.

| Grade | Reference app | Assessment |
| --- | --- | --- |
| A+ | Stripe | Best-in-class security |
| A | Shopify | Strong with minor gaps |
| C | Typical vibe-coded app | Exploitable issues present |

Ready to scan?

Paste a URL and get your security score in 3 minutes. Free, no signup.

Scan Your App Free