╔═════════════════════════════════════════════════════════════════╗
║ ║
║ ░██████╗░██╗░░░██╗░█████╗░ ║
║ ██╔════╝░██║░░░██║██╔══██╗ ║
║ ██║░░██╗░╚██╗░██╔╝██║░░██║ ║
║ ██║░░╚██╗░╚████╔╝░██║░░██║ ║
║ ╚██████╔╝░░╚██╔╝░░╚█████╔╝ ║
║ ░╚═════╝░░░░╚═╝░░░░╚════╝░ ║
║ ║
║ 🛡️ security scanner for vibe coders 🛡️ ║
║ ║
╚═════════════════════════════════════════════════════════════════╝
GoodVibesOnly
Security scanner for vibe-coded projects. A Claude Code extension that automatically scans for vulnerabilities when Claude Code commits on your behalf.
How It Works
GoodVibesOnly uses Claude Code's hooks system to intercept git commands within Claude Code sessions. It does not hook into git directly — it only triggers when Claude Code itself runs a Bash command.
- Intercepts Claude Code's Bash calls - A PreToolUse hook runs the scanner whenever Claude Code is about to execute a Bash command
- Checks for git commit/push - If the command is a git commit or git push, it scans staged files for hardcoded secrets, injection vulnerabilities, XSS, and more
- Blocks on critical issues - Prevents Claude Code from executing the commit by exiting with code 2
- Allows warnings through - High/medium issues are reported but don't block
Note: This only works when committing through Claude Code. Running git commit directly in your terminal will not trigger the scan. For terminal-level git hooks, consider a traditional pre-commit hook tool.
You (in Claude Code): commit my changes
🛡️ GoodVibesOnly Security Scan
🔴 CRITICAL - Must fix before commit:
1. Hardcoded API Key
src/config.js:15
const API_KEY = "sk-abc123..."
2. SQL Injection
src/db/users.js:42
db.query("SELECT * FROM users WHERE id = " + id)
Found 2 critical, 0 high, 0 medium issues.
Commit blocked — fix critical issues before committing.
Installation
Option 1: skills.sh (recommended)
npx skills add jddoesdev/goodvibesonly
Or install globally:
npx skills add jddoesdev/goodvibesonly --global
Option 2: npx
npx goodvibesonly-cc
Option 3: npm global install
npm install -g goodvibesonly-cc
Option 4: Manual
git clone https://github.com/jddoesdev/goodvibesonly.git
cd goodvibesonly
node bin/install.js --global
Options
node bin/install.js --global # Install to ~/.claude/ (all projects)
node bin/install.js --local # Install to ./.claude/ (this project)
node bin/install.js --no-hooks # Skip hook installation (command/skill only)
node bin/install.js --uninstall # Remove GoodVibesOnly
Usage
Automatic (via hooks)
When working inside Claude Code, GoodVibesOnly runs automatically whenever Claude executes a git commit or push:
You: commit my changes # Scans before Claude runs git commit
You: push to origin # Scans before Claude runs git push
Manual Scan
/goodvibesonly
Or ask Claude:
is this code safe?
goodvibesonly this
check for security issues
What It Catches
CRITICAL (Blocks Commit)
| Category | Examples |
|---|---|
| API Keys | OpenAI (sk-...), Anthropic (sk-ant-...), AWS (AKIA...), GitHub (ghp_...), Stripe (sk_live_...) |
| Secrets | Hardcoded passwords, API keys, private keys |
| Injection | SQL injection, command injection, code injection (eval) |
| Config | CORS wildcard (origin: "*"), disabled SSL verification |
HIGH (Warns)
| Category | Examples |
|---|---|
| XSS | innerHTML, dangerouslySetInnerHTML, v-html |
| Deserialization | pickle.loads(), yaml.load() without SafeLoader |
| Weak Crypto | MD5/SHA1 for passwords |
MEDIUM (Notes)
| Category | Examples |
|---|---|
| Debug | DEBUG = true |
| Logging | console.log(password) |
| TODOs | Security-related TODOs |
| HTTP | Non-HTTPS URLs |
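To make the three tiers concrete, here is an added example (not the project's own scanner; the regexes are approximations written for this README, not GoodVibesOnly's patterns) of a line-oriented rule set that mirrors the categories above, run over a few constructed source lines. It also shows two details worth checking in any scanner of this kind: the weak-crypto rule only fires when the same line handles a password, and the matched secret is redacted before it is echoed into the transcript.

```javascript
// Added example, not the project's own bin/scan.js: a rule table mirroring the
// README's CRITICAL / HIGH / MEDIUM categories. Patterns are this example's
// approximations; production patterns should use exact token lengths.
const RULES = [
  // CRITICAL - blocks the commit
  { severity: "critical", category: "Hardcoded API key", redact: true,
    pattern: /\b(?:sk-ant-[A-Za-z0-9_-]{8,}|sk-[A-Za-z0-9]{8,}|sk_live_[A-Za-z0-9]{8,}|AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{8,})/ },
  { severity: "critical", category: "Hardcoded secret", redact: true,
    pattern: /\b(?:password|passwd|secret)\s*[:=]\s*["'][^"']{4,}["']|-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/i },
  { severity: "critical", category: "SQL injection",
    pattern: /\b(?:query|execute|raw)\s*\(\s*["'`][^"'`]*\b(?:SELECT|INSERT|UPDATE|DELETE|DROP)\b[^"'`]*["'`]\s*\+/i },
  { severity: "critical", category: "Command injection",
    pattern: /\b(?:exec|execSync|system|popen)\s*\(\s*(?:["'][^"']*["']\s*\+|`[^`]*\$\{)/ },
  { severity: "critical", category: "Code injection", pattern: /\beval\s*\(|new\s+Function\s*\(/ },
  { severity: "critical", category: "CORS wildcard", pattern: /\borigin\s*:\s*["']\*["']/ },
  { severity: "critical", category: "Disabled SSL verification",
    pattern: /rejectUnauthorized\s*:\s*false|NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*["']?0|\bverify\s*=\s*False\b/ },
  // HIGH - reported, does not block
  { severity: "high", category: "XSS", pattern: /\.innerHTML\s*=(?!=)|dangerouslySetInnerHTML|\bv-html\b/ },
  { severity: "high", category: "Unsafe deserialization",
    pattern: /\bpickle\.loads?\s*\(|\byaml\.load\s*\((?![^)]*SafeLoader)/ },
  // context: only flag MD5/SHA1 on a line that also handles a password
  { severity: "high", category: "Weak crypto for passwords", pattern: /\b(?:md5|sha1)\b/i, context: /password|passwd/i },
  // MEDIUM - noted
  { severity: "medium", category: "Debug flag", pattern: /\bDEBUG\s*=\s*(?:true|True)\b/ },
  { severity: "medium", category: "Sensitive logging",
    pattern: /console\.log\s*\([^)]*\b(?:password|passwd|secret|token|api_?key)\b/i },
  { severity: "medium", category: "Security TODO", pattern: /\b(?:TODO|FIXME)\b.*\b(?:security|auth|sanitiz|validat|escape)/i },
  // localhost is excluded here by choice to cut noise during development
  { severity: "medium", category: "Non-HTTPS URL", pattern: /\bhttp:\/\/(?!localhost\b|127\.0\.0\.1)/ },
];

// Scan one file's text line by line; one finding per (line, rule) hit.
// Secret-bearing matches are redacted so the report itself does not leak them.
function scanText(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const rule of RULES) {
      if (!rule.pattern.test(line) || (rule.context && !rule.context.test(line))) continue;
      const snippet = rule.redact ? line.replace(rule.pattern, "<redacted>") : line;
      findings.push({ severity: rule.severity, category: rule.category, file, line: idx + 1, snippet: snippet.trim() });
    }
  });
  return findings;
}

// Scan a map of path -> contents (what a hook would build from staged files).
function scanFiles(files) {
  return Object.entries(files).flatMap(([file, text]) => scanText(file, text));
}

// Count per tier and apply the README's policy: only CRITICAL blocks.
function summarize(findings) {
  const counts = { critical: 0, high: 0, medium: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return { ...counts, blocked: counts.critical > 0 };
}

// Render a report in the same shape as the session transcript above.
function formatReport(findings) {
  const order = { critical: 0, high: 1, medium: 2 };
  const sorted = [...findings].sort((a, b) => order[a.severity] - order[b.severity]);
  const lines = sorted.map((f, i) => `${i + 1}. [${f.severity.toUpperCase()}] ${f.category}\n   ${f.file}:${f.line}\n   ${f.snippet}`);
  const s = summarize(findings);
  lines.push(`Found ${s.critical} critical, ${s.high} high, ${s.medium} medium issues.`);
  if (s.blocked) lines.push("Commit blocked - fix critical issues before committing.");
  return lines.join("\n");
}

// Constructed sample "staged files"; the key value is a placeholder, not a real credential.
const SAMPLE_FILES = {
  "src/config.js": [
    'const API_KEY = "sk-EXAMPLE00000000000000"; // constructed placeholder',
    "const DEBUG = true;",
    'const API_URL = "http://api.example.com/v1";',
  ].join("\n"),
  "src/db/users.js": [
    'db.query("SELECT * FROM users WHERE id = " + id);',
    "console.log(password);",
    "el.innerHTML = userInput;",
  ].join("\n"),
  "src/auth.py": [
    "import hashlib, yaml",
    "digest = hashlib.md5(password.encode()).hexdigest()",
    "cfg = yaml.load(f, Loader=yaml.SafeLoader)",
  ].join("\n"),
};

console.log(formatReport(scanFiles(SAMPLE_FILES)));
module.exports = { RULES, scanText, scanFiles, summarize, formatReport, SAMPLE_FILES };
```

On the sample this reports 2 critical (the key and the concatenated query), 2 high (innerHTML and MD5 over a password) and 3 medium, while the yaml.load call with SafeLoader is correctly left alone. A hook should feed scanFiles the staged blobs (git show :path) rather than the working-tree files, since the two can differ.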
Project Structure
goodvibesonly/
├── bin/
│ ├── install.js # Installer (copies files + sets up hooks)
│ └── scan.js # Scanner script (runs via hooks)
├── commands/
│ └── goodvibesonly.md # /goodvibesonly slash command
├── skills/
│ └── goodvibesonly/
│ └── SKILL.md # Skill for Claude assistance
├── hooks/
│ └── hooks.json # Hook configuration template
├── package.json
└── README.md
Allowlist