Skip to content

SecureVibe

Your AI assistant writes the vulnerability. SecureVibe stops it at the keystroke. Signed security skills give Claude Code, Cursor, Copilot, Codex, Windsurf, Cline, Antigravity, and Devin the security context they're missing — current supply-chain intel and secure-by-default patterns — so the bad dependency is never installed and the insecure code is never written, not caught in review.

MIT CI Last commit Skills CVE patterns Supply-chain ecosystems secret-detection patterns Platforms AI clients
Claude Code consulting SecureVibe: catching the Log4Shell dependency (CVE-2021-44228) and writing a parameterized query instead of a SQL-injection-prone one
3,623Curated Entries
10Supply-Chain Ecosystems
30Skills
58CVE Patterns
83Secret Patterns
8AI Client Integrations

Curated database refreshed 2026-06-23 · +1,601 entries in the last 30 days · OSSF malicious-packages @ 8c093db5

The problem

Your developers use Claude Code, Cursor, Copilot, and a dozen other AI coding assistants every day. They accept generated code that imports compromised packages, hardcodes API keys, opens SSRF holes, and ships unsafe deserialization patterns into production. Three structural gaps drive this:

1. AI assistants ship without current security context. Training data is months or years stale. A package compromised yesterday is happily imported by the model today. CWE / OWASP rules live nowhere the assistant looks at generation time.

2. Supply-chain intel changes daily; static rules go stale. Typosquats, malicious-package disclosures, and CVE-to-code patterns evolve every week. A rule file checked in last quarter is already wrong. You need delta-updatable, cryptographically signed intel — not yet another quarterly export.

3. Each AI vendor ships its own secret-handling rules, or nothing at all. Claude has CLAUDE.md, Cursor has .cursorrules, Copilot has copilot-instructions.md, Codex has AGENTS.md — eight surfaces, eight formats, eight blind spots. There's no shared rule corpus and no on-demand lookup API that any of them can call.

Embed in 3 commands

Everything ships on npm — no checkout, no Go toolchain. The package bundles the platform binary and the rule data; pick a surface.

# Drop the skills into a project (writes IDE config, e.g. CLAUDE.md)
npx @shieldnet360/secure-code-skill init --tool claude
# Or wire the MCP server so any MCP-speaking client can call its tools on demand
claude mcp add secure-code -- npx -y @shieldnet360/secure-code-mcp
# Or gate files from the terminal / CI / pre-commit (deterministic, exit code)
npx -p @shieldnet360/secure-code-mcp secure-code-check gate Dockerfile package-lock.json --severity-floor high

gate picks the right scanner per file (Dockerfile / lockfile / workflow → specialised scanner; anything else → secret scan) and exits non-zero when a finding meets the floor. The data is bundled, so it runs fully offline.

How it works

flowchart LR
    AI["🤖 AI coding<br/>assistant"] -->|reads at session start| DIST["dist/CLAUDE.md<br/>(or 7 other formats)"]
    AI -->|JSON-RPC on demand| MCP["skills-mcp<br/>server"]
    subgraph LIB [" SecureVibe library "]
        direction TB
        SK["skills/<br/>30 SKILL.md"]
        VU["vulnerabilities/<br/>npm · pypi · cargo · gem · go ·<br/>nuget · maven · gh-actions · docker"]
        CV["CVE patterns<br/>58 code-relevant"]
        SECRETS["Secret patterns<br/>83 detection rules"]
        CO["compliance/<br/>SOC2 · HIPAA · PCI"]
    end
    DIST --> LIB
    MCP --> LIB
    REL["GitHub Releases<br/>+ Ed25519 sig"] -->|skills-check update| LIB
    LIB -->|policy check| DEC{"Allow /<br/>Block /<br/>Redact"}
    DEC --> AI

Every surface is optional. Drop a static CLAUDE.md for zero-config baseline coverage. Add the MCP server to get on-demand vulnerability lookups, dependency scans, and Dockerfile hardening checks without spending tokens until they're actually needed.

Compliance coverage

Signed skills map to the controls you're audited against. 7 frameworks · 81 mapped controlsbrowse the live control → skill matrix →

SOC 2 HIPAA PCI-DSS ISO/IEC 27001 ISO/IEC 27701 ISO/IEC 27017 ISO/IEC 42001

Honest scope: each mapping links SecureVibe's technical controls to the framework — it helps you implement and evidence those controls, it does not certify your ISMS / AIMS / PIMS programme.

AI Client Integrations

Eight first-class targets. Same skills, same library, eight rendered output formats.

Client Config file Format Token tier (default) Embed
Claude Code CLAUDE.md markdown compact skills-check init --tool claude
Cursor .cursorrules flat instructions compact skills-check init --tool cursor
GitHub Copilot .github/copilot-instructions.md markdown compact skills-check init --tool copilot
OpenAI Codex AGENTS.md agent-oriented compact skills-check init --tool codex
Windsurf .windsurfrules flat instructions compact skills-check init --tool windsurf
Cline / OpenCode .clinerules flat instructions compact skills-check init --tool cline
Antigravity AGENTS.md (shared) agent-oriented compact skills-check init --tool codex
Devin devin.md full markdown full skills-check init --tool devin

Native skill bundles are also produced for the three clients that support per-skill directories: agent-skills/.agents/skills/, claude-skills/.claude/skills/, copilot-skills/.github/skills/.

For MCP-aware clients (Claude Code, Cursor, etc.), skills-mcp exposes 16 JSON-RPC tools — lookup_vulnerability, scan_dependencies, scan_dockerfile, scan_github_actions, check_secret_pattern, map_compliance_control, gate, and 9 more — so the assistant can ask for security context on demand instead of loading the whole rule corpus into its prompt.

Signing model

Releases are signed with Ed25519. The CLI embeds the production public key at build time via -ldflags -X and refuses to apply any update whose manifest signature doesn't verify against a trusted key. Multiple trusted keys can be configured for staging vs production rollouts.

Every file in a release manifest carries a SHA-256 checksum. Updates verify the manifest signature first, then each file's checksum, then rename-atomic-write the file into place. A crash mid-update leaves the previous version intact. Private keys are held offline on YubiKeys — never in CI secrets, never on disk.

See SIGNING.md for the full key-management policy and rotation procedure.

Compliance coverage

Generate a control coverage report for any of three frameworks. Output is markdown or JSON, timestamped, with per-control source citations back into the skill files that satisfy it.

skills-check evidence --framework SOC2    --format markdown --out evidence-soc2.md
skills-check evidence --framework HIPAA   --format json
skills-check evidence --framework PCI-DSS --format markdown
Standard Mapping file Notes
OWASP Top 10 2025 compliance/owasp_top10_2025.yaml Per-CWE coverage from the skill catalogue.
CWE Top 25 compliance/cwe_top25.yaml Each CWE maps to the skills that detect it.
SOC 2 (CC series) compliance/soc2_mapping.yaml Developer-facing coverage map, not a substitute for a real audit.
HIPAA Security Rule compliance/hipaa_mapping.yaml Same — pair with runtime evidence, change-management records, access reviews.
PCI-DSS v4.0 compliance/pci_dss_mapping.yaml Card-data-handling controls.
FedRAMP / NIST SP 800-53 Rev 5 profiles/government.yaml Profile-locked subset for public-sector deployments.

The mappings are YAML, version-controlled, and contributable — open a PR against the file to add or correct a control linkage.