A Claude Code skill that performs in-depth security scans and detects 20+ of the most common security vulnerabilities in your source code.

AI-generated code now represents a meaningful share of new commits across the industry. While modern coding assistants excel at producing code that works, they routinely ship code with classic security pitfalls: hardcoded secrets, SQL injection, missing access controls, weak password hashing, JWT misuse, and broken CORS configurations. These mistakes rarely surface in functional testing — they surface in incident reports.

vbsec brings production-grade security review into the AI coding loop. It runs as a native Claude Code skill — type /vbs-scan-security and receive a structured report covering 20+ categories of vulnerabilities. There are no external API calls, no separate tool installation, and no additional infrastructure to maintain.

vbsec has been exercised against intentionally vulnerable open-source training apps such as OWASP Juice Shop — and identifies findings that line up with the documented vulnerability challenges across SQL injection, NoSQL injection, JWT misuse, broken access control, mass assignment, deserialization RCE, and more.

Generic rules apply to every language. Specialized rule overlays exist for Go, PHP, TypeScript/JavaScript, and Python, covering common frameworks: React, Vue, Angular, Express, NestJS, Next.js, Django, Flask, FastAPI, SQLAlchemy, Sequelize, Prisma, and Mongoose. Additional language overlays are on the roadmap.

• Bùi Tấn Việt — CEO, SePay & 123HOST
• Phan Quốc Hiên — CTO, SePay & 123HOST

vbsec is engineered around a small set of design choices that distinguish it from conventional pattern scanners.

• Reasoning-first, not pattern counting. vbsec does not blindly grep for eval( or query(. Each potential finding is verified by reading the surrounding code, tracing data flow (L1 untrusted user input through L4 trusted system data), and confirming the data reaches a dangerous sink without sanitization. This eliminates the false-positive flood typical of regex-based scanners.

• Size-aware routing. Small scans (≤20 main-language files AND ≤30 total) run inline in 30-60 seconds. Larger scans automatically delegate work to sub-agents that run in parallel — one chunk per top-level folder — and aggregate findings centrally. The user experience is identical; only the execution strategy changes.

• Sub-agent delegation for large repositories. For repositories with hundreds of files, vbsec spawns up to three parallel sub-agents through Claude Code's general-purpose agent. Each sub-agent scans a chunk of files independently, and findings are dedupe-aggregated by (file, line, rule_id). This keeps wall-clock time bounded even on monorepos.

• Language overlay system. When vbsec detects the primary language, it loads language-specific rule files from rules/languages/<lang>/ that override the generic rules for that language. This catches framework-specific patterns: Mongoose $where NoSQL injection, Angular bypassSecurityTrustHtml, Sequelize template-literal SQL, JWT algorithm confusion, Gin debug mode in production builds.

• L1–L4 data flow classification. Inputs are classified by trust level. A db.query(\SELECT ${x}`)call is only reported as a finding whenx` originates from L1 (user-controlled input) and reaches the SQL sink without parameterization. Constants, environment variables, and trusted-source data do not generate false positives.

• One finding, one rule. A line of code that triggers both IDOR and Race Condition produces two findings — never a comma-separated double tag. This keeps counts honest, reports auditable, and the trailing JSON summary machine-parseable.

• Bilingual reports. Vietnamese is the default; English is selected with lang=en. The JSON summary at the report tail is always canonical English for CI and tooling consumption.

vbsec installs as a Claude Code skill. Run these two commands in your terminal:

git clone https://github.com/tanviet12/vbsec ~/vbsec
ln -sfn ~/vbsec/skills/vbs-scan-security ~/.claude/skills/vbs-scan-security

Restart Claude Code, then verify:

/vbs-scan-security

To update later:

cd ~/vbsec && git pull

(Restart Claude Code to pick up the new version.)

See docs/en/installation.md for prerequisites, troubleshooting, and update procedures.

The default scope is the entire repository. This is a deliberate change from earlier versions and matches how teams typically request a security audit.

/vbs-scan-security                       # scan entire repo (default)
/vbs-scan-security uncommitted           # only scan uncommitted changes
/vbs-scan-security pr id 42 lang=en      # scan a PR, report in English
/vbs-scan-security commit within 7days   # scan last 7 days of commits

Reports are saved to vbsec-reports/scan-<timestamp>.md inside the scanned repository for re-reading, sharing with reviewers, and attaching to remediation tickets.

See docs/en/usage.md for all options including staged, single-commit scans, and PR scanning via gh.

The list currently contains 21 rules and will continue to expand.

• Installation
• Usage
• Full rule catalog
• Contributing

• v0.1 — Generic rule set + Go + PHP specialization + bilingual output ✅
• v0.2 — TypeScript/JavaScript specialization (Sequelize/Prisma/Mongoose, React/Vue/Angular, Express/NestJS/Next.js) ✅
• v0.3 — Default scope changed to full-repo, persistent reports, verbose per-finding explanations ✅
• v0.4 (current) — Python specialization (SQLAlchemy/Django ORM SQLi, pickle/yaml deserialization RCE, Werkzeug debugger, FastAPI/Flask/Django CSRF + CORS, PyJWT algorithms, subprocess shell=True) ✅
• v0.5 — Codex compatibility (.codex/skills/)
• v0.6+ — Ruby, Java, Rust — community-driven

vbsec is a reference scanner. It catches common AI-generated code mistakes, but:

• It does NOT replace a professional security audit
• It does NOT guarantee 100% vulnerability coverage
• It does NOT fetch live CVE databases (run npm audit / pip-audit / govulncheck separately for that)

Use vbsec as a first line of defense, not as proof of security.

Released under the MIT License.

Built on the security expertise of SePay and 123HOST — two Vietnamese fintech and hosting companies that operate production systems under real-world threat conditions.

© 2026 Bùi Tấn Việt & Phan Quốc Hiên.