Let's make vibe coding safe.
An extensible CLI for security-auditing AI-generated applications. Repeatable audits. Machine-readable output. Built-in and custom checks.
Get Started in 60 Seconds
Install with one command, run a quick audit, or integrate into your CI/CD pipeline.
How It Works
A simple four-step pipeline from code to security findings.
Intake
Point Governor at any directory or repository to analyze.
Select Checks
Choose from built-in checks or load custom YAML definitions.
Execute
AI and rule engines analyze your code in isolated containers.
Report
Get findings in JSON, Markdown, HTML, or SARIF format.
Everything You Need to Audit Vibe-Coded Apps
Governor combines AI-powered analysis with deterministic rules for comprehensive, repeatable security auditing.
Mixed Check Engines
Combine AI-powered analysis with deterministic rule-based checks for comprehensive coverage.
Robust Built-in Checks
Ships with battle-tested security checks covering secrets, dependencies, injection, and more.
Custom Check Authoring
Write AI or rule-based checks in YAML, extract from security docs, or start from starter templates.
Multi-Provider AI
Use OpenAI, Claude, Gemini, DeepSeek, Mistral, or any OpenAI-compatible provider.
Container Isolation
Run audits in isolated Docker or Podman containers for safe, reproducible analysis.
CI/CD Integration
Drop into GitHub Actions, GitLab CI, or any pipeline with exit codes and SARIF output.
Interactive Terminal UI
Beautiful terminal interface with real-time progress, severity colors, and detailed findings.
Machine-Readable Output
Export results as JSON, Markdown, HTML, or SARIF for tooling and compliance workflows.
Built-in Security Checks
Battle-tested checks ship out of the box — AI-powered and rule-based.
Secrets Detection
AI-powered scanning for hardcoded API keys, tokens, passwords, and credentials.
Injection Vulnerabilities
Detects SQL injection, command injection, XSS, and other injection attack vectors.
Authentication & Authorization
Reviews auth flows for broken access controls and missing authorization checks.
Data Exposure
Identifies sensitive data leaks, insecure logging, and unprotected PII handling.
Cryptographic Issues
Flags weak algorithms, insecure random generation, and improper key management.
Security Misconfiguration
Catches debug modes, overly permissive CORS, missing security headers, and more.
Dependency Audit
Checks package manifests against known vulnerability databases.
License Compliance
Validates dependency licenses against your organization's allowlist.
File Permission Check
Detects overly permissive file modes and insecure file operations.
SAST Pattern Matching
Static analysis using pattern-based rules for common vulnerability signatures.
.env & Config Validation
Ensures environment files and configs follow security best practices.
Need checks specific to your stack? Write your own in YAML.
Make It Yours
Write custom checks in YAML, extract them from docs, or start from templates. Two engines, endless possibilities.
AI Check Engine
Write natural-language instructions — Governor sends code to your chosen AI provider and returns structured findings.
Rule Check Engine
Define deterministic detectors with substring or regex patterns — no AI cost, instant results, zero false positives.
Doc-to-Checks Extraction
Point Governor at any security policy or compliance doc — it generates draft YAML checks automatically.
Works With Your Stack
Multi-provider AI, multiple output formats, and container runtime support.