Source: dev.to

Add Security Scanning to Any GitHub Repo in 3 Lines of YAML

A developer released AINAScan/VibeGuard, a GitHub Action that scans code for security patterns common in AI-generated code. Scanning 10 popular vibe-coded repos revealed critical issues in all of them, including missing database writes and fake async functions. The tool uses AST-based deterministic analysis with 48 patterns across 9 languages.

2 min read · published Jun 22, 2026

AI writes code fast. It also writes the same security bugs, over and over.

We scanned 10 popular vibe-coded repos (10k–100k ⭐) last week. Every single one had at least one critical issue that passed code review undetected.

The most common pattern:

def save_user(data):
    return {"status": "saved"}  # No actual DB write. Ever.

async def fetch_profile(user_id):
    return profile  # async keyword, zero await calls

These aren't typos. They're structural patterns that emerge when LLMs write code — and standard linters miss all of them.

**AINAScan / VibeGuard** — AST-based, deterministic, no LLM involved. 48 patterns across 9 languages.

And now it's a GitHub Action.

name: Security Scan
on: [pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Moonsehwan/aina-vibeguard-action@v1
        with:
          api-key: ${{ secrets.VIBEGUARD_KEY }}

Add a VIBEGUARD_KEY secret (Settings → Secrets → Actions → New secret) and use vg_free_test as the value (free promo key, valid until June 24).

That's it. Every PR now gets scanned. Critical issues fail the check automatically.

| Pattern | What it means |
|---|---|
| MISSING_WRITE | save_user() with no INSERT/UPDATE anywhere |
| FAKE_ASYNC | async def with zero await calls |
| STUB_SKELETON | Function body is just return {} |
| DEAD_CALL_RESULT | Calls 3 modules, ignores all return values |
| INPUT_OUTPUT_DISCONNECTED | Parameters don't affect the return value |

These patterns are in no other scanner. They exist because AI coding assistants repeat them constantly.
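To make the "AST-based, deterministic" idea concrete, here is a small detector for three of the patterns above (FAKE_ASYNC, STUB_SKELETON, INPUT_OUTPUT_DISCONNECTED). It is an added illustration, not VibeGuard's own code, and the source it scans is a constructed sample that mirrors the snippets earlier in the post:

```python
import ast

# Constructed sample mirroring the patterns described above (not VibeGuard's own code).
SAMPLE = '''
def save_user(data):
    return {"status": "saved"}
async def fetch_profile(user_id):
    return profile
async def fetch_ok(user_id):
    return await db.get(user_id)
'''

def _body_nodes(fn):
    # Walk fn's body without descending into nested function/lambda definitions.
    stack = list(fn.body)
    while stack:
        node = stack.pop()
        yield node
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            stack.extend(ast.iter_child_nodes(node))

def _is_literal(node):
    # True if node is a pure literal/container display such as {} or {"status": "saved"}.
    try:
        ast.literal_eval(node)
        return True
    except (ValueError, TypeError, SyntaxError):
        return False

def scan_source(src):
    """Return (pattern, function name, line) triples, sorted by line then pattern."""
    findings = []
    for fn in ast.walk(ast.parse(src)):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        body = list(_body_nodes(fn))
        # FAKE_ASYNC: declared async, but nothing inside ever awaits
        awaits = [n for n in body if isinstance(n, (ast.Await, ast.AsyncFor, ast.AsyncWith))]
        if isinstance(fn, ast.AsyncFunctionDef) and not awaits:
            findings.append(("FAKE_ASYNC", fn.name, fn.lineno))
        # STUB_SKELETON: body (docstring aside) is a single `return <literal>`
        stmts = [s for s in fn.body if not (isinstance(s, ast.Expr) and isinstance(s.value, ast.Constant))]
        if len(stmts) == 1 and isinstance(stmts[0], ast.Return) and _is_literal(stmts[0].value):
            findings.append(("STUB_SKELETON", fn.name, fn.lineno))
        # INPUT_OUTPUT_DISCONNECTED: parameters exist but none is ever read in the body
        params = {a.arg for a in fn.args.posonlyargs + fn.args.args + fn.args.kwonlyargs} - {"self", "cls"}
        loaded = {n.id for n in body if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Load)}
        if params and not params & loaded:
            findings.append(("INPUT_OUTPUT_DISCONNECTED", fn.name, fn.lineno))
    return sorted(findings, key=lambda f: (f[2], f[0]))
```

Running `scan_source(SAMPLE)` flags save_user twice (stub body, unused parameter) and fetch_profile twice (no await, unused parameter), while fetch_ok is clean; a real scanner would add the data-flow checks behind MISSING_WRITE and DEAD_CALL_RESULT on top of this.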

Scanned serena (25k ⭐) — a popular AI coding assistant:

[BLOCK] COMMAND_INJECTION  agent.py:1222
subprocess.Popen(cmd, shell=True)
→ any config value can execute arbitrary shell commands

Found in 3 seconds. Missed by the maintainers.

The API returns structured JSON, so AI agents can auto-fix:

import requests

# Scan one file and hand any findings to a code-generating agent for repair.
# `agent` is a placeholder for whatever client you use; it is not part of the API.
with open("app.py", "rb") as f:
    result = requests.post(
        "https://pleasing-transformation-production-90c2.up.railway.app/v1/scan",
        headers={"X-API-Key": "vg_free_test"},
        files={"file": f},
    ).json()

if not result["passed"]:
    prompt = f"Fix these issues: {result['issues']}"
    fixed = agent.generate(prompt)

Free key (until June 24): vg_free_test

curl -X POST https://pleasing-transformation-production-90c2.up.railway.app/v1/scan \
  -H "X-API-Key: vg_free_test" \
  -F "file=@your_file.py"

GitHub Action: Moonsehwan/aina-vibeguard-action

Full docs: github.com/Moonsehwan/aina-scan

Would love to hear what patterns you're seeing in your AI-generated code. Drop them in the comments — if it's a real pattern we're not catching, we'll add it.
