{"slug": "add-security-scanning-to-any-github-repo-in-3-lines-of-yaml", "title": "Add Security Scanning to Any GitHub Repo in 3 Lines of YAML", "summary": "A developer released AINAScan/VibeGuard, a GitHub Action that scans code for security patterns common in AI-generated code. Scanning 10 popular vibe-coded repos revealed critical issues in all of them, including missing database writes and fake async functions. The tool uses AST-based deterministic analysis with 48 patterns across 9 languages.", "body_md": "AI writes code fast. It also writes the same security bugs, over and over.\n\nWe scanned 10 popular vibe-coded repos (10k–100k ⭐) last week. Every single one had at least one critical issue that passed code review undetected.\n\nThe most common pattern:\n\n```python\n# AI generates this constantly\ndef save_user(data):\n    return {\"status\": \"saved\"}  # No actual DB write. Ever.\n\nasync def fetch_profile(user_id):\n    return profile  # async keyword, zero await calls\n```\n\nThese aren't typos. They're structural patterns that emerge when LLMs write code — and standard linters miss all of them.\n\n**AINAScan / VibeGuard** — AST-based, deterministic, no LLM involved. 48 patterns across 9 languages.\n\nAnd now it's a GitHub Action.\n\n```yaml\n# .github/workflows/vibeguard.yml\nname: Security Scan\non: [pull_request]\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - uses: Moonsehwan/aina-vibeguard-action@v1\n        with:\n          api-key: ${{ secrets.VIBEGUARD_KEY }}\n```\n\nAdd a `VIBEGUARD_KEY` secret under **Settings → Secrets → Actions → New secret** and use `vg_free_test` as the value (free promo key, valid until June 24).\n\nThat's it. Every PR now gets scanned. Critical issues fail the check automatically.\n\n| Pattern | What it means |\n|---|---|\n| `MISSING_WRITE` | `save_user()` with no INSERT/UPDATE anywhere |\n| `FAKE_ASYNC` | `async def` with zero `await` calls |\n| `STUB_SKELETON` | Function body is just `return {}` |\n| `DEAD_CALL_RESULT` | Calls 3 modules, ignores all return values |\n| `INPUT_OUTPUT_DISCONNECTED` | Parameters don't affect the return value |\n\nThese patterns are in no other scanner. They exist because AI coding assistants repeat them constantly.\n\nScanned **serena** (25k ⭐) — a popular AI coding assistant:\n\n```\n[BLOCK] COMMAND_INJECTION  agent.py:1222\nsubprocess.Popen(cmd, shell=True)\n→ any config value can execute arbitrary shell commands\n```\n\nFound in 3 seconds. Missed by the maintainers.\n\nThe API returns structured JSON, so AI agents can auto-fix:\n\n```python\nimport requests\n\n# Upload one file and get the structured scan result back\nwith open(\"app.py\", \"rb\") as f:\n    result = requests.post(\n        \"https://pleasing-transformation-production-90c2.up.railway.app/v1/scan\",\n        headers={\"X-API-Key\": \"vg_free_test\"},\n        files={\"file\": f},\n    ).json()\n\n# Pass to Claude/GPT for auto-fix (`agent` stands for whatever LLM client you use)\nif not result[\"passed\"]:\n    prompt = f\"Fix these issues: {result['issues']}\"\n    fixed = agent.generate(prompt)\n```\n\n**Free key (until June 24):** `vg_free_test`\n\n```bash\ncurl -X POST https://pleasing-transformation-production-90c2.up.railway.app/v1/scan \\\n  -H \"X-API-Key: vg_free_test\" \\\n  -F \"file=@your_file.py\"\n```\n\n**GitHub Action:** [Moonsehwan/aina-vibeguard-action](https://github.com/Moonsehwan/aina-vibeguard-action)\n\n**Full docs:** [github.com/Moonsehwan/aina-scan](https://github.com/Moonsehwan/aina-scan)\n\nWould love to hear what patterns you're seeing in your AI-generated code. Drop them in the comments — if it's a real pattern we're not catching, we'll add it.", "url": "https://wpnews.pro/news/add-security-scanning-to-any-github-repo-in-3-lines-of-yaml", "canonical_source": "https://dev.to/_55c9ae90dd2b13bd715f5/add-security-scanning-to-any-github-repo-in-3-lines-of-yaml-1l81", "published_at": "2026-06-22 04:38:44+00:00", "updated_at": "2026-06-22 05:10:01.502433+00:00", "lang": "en", "topics": ["ai-safety", "developer-tools", "large-language-models", "ai-agents"], "entities": ["AINAScan", "VibeGuard", "GitHub", "Moonsehwan", "serena"], "alternates": {"html": "https://wpnews.pro/news/add-security-scanning-to-any-github-repo-in-3-lines-of-yaml", "markdown": "https://wpnews.pro/news/add-security-scanning-to-any-github-repo-in-3-lines-of-yaml.md", "text": "https://wpnews.pro/news/add-security-scanning-to-any-github-repo-in-3-lines-of-yaml.txt", "jsonld": "https://wpnews.pro/news/add-security-scanning-to-any-github-repo-in-3-lines-of-yaml.jsonld"}}