Add Security Scanning to Any GitHub Repo in 3 Lines of YAML

A developer released AINAScan/VibeGuard, a GitHub Action that scans code for security patterns common in AI-generated code. Scanning 10 popular vibe-coded repos revealed critical issues in all of them, including missing database writes and fake async functions. The tool uses AST-based deterministic analysis with 48 patterns across 9 languages.

AI writes code fast. It also writes the same security bugs, over and over. We scanned 10 popular vibe-coded repos 10k–100k ⭐ last week. Every single one had at least one critical issue that passed code review undetected. The most common pattern: python AI generates this constantly def save user data : return {"status": "saved"} No actual DB write. Ever. async def fetch profile user id : return profile async keyword, zero await calls These aren't typos. They're structural patterns that emerge when LLMs write code — and standard linters miss all of them. AINAScan / VibeGuard — AST-based, deterministic, no LLM involved. 48 patterns across 9 languages. And now it's a GitHub Action. .github/workflows/vibeguard.yml name: Security Scan on: pull request jobs: scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: Moonsehwan/aina-vibeguard-action@v1 with: api-key: ${{ secrets.VIBEGUARD KEY }} Add VIBEGUARD KEY → Settings → Secrets → Actions → New secret Use vg free test as the value free promo key, valid until June 24 . That's it. Every PR now gets scanned. Critical issues fail the check automatically. | Pattern | What it means | |---|---| MISSING WRITE | save user with no INSERT/UPDATE anywhere | FAKE ASYNC | async def with zero await calls | STUB SKELETON | Function body is just return {} | DEAD CALL RESULT | Calls 3 modules, ignores all return values | INPUT OUTPUT DISCONNECTED | Parameters don't affect the return value | These patterns are in no other scanner. They exist because AI coding assistants repeat them constantly. Scanned serena 25k ⭐ — a popular AI coding assistant: BLOCK COMMAND INJECTION agent.py:1222 subprocess.Popen cmd, shell=True → any config value can execute arbitrary shell commands Found in 3 seconds. Missed by the maintainers. The API returns structured JSON, so AI agents can auto-fix: result = requests.post "https://pleasing-transformation-production-90c2.up.railway.app/v1/scan", headers={"X-API-Key": "vg free test"}, files={"file": open "app.py", "rb" } .json Pass to Claude/GPT for auto-fix if not result "passed" : prompt = f"Fix these issues: {result 'issues' }" fixed = agent.generate prompt Free key until June 24 : vg free test curl -X POST https://pleasing-transformation-production-90c2.up.railway.app/v1/scan \ -H "X-API-Key: vg free test" \ -F "file=@your file.py" GitHub Action: Moonsehwan/aina-vibeguard-action https://github.com/Moonsehwan/aina-vibeguard-action Full docs: github.com/Moonsehwan/aina-scan https://github.com/Moonsehwan/aina-scan Would love to hear what patterns you're seeing in your AI-generated code. Drop them in the comments — if it's a real pattern we're not catching, we'll add it.