vibe-scanner  by safeboundai

Shadow IT discovery and assessment tool

Created 1 month ago
371 stars

Top 76.0% on SourcePulse

GitHubView on GitHub
Project Summary

Summary

Vibe-scanner tackles enterprise shadow IT by discovering and assessing employee-deployed internal tools on AI/no-code and serverless platforms. It identifies exposed authentication, hardcoded secrets, and data exposure, empowering red teams with authorized shadow-IT discovery capabilities for risk mitigation.

How It Works

The tool employs a multi-phase pipeline: Phase 0 enriches target identity tokens via BFS crawl and GLiNER entity extraction. Phase 1 discovers potential apps across 11 platforms using Serper API dorks, applying relevance scoring and filtering. Phase 2 probes candidates for authentication weaknesses, hardcoded credentials, and Supabase RLS bypass (CVE-2025-48757). GLiNER (or regex fallback) classifies detected data classes, feeding into a severity score. An advanced attribution model filters noise, with a headless Chrome fallback for SPAs.

Quick Start & Requirements

Installation supports Docker (docker build/run) or Python (venv, pip install -r requirements.txt) with Node.js for the server. A SERPER_API_KEY (from serper.dev) is mandatory. Optional: HF_TOKEN for GLiNER model download, OPENAI_API_KEY for GPT-4o risk assessment. AWS SSM integration requires pip install vibe-scanner[ssm]. Configuration uses environment variables loaded from .env.

Highlighted Details

  • Scans 11 diverse platforms (e.g., Netlify, Vercel, Hugging Face Spaces, Replit).
  • Detects critical vulnerabilities: exposed authentication, hardcoded secrets, Supabase RLS bypass (CVE-2025-48757).
  • Classifies sensitive data (PII, credentials, financial).
  • Provides real-time dashboard UI (SSE) and streams JSON-line output.
  • Optional GPT-4o for AI-driven risk assessment.

Maintenance & Community

The project welcomes issues and PRs, suggesting users open an issue first for substantial changes. No specific community channels are listed.

Licensing & Compatibility

Distributed under the Apache License 2.0, a permissive license suitable for commercial use and integration within closed-source projects.

Limitations & Caveats

The attribution model struggles with service-provider targets (e.g., huggingface.co, github.com), potentially causing false positives or reduced recall due to legitimate third-party references. For such platforms, using a narrower --name or alternative discovery methods is advised.

Health Check
Last Commit

1 month ago

Responsiveness

Inactive

Pull Requests (30d)
0
Issues (30d)
2
Star History
293 stars in the last 30 days

Explore Similar Projects

Feedback? Help us improve.