Discover and explore top open-source AI tools and projects—updated daily.
safeboundaiShadow IT discovery and assessment tool
Top 76.0% on SourcePulse
Summary
Vibe-scanner tackles enterprise shadow IT by discovering and assessing employee-deployed internal tools on AI/no-code and serverless platforms. It identifies exposed authentication, hardcoded secrets, and data exposure, empowering red teams with authorized shadow-IT discovery capabilities for risk mitigation.
How It Works
The tool employs a multi-phase pipeline: Phase 0 enriches target identity tokens via BFS crawl and GLiNER entity extraction. Phase 1 discovers potential apps across 11 platforms using Serper API dorks, applying relevance scoring and filtering. Phase 2 probes candidates for authentication weaknesses, hardcoded credentials, and Supabase RLS bypass (CVE-2025-48757). GLiNER (or regex fallback) classifies detected data classes, feeding into a severity score. An advanced attribution model filters noise, with a headless Chrome fallback for SPAs.
Quick Start & Requirements
Installation supports Docker (docker build/run) or Python (venv, pip install -r requirements.txt) with Node.js for the server. A SERPER_API_KEY (from serper.dev) is mandatory. Optional: HF_TOKEN for GLiNER model download, OPENAI_API_KEY for GPT-4o risk assessment. AWS SSM integration requires pip install vibe-scanner[ssm]. Configuration uses environment variables loaded from .env.
Highlighted Details
Maintenance & Community
The project welcomes issues and PRs, suggesting users open an issue first for substantial changes. No specific community channels are listed.
Licensing & Compatibility
Distributed under the Apache License 2.0, a permissive license suitable for commercial use and integration within closed-source projects.
Limitations & Caveats
The attribution model struggles with service-provider targets (e.g., huggingface.co, github.com), potentially causing false positives or reduced recall due to legitimate third-party references. For such platforms, using a narrower --name or alternative discovery methods is advised.
1 month ago
Inactive
trufflesecurity