VibeGuard: A Security Gate Framework for AI-Generated Code
Ying Xie

TL;DR
VibeGuard is a security framework designed to detect and prevent vulnerabilities in AI-generated code during the pre-publish phase, addressing gaps in existing static analysis tools.
Contribution
The paper introduces VibeGuard, a novel security gate that effectively identifies five key blind spots in AI-generated code, with high accuracy in controlled experiments.
Findings
VibeGuard achieved 100% recall in detecting vulnerabilities.
It demonstrated 89.47% precision and an F1 score of 94.44%.
VibeGuard made correct pass/fail decisions across all tested projects.
Abstract
"Vibe coding," in which developers delegate code generation to AI assistants and accept the output with little manual review, has gained rapid adoption in production settings. On March 31, 2026, Anthropic's Claude Code CLI shipped a 59.8 MB source map file in its npm package, exposing roughly 512,000 lines of proprietary TypeScript. The tool had itself been largely vibe-coded, and the leak traced to a misconfigured packaging rule rather than a logic bug. Existing static-analysis and secret-scanning tools did not cover this failure mode, pointing to a gap between the vulnerabilities AI tends to introduce and the vulnerabilities current tooling is built to find. We present VibeGuard, a pre-publish security gate that targets five such blind spots: artifact hygiene, packaging-configuration drift, source-map exposure, hardcoded secrets, and supply-chain risk. In controlled experiments on…
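
The source-map exposure check named in the abstract, as an added example; it is not VibeGuard's implementation or code from the paper. The function name `auditPackage`, the rule names and the 10 MiB size threshold are assumptions, and the input shape follows the `files` entries printed by `npm pack --dry-run --json`.

```javascript
// Added example: pre-publish check for source-map exposure (not VibeGuard's code).
// `files` entries use the { path, size } shape of `npm pack --dry-run --json`.
// File contents are passed in separately so the check runs offline.

const MAP_FILE = /\.map$/i;
// Matches //# sourceMappingURL=... and /*# sourceMappingURL=... */ comments.
const MAP_REF = /[#@]\s*sourceMappingURL=(\S+)/g;

function auditPackage(files, contents = {}, maxBytes = 10 * 1024 * 1024) {
  const findings = [];
  for (const { path, size } of files) {
    // A .map file in the tarball ships the original sources to every installer.
    if (MAP_FILE.test(path)) {
      findings.push({ rule: "source-map-file", path });
    }
    // Assumed threshold: an unexpectedly large file is worth a human look.
    if (size > maxBytes) {
      findings.push({ rule: "oversized-artifact", path, size });
    }
    const text = contents[path];
    if (typeof text !== "string") continue;
    for (const m of text.matchAll(MAP_REF)) {
      const target = m[1].replace(/\*\/$/, "");
      // Inline maps embed the original sources in the shipped file itself.
      const rule = target.startsWith("data:")
        ? "inline-source-map"
        : "source-map-reference";
      findings.push({ rule, path, target: target.slice(0, 40) });
    }
  }
  return { pass: findings.length === 0, findings };
}

// Constructed sample: a pack listing with one stray map and one reference to it.
const sampleFiles = [
  { path: "package.json", size: 812 },
  { path: "dist/cli.js", size: 48211 },
  { path: "dist/cli.js.map", size: 59800000 },
];
const sampleContents = {
  "dist/cli.js": 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n',
};

const result = auditPackage(sampleFiles, sampleContents);
console.log(result.pass ? "PASS" : "FAIL", result.findings);
```

Run as a `prepublishOnly` step, the listing would come from `npm pack --dry-run --json` and a failing result would exit non-zero to block the publish.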
