I Built a Security Tool. It Found a Critical Hole in Itself.

I am building a code security analyzer. I call it vibeanalyzer.

The goal is simple. Many people now "vibe-code." They let AI agents write code. The code looks clean. The tests pass. But the developer has no idea what is actually inside the project.

Before I went all in, I did something I should have done long ago. I checked if existing tools already solved this. They did. Tools like Semgrep, CodeQL, and Snyk are much better than me.

I ran Semgrep on my own project. The results were a reality check.

Semgrep found six issues in my dependencies:

• One cosmetic issue with a hash choice.
• Two High severity issues in esbuild and vite.
• Three Medium severity issues involving path traversal.
• One Critical issue in vitest.

The vitest issue was a path traversal vulnerability. It could let someone read or execute files outside the project. I pulled that dependency in myself.

How can a security tool have a critical vulnerability?

The answer is the supply chain. My code might be honest. But the tools I build on are not always safe. If I missed this while building a security tool, a regular developer has zero chance of catching it.

This is why I am still building.

Existing tools like Semgrep find patterns of danger. They find known vulnerabilities. But they do not understand intent. They do not know what your code was actually supposed to do.

They cannot tell if a function is safe but solves a problem that should not exist in your project.

I call this the intent gap. It is the distance between the code and its purpose.

Vibeanalyzer focuses on this gap. The tool asks you for the project's intent and its non-goals. It sets guardrails. When the AI evaluates the code, it knows the goal. It knows what is out of bounds.
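To make the "non-goals as guardrails" idea concrete, here is a small added example (my own illustration, not vibeanalyzer's code). It assumes a hypothetical mapping from each declared non-goal to the Node built-in modules that code serving that goal would need, and flags any file that imports one of them, even when the code itself is perfectly safe.

```typescript
// Added example, not vibeanalyzer's code: a minimal "intent gap" check.
// The project states its purpose and non-goals; each non-goal maps to the
// capabilities (Node built-in modules) that code pursuing it would need.
// A file importing such a module is flagged even if the code is safe.

interface ProjectIntent {
  purpose: string;
  nonGoals: string[];
}

interface Finding {
  file: string;
  module: string;
  nonGoal: string;
}

// Assumed mapping (illustrative, not a standard list) from non-goal to modules.
const CAPABILITY_MODULES: Record<string, string[]> = {
  "network access": ["http", "https", "net", "dgram", "node:http", "node:https", "node:net"],
  "spawning processes": ["child_process", "node:child_process"],
  "writing outside the project": ["fs", "node:fs", "fs/promises", "node:fs/promises"],
};

// Extract module specifiers from `import ... from "x"`, `import "x"`,
// `require("x")` and dynamic `import("x")` in TS/JS source text.
function importedModules(source: string): string[] {
  const re = /(?:\bfrom\s*|\brequire\s*\(\s*|\bimport\s*\(\s*|\bimport\s+)['"]([^'"]+)['"]/g;
  const mods: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) mods.push(m[1]);
  return mods;
}

// Compare every file's imports against the capabilities the intent rules out.
function checkIntentGap(intent: ProjectIntent, files: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const [file, source] of Object.entries(files)) {
    for (const mod of importedModules(source)) {
      for (const nonGoal of intent.nonGoals) {
        if ((CAPABILITY_MODULES[nonGoal] ?? []).includes(mod)) {
          findings.push({ file, module: mod, nonGoal });
        }
      }
    }
  }
  return findings;
}

// Constructed sample project: an offline CLI whose intent excludes networking.
const sampleIntent: ProjectIntent = {
  purpose: "Offline CLI that formats Markdown files",
  nonGoals: ["network access", "spawning processes"],
};
const sampleFiles: Record<string, string> = {
  "src/format.ts": 'import { readFileSync } from "node:fs";\nexport const fmt = (p: string) => readFileSync(p, "utf8").trim();',
  "src/telemetry.ts": 'import https from "node:https";\nexport function ping(url: string) { https.get(url); }',
};
```

Reading a file with `node:fs` is in scope for a formatter, so `src/format.ts` passes; `src/telemetry.ts` is flagged not because `https.get` is dangerous, but because networking is a declared non-goal.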

I have finished the intent loading part. I have basic TypeScript analysis and folder structure graphs. Next, I must build the AI layer. I do not know if AI can truly evaluate code against intent. It might just create false alarms. I will build it in the open to find out.

I updated my dependencies and cleared the known bugs. But unknown holes and logic errors remain. That is why the work continues.

Source: https://dev.to/stkremen/im-building-a-code-security-analyzer-a-security-tool-found-a-critical-in-it-4b77