Skip to content

luisfer/ubon

BranchesTags

Repository files navigation

πŸͺ· Ubon

Ubon β€” Peace of mind for vibe‑coded apps

TL;DR

Fed up with "You're absolutely right!" when debugging vibe‑coded apps with AI?

npm i -g ubon@latest
ubon scan --interactive  # Guided issue walkthrough

πŸͺ· Peace of mind for vibe‑coded apps.

npm version npm downloads Test Coverage License: MIT

Contents

What is Ubon?

Ubon is a security scanner designed for AI-generated code. It catches the issues that traditional linters miss: hardcoded secrets, accessibility failures, broken links, and those subtle vulnerabilities that only surface in production.

Ubon is a fast static analysis tool for modern, AI‑generated "vibe‑coded" apps. It finds real, shippable issuesβ€”secrets, insecure cookies/redirects, accessibility problems, broken links, and config mistakesβ€”and explains how to fix them with file:line context.

Use the colorized triage in the terminal or JSON/SARIF for CI and AI. Profiles cover Next.js/React, Python, and Rails (experimental). See profiles in docs/PROFILES.md and the full capability matrix in docs/FEATURES.md.

At a glance

  • Security, accessibility, links, and config checks across Next.js/React, Python, Vue, and Rails (experimental)
  • Human-friendly triage: grouping, color, context, explanations, confidence scores
  • Baselines and inline suppressions for low-noise adoption
  • JSON and SARIF outputs for CI and AI; OSV caching for speed
  • Safe autofixes and optional PR creation; watch mode and changed-files gates

How Ubon Compares

Feature Ubon πŸͺ· ESLint npm audit Lovable Scanner
Hardcoded Secrets βœ… High accuracy ❌ No ❌ No ⚠️ Basic patterns
Supabase RLS Validation βœ… Deep analysis ❌ No ❌ No ⚠️ Shallow check
Vite Security βœ… Specialized ❌ No ❌ No ❌ No
Accessibility (a11y) βœ… Comprehensive ⚠️ Plugin only ❌ No ❌ No
AI-Generated Code Issues βœ… Purpose-built ❌ No ❌ No ⚠️ Limited
Link Validation βœ… External + Internal ❌ No ❌ No ❌ No
Placeholder Detection βœ… DEV001-005 ❌ No ❌ No ❌ No
Auto-Fix βœ… Safe fixes ⚠️ Some rules ❌ No ❌ No
Interactive Mode βœ… Guided debugging ❌ No ❌ No ❌ No
CI/CD Integration βœ… SARIF, JSON βœ… Yes βœ… Yes ⚠️ Limited
SQL Injection (Supabase) βœ… Query analysis ❌ No ❌ No ❌ No

TL;DR: Use ESLint for code style, npm audit for known CVEs, and Ubon for AI-generated code security.

The Reality of Debugging AI-Generated Code

Without Ubon

User: "The payment button doesn't work"

AI: "You're absolutely right! Let me fix that for you..."

regenerates the component

User: "Still broken"

AI: "I apologize! Let me try a different approach..."

adds more event handlers

User: "Nothing happens when I click"

AI: "I see the issue now! Let me update the onClick handler..."

rewrites the same broken logic

[3 hours later...]

User: "PLEASE JUST MAKE IT WORK"

AI: "I understand your frustration! Let me completely refactor..."

With Ubon

$ ubon check --group-by severity --min-severity medium

πŸͺ· Ubon β€” Triage
High: 1 error   Medium: 1 warning

HIGH
  ❌ SEC003 Hardcoded OpenAI key (lib/ai.ts:12)
     fix: Move key to OPENAI_API_KEY env var

MEDIUM
  ⚠️ A11Y001 Image without alt attribute (components/Hero.tsx:22)
     fix: Add alt="" or a short descriptive text

Result: Issues fixed in minutes, not hours.

About me and Ubon

Hi, I'm Luisfer Romero Calero, an experienced software engineer passionate about building products and being creative. I created Ubon in six days, obsessed with solving a problem I kept seeing everywhere: the current wave of AI-generated "vibe-coded" apps that, while incredibly quick to build, are frustrating to deploy and use because AI overlooks so many essential details.

The explosion of AI-generated apps through tools like Lovable, Replit, Cursor and Windsurf has democratized software creation. But it's also created a quiet reliability crisis. Non-technical users prompt AI with "this doesn't work!!!" without knowing what to check, they don't have the vocabulary to prompt precisely, and AI assistants miss the non‑obvious issues that slip past linters: hardcoded secrets, broken links, accessibility failures, and those subtle security vulnerabilities that only surface in production.

I built Ubon after realizing that instead of fighting this AI-powered wave, we should embrace it and make it better. Think of Ubon as a safety net for the age of AI-generated code, a gentle guardian that catches what traditional tools miss. It works seamlessly with the standard Next.js/React repos that agentic AI tools create by default, as well as Python projects and Vue.js ones.

My hope is that Ubon becomes so essential it gets baked into Cursor, Windsurf, and other AI coding tools, automatically scanning every vibe-coded creation before it hits production. Because when anyone can ship software, everyone needs peace of mind.

Ubon means lotus in Thai, inspired by Ubon Ratchathani province where someone very special to me is from. The lotus represents the clarity and peace of mind this tool brings to debugging.

Quick Start

Installation

npm install -g ubon

Basic Usage

ubon check                    # Quick static analysis
ubon scan --interactive       # Guided issue walkthrough
ubon check --ai-friendly      # JSON output for AI agents
ubon explain SEC001           # Learn about a specific rule

What's New in v2.0.0

Vibe Code Detection β€” 4 new rules for AI-generated code:

  • VIBE001: Hallucinated imports β€” packages not in package.json
  • VIBE002: Copy-paste artifacts β€” repeated code blocks
  • VIBE003: Incomplete implementations β€” placeholders, stubs, "Not implemented"
  • VIBE004: Orphaned exports β€” unused exports

New Features:

  • Security Posture Score: 0-100 score with visual bar
  • --preview-fixes: See diff-like preview before applying fixes
  • confidenceReason: Each finding explains its confidence level
  • ubon explain <rule>: Get detailed info about any rule
  • Cursor Integration: docs/CURSOR.md guide and .cursor/rules/
  • All scanners exported: Use any scanner programmatically
# Preview what would be fixed
ubon check --preview-fixes

# See security posture score
ubon check
# πŸͺ· Security Posture: 85/100 [β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–‘β–‘β–‘β–‘]

# Learn about a specific rule
ubon explain SEC001
ubon explain VIBE003

See docs/CURSOR.md for Cursor integration guide and CHANGELOG.md for previous releases.

Commands

ubon check                              # Quick static analysis
ubon scan                               # Full scan with link checking
ubon scan --interactive                 # Guided issue walkthrough
ubon check --git-changed-since main     # Scan only changed files (CI)
ubon check --apply-fixes                # Apply safe auto-fixes
ubon check --preview-fixes              # Preview fixes before applying
ubon explain <rule>                     # Detailed info about a rule

Output formats:

ubon check --json                       # JSON for AI agents
ubon check --sarif results.sarif        # SARIF for GitHub code scanning
ubon check --format table               # Table for quick triage

See docs/CLI.md for full reference.

Configuration

ubon init                    # Generate project config
ubon check --update-baseline # Suppress existing issues, focus on new code

Config file (ubon.config.json):

{
  "profile": "next",
  "minConfidence": 0.8,
  "failOn": "error",
  "disabledRules": ["SEC018"]
}

See docs/CONFIG.md for full options.

Documentation

Requirements

  • Node.js 16+
  • Git (for --git-changed-since)
  • Python 3.x (for Python scanning)

License

MIT β€” see LICENSE.

About

Peace of mind for vibe-coded apps

www.npmjs.com/package/ubon

Topics

react python security typescript nextjs vibe-coding vibe-coding-assistant

Resources

Readme

License

MIT license

Contributing

Contributing

Security policy

Security policy
Activity

Stars

47 stars

Watchers

0 watching

Forks

3 forks
Report repository

Releases 10

v2.0.0 β€” The Vibe Code Edition Latest
Feb 1, 2026
+ 9 releases

Packages

 
 
 

Contributors

Languages