UncategorizedVibe Coding Security385 lines
Real-Time Security Monitoring
Quick Summary14 lines
Most teams treat security scanning as a CI/CD gate — a check that runs after the code is pushed. By then, the vulnerability is committed, the secret is in git history permanently, and fixing it requires rewriting history or rotating credentials. The shift-left approach moves security scanning into the development loop: your editor, your pre-commit hooks, your local build. ## Key Points - repo: https://github.com/gitleaks/gitleaks - repo: https://github.com/Yelp/detect-secrets - repo: https://github.com/PyCQA/bandit - repo: https://github.com/hadolint/hadolint - repo: https://github.com/bridgecrewio/checkov - id: no-raw-sql - id: no-cors-wildcard - id: no-eval
skilldb get vibe-coding-security-skills/real-time-security-monitoringFull skill: 385 linesPaste into your CLAUDE.md or agent config
Real-Time Security Monitoring
Most teams treat security scanning as a CI/CD gate — a check that runs after the code is pushed. By then, the vulnerability is committed, the secret is in git history permanently, and fixing it requires rewriting history or rotating credentials. The shift-left approach moves security scanning into the development loop: your editor, your pre-commit hooks, your local build.
This skill covers setting up security scanning at every stage — from your IDE to runtime monitoring in production.
The Dev Loop Security Stack
IDE (real-time) → Pre-commit (before commit) → CI (before merge) → Runtime (in production)
Each layer catches what the previous one missed. No single layer is sufficient.
Pre-Commit Hooks for Secrets
The most impactful security tool you can install. Catches leaked secrets before they enter git history.
Setup with pre-commit Framework
# .pre-commit-config.yaml
repos:
# Secret detection
- repo: https://github.com/gitleaks/gitleaks
rev: v8.18.0
hooks:
- id: gitleaks
# Additional secret patterns
- repo: https://github.com/Yelp/detect-secrets
rev: v1.4.0
hooks:
- id: detect-secrets
args: ['--baseline', '.secrets.baseline']
# Security linting
- repo: https://github.com/PyCQA/bandit
rev: '1.7.7'
hooks:
- id: bandit
args: ['-c', 'pyproject.toml']
additional_dependencies: ['bandit[toml]']
# Dockerfile linting
- repo: https://github.com/hadolint/hadolint
rev: v2.12.0
hooks:
- id: hadolint
# YAML security (catches insecure k8s configs)
- repo: https://github.com/bridgecrewio/checkov
rev: '3.1.0'
hooks:
- id: checkov
args: ['--framework', 'kubernetes']
# Install and activate
pip install pre-commit
pre-commit install
# Run against all files (first time or audit)
pre-commit run --all-files
# Update hooks to latest versions
pre-commit autoupdate
Custom Secret Patterns
# .gitleaks.toml — custom rules for your project
[extend]
useDefault = true
[[rules]]
id = "custom-api-key"
description = "Custom API key pattern"
regex = '''(?i)(myapp[_-]?api[_-]?key|myapp[_-]?secret)\s*[=:]\s*['"]?[\w\-]{32,}'''
tags = ["key", "api"]
[[rules]]
id = "internal-url"
description = "Internal service URL"
regex = '''https?://internal\.\w+\.svc\.cluster\.local'''
tags = ["url", "internal"]
[allowlist]
paths = [
'''\.example$''',
'''test_.*\.py$''',
'''.*_test\.go$''',
]
IDE Extensions for Security
VS Code
// .vscode/extensions.json — recommend security extensions to the team
{
"recommendations": [
"snyk-security.snyk-vulnerability-scanner",
"SonarSource.sonarlint-vscode",
"redhat.vscode-yaml",
"ms-python.pylint"
]
}
// .vscode/settings.json — enable security checks
{
"sonarlint.rules": {
"javascript:S2068": { "level": "on" }, // Hardcoded credentials
"javascript:S5527": { "level": "on" }, // TLS verification
"javascript:S2245": { "level": "on" }, // Insecure random
"javascript:S5131": { "level": "on" } // XSS
},
"snyk.severity": {
"critical": true,
"high": true,
"medium": true,
"low": false
}
}
Semgrep (Language-Agnostic SAST)
# Install
pip install semgrep
# Run with community rules
semgrep --config auto .
# Run specific security rules
semgrep --config p/security-audit .
semgrep --config p/owasp-top-ten .
semgrep --config p/javascript .
# Create custom rules for your patterns
# .semgrep/custom-rules.yml
rules:
- id: no-raw-sql
patterns:
- pattern: db.query($SQL)
- pattern-not: db.query($SQL, $PARAMS)
message: "Use parameterized queries, not string-based SQL"
severity: ERROR
languages: [javascript, typescript]
- id: no-cors-wildcard
pattern: cors({ origin: '*' })
message: "CORS wildcard allows requests from any origin"
severity: WARNING
languages: [javascript, typescript]
- id: no-eval
pattern: eval(...)
message: "eval() executes arbitrary code — never use with user input"
severity: ERROR
languages: [javascript, typescript, python]
CI Security Pipeline
# .github/workflows/security.yml
name: Security Scan
on:
pull_request:
push:
branches: [main]
schedule:
- cron: '0 6 * * 1' # Weekly Monday 6am
jobs:
sast:
name: Static Analysis
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Semgrep scan
uses: returntocorp/semgrep-action@v1
with:
config: >-
p/security-audit
p/owasp-top-ten
.semgrep/
env:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
secrets:
name: Secret Detection
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history for scanning
- name: Gitleaks
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
dependencies:
name: Dependency Audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: npm ci
- run: npm audit --audit-level=high
- uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
container:
name: Container Scan
runs-on: ubuntu-latest
needs: [sast]
steps:
- uses: actions/checkout@v4
- run: docker build -t myapp:${{ github.sha }} .
- name: Trivy scan
uses: aquasecurity/trivy-action@master
with:
image-ref: myapp:${{ github.sha }}
severity: 'HIGH,CRITICAL'
exit-code: '1'
Runtime Security Monitoring
Application-Level Anomaly Detection
// Detect suspicious patterns in real time
class SecurityMonitor {
private redis: Redis;
private logger: Logger;
async trackRequest(req: Request): Promise<void> {
const ip = req.ip;
const userId = req.user?.id || 'anonymous';
const path = req.path;
// Track request rate per IP
const ipKey = `security:rate:${ip}`;
const ipCount = await this.redis.incr(ipKey);
if (ipCount === 1) await this.redis.expire(ipKey, 60);
if (ipCount > 100) {
this.logger.warn({ msg: 'High request rate', ip, count: ipCount });
// Could trigger automatic block
}
// Track failed auth attempts
if (path.includes('/auth/login') && req.method === 'POST') {
const failKey = `security:authfail:${ip}`;
// Incremented in error handler when auth fails
}
// Detect path traversal attempts
if (req.url.includes('..') || req.url.includes('%2e%2e')) {
this.logger.warn({
msg: 'Path traversal attempt',
ip,
url: req.url,
userId,
});
}
// Detect SQL injection attempts
const sqlPatterns = /('|"|;|--|\/\*|\*\/|union\s+select|drop\s+table)/i;
const fullUrl = req.originalUrl + JSON.stringify(req.body || {});
if (sqlPatterns.test(fullUrl)) {
this.logger.warn({
msg: 'Potential SQL injection',
ip,
url: req.originalUrl,
userId,
});
}
}
}
// Middleware
app.use(async (req, res, next) => {
await securityMonitor.trackRequest(req);
next();
});
Log-Based Alerting
// Structured security events for log aggregation
const SECURITY_EVENTS = {
AUTH_FAILURE: 'auth.failure',
AUTH_BRUTE_FORCE: 'auth.brute_force',
PATH_TRAVERSAL: 'security.path_traversal',
RATE_LIMIT_HIT: 'security.rate_limit',
PERMISSION_DENIED: 'security.permission_denied',
SUSPICIOUS_INPUT: 'security.suspicious_input',
} as const;
function securityEvent(
event: string,
details: Record<string, unknown>
) {
logger.warn({
security_event: event,
timestamp: new Date().toISOString(),
...details,
});
}
// Usage
securityEvent(SECURITY_EVENTS.AUTH_BRUTE_FORCE, {
ip: req.ip,
attempts: failCount,
targetEmail: maskedEmail,
});
// These events can be picked up by:
// - CloudWatch Logs Insights / GCP Cloud Logging
// - Datadog / Splunk / ELK queries
// - PagerDuty/OpsGenie alerting rules
CloudWatch Alert Example
{
"MetricFilters": [{
"filterName": "SecurityEvents",
"filterPattern": "{ $.security_event = \"auth.brute_force\" }",
"metricTransformations": [{
"metricName": "BruteForceAttempts",
"metricNamespace": "MyApp/Security",
"metricValue": "1"
}]
}],
"Alarms": [{
"alarmName": "BruteForceAlert",
"metricName": "BruteForceAttempts",
"threshold": 10,
"evaluationPeriods": 1,
"period": 300,
"statistic": "Sum",
"comparisonOperator": "GreaterThanThreshold"
}]
}
Continuous Monitoring Checklist
| Stage | Tool | What It Catches |
|---|---|---|
| IDE | SonarLint, Snyk | Vulnerabilities as you type |
| Pre-commit | gitleaks, semgrep | Secrets, insecure patterns |
| PR review | Semgrep CI, Snyk | New vulnerabilities in changes |
| Build | Trivy, npm audit | Dependency and container CVEs |
| Deploy | OPA/Gatekeeper | Policy violations in k8s manifests |
| Runtime | Custom monitors | Active exploitation attempts |
| Scheduled | Full repo scan | Drift, new CVEs in existing code |
Security scanning should never be a one-time event. It runs continuously, at every stage, catching different classes of vulnerabilities. The earlier you catch it, the cheaper it is to fix. A secret caught in pre-commit costs 30 seconds. The same secret found in production costs an incident response.
Install this skill directly: skilldb add vibe-coding-security-skills
Related Skills
AI-Specific Vulnerabilities
Vibe Coding Security•378L
Authentication and Authorization Patterns
Vibe Coding Security•369L
Container and Deployment Security
Vibe Coding Security•420L
Credential Management
Vibe Coding Security•391L
Database Security Hardening
Vibe Coding Security•323L
Dependency Supply Chain Security
Vibe Coding Security•362L