secure-vibe-kit
Advanced tools
Security-first Claude Code agents, commands, skills, and CI workflows for any project
Security-first Claude Code agents, commands, skills, and CI workflows — installable into any project with a single command.
| Folder | Contents |
|---|---|
.claude/agents/ | Security assessment agents (orchestrator, scanner, tracer, reporter, threat modeler) |
.claude/commands/ | 30+ slash commands for git workflow, CI, deployment, security scanning |
.claude/skills/ | Security implementation skills, awareness training, prompt engineering guides, lessons library |
.github/workflows/ | CI pipeline (lint, test, security audit, build) + Claude Code review automation |
scripts/timestamp-helper.sh | Consistent timestamp generation used by security agents |
CLAUDE.md | Git conventions, branch rules, commit format, slash command reference, security reminders |
# Install into your existing project
cd your-project
npx secure-vibe-kit init
# Update to latest version anytime
npx secure-vibe-kit update
# Check what's installed
npx secure-vibe-kit status
initFirst-time installation. Copies all files and appends a marker-delimited block to your CLAUDE.md.
If .claude/agents/ already exists, it will warn you and suggest update instead (use --force to override).
updateRefreshes all files to the latest version. Directories using replace mode are wiped and recopied fresh. The CLAUDE.md marker block is found and replaced in-place — your custom content outside the markers is preserved.
statusShows which components are currently installed in the project.
| Flag | Description |
|---|---|
--dry-run | Show what would be written without making changes |
--skip-claude-md | Skip the CLAUDE.md merge step |
--force | Overwrite without confirmation prompts |
The kit wraps its content in HTML comment markers:
<!-- BEGIN secure-vibe-kit -->
[kit content here]
<!-- END secure-vibe-kit -->
init: Appends the block to the end of your existing CLAUDE.md (or creates the file)update: Finds and replaces the existing block, leaving your custom content untouched| Target | Mode | Behavior |
|---|---|---|
.claude/agents/ | replace | Deletes and recreates the entire directory |
.claude/commands/ | replace | Deletes and recreates the entire directory |
.claude/skills/ | replace | Deletes and recreates the entire directory |
.github/workflows/ | merge | Copies kit workflows without deleting your own |
scripts/timestamp-helper.sh | file | Single file copy, preserves other scripts |
To sync the latest files from the parent repo:
cd secure-vibe-kit
./scripts/sync-from-source.sh
Then bump the version in package.json and publish:
npm version patch
npm publish
MIT
FAQs
Security-first Claude Code agents, commands, skills, and CI workflows for any project
We found that secure-vibe-kit demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
/Security News
The North Korean malware loader hides in a Packagist-listed package and its GitHub branch to fetch and execute remote code in a likely Contagious Interview-style lure.
Research
/Security News
A malicious NuGet package impersonating Sicoob exfiltrated client IDs, PFX passwords, and banking certificates through Sentry telemetry.
Security News
Feross Aboukhadijeh joins TBPN to discuss Socket's $60M Series C, 500%+ ARR growth, AI's impact on open source, and the rise in supply chain attacks.