34 checks. Zero config. Full report in 5 seconds. Architecture diagrams, trend tracking, best practices audit, and LLM readiness analysis — built for how software is made in 2026.
npx @vibecodeqa/cli
npx @vibecodeqa/cli — auto-detects your stack (TS/JS, React, Dart/Flutter), runs 34 checks, generates a full report.
A-F grade with transparent weighted scoring. Every issue shows file, line, rule, and how to fix it.
Each run compares to the previous one. See score deltas, new issues, and what you fixed.
Every dimension of code quality, scored 0-100 with research-backed methodology
Project structure, lint (Biome/ESLint auto-detected), TypeScript types, type safety (as any counts), code standards (naming, file size, code smells, strict mode).
Cognitive complexity, duplication (jscpd), error handling (info leakage), React/Vue/Svelte patterns, accessibility, documentation, production readiness, GitHub Actions security (10 checks).
6 sub-dimensions: testing pyramid layers, pass/fail execution, statement/branch/line/function coverage, file pairing, assertion density vs mock ratio, Playwright/Cypress detection.
Import graph + 6 interactive SVG diagrams (dep graph, DSM, sequence, layer, package, container). Circular deps, god modules, coupling metrics. Performance: barrel imports, heavy deps, dead code (Knip).
Secret detection (delegates to gitleaks, 14 built-in patterns). 36 CWE-mapped patterns (XSS, injection, SSRF, CORS, credential storage, cookies, redirects). Delegates to eslint-plugin-security when installed. Dependency audit via npm audit.
Confusion Index — naming ambiguity that causes AI to edit the wrong code. Context Locality — file self-containment for LLM comprehension. Research: GPT-4o drops 28.6% with ambiguous names.
Auto-detects your tools. Dedicated analysis for each ecosystem.
Biome/ESLint, tsc, vitest/jest, Playwright. React hooks rules, JSX accessibility, component testing.
Full SFC support. Script extraction for logic checks, template scanning for a11y + security (v-html XSS).
Express/Hono/Fastify, Cloudflare Workers, error handling, security SAST, dependency audit, monorepo support.
dart analyze, flutter_test, pub outdated, melos workspaces. Full analysis adapted for the Dart ecosystem.
Create .vcqa.json to disable checks, ignore paths, set per-check exclusions, and configure quality thresholds.
--pr-comment posts score, trend, and top issues as a GitHub PR comment. Upserts to avoid duplicates.
--diff main filters issues to only changed files. See what your PR introduced, not inherited debt.
--markdown generates a clean markdown report. Pipe to clipboard, paste into docs, or attach to issues.
--annotations emits ::warning and ::error lines. Issues appear inline on PR diffs.
Embed <img src="api.vibecodeqa.online/badge/org/repo.svg"> in READMEs, dashboards, and store listings.
Install the VibeCode QA GitHub App to auto-scan every pull request — score and top issues as a PR comment, a pass/fail quality gate status check, and SARIF uploaded to the Security tab. Sets up the workflow for you on install.
A live code-health cockpit for your machine. Point it at a repo — it re-scans on every save and turns your report into interactive dashboards, with an AI copilot on every page.
Universal build for Apple Silicon & Intel · signed & notarized by Apple · all platforms & versions
Health, dependency graph, complexity, clones, types, lint, security, dependencies, tests, trends, and file activity — each a focused, interactive view over your report. Click any finding to jump straight to the file.
Runs @vibecodeqa/cli in the background and refreshes the instant you change a file. Your score, issues, and graphs stay live while you code — nothing to re-run.
A per-page chat that sees exactly what you're looking at. Ask it to explain the worst issue, read the source to validate a finding, draft a fix plan, write a note, or file a GitHub issue. Anthropic, OpenAI, or Gemini — your key, kept in your OS keychain. Every write is confirm-gated.
The macOS build is Developer ID–signed and notarized by Apple — it just opens, no Gatekeeper warning. Windows .msi/.exe and Linux .AppImage/.deb/.rpm ship alongside every release.
Prefer the terminal? npx @vibecodeqa/cli monitor runs a full-screen TUI version.
Give your AI coding agent real-time code health context via Model Context Protocol.
claude mcp add vcqa -- npx @vibecodeqa/mcp
Works with Claude Code, Cursor, and any MCP client. 7 tools: score, scan, file health, check details, explain, AI fix, delta.
Before editing: Agent calls vcqa_file_health to see existing issues.
After editing: Agent calls vcqa_score to verify it didn't degrade quality.
Understanding: Agent calls vcqa_explain to learn why a check flags something.
2025 was about speed. 2026 is about keeping AI-generated code safe and maintainable.
AI-generated code introduces 1.7× more issues than human-written code. 23.7% more security vulnerabilities. Double the code churn rate. Without guardrails, AI agents accumulate technical debt faster than humans can review it.
Layered guardrails: MCP servers give agents code health context in real-time. PR comments catch regressions before merge. Quality gates block deploys when score drops. Trend tracking shows if AI is improving or degrading your codebase over time.
Desktop Monitor app (signed & notarized) · AI Copilot · GitHub App (PR scans + quality gates) · MCP server · Config file · PR comments · Diff mode · Markdown output · GH Actions annotations · Badge API · Coverage ingestion · Monorepo support
AI code attribution (flag AI-generated commits) · Change risk hotspots (git churn × code health) · 30/60/90 day regression tracking · IDE extension
AI defect rate dashboard · Cross-service dependency detection · API surface stability tracking · Real-time MCP guardrails (block agent from degrading score)
The CLI is open source and always free. While we're in early access, the hosted dashboard, org views, and GitHub App are free too — the Team & Org prices below are the planned pricing.
Weights are visible. Every point of your score is explained.
Join developers who use VibeCode QA to catch bugs, reduce complexity, and keep their AI-assisted code clean.
npx @vibecodeqa/cli