Full SFC support. VibeCode QA extracts <script> for logic analysis and scans templates for security + accessibility.
npx @vibecodeqa/cli
npx @vibecodeqa/cli init # creates .github/workflows/vibecodeqa.yml npx @vibecodeqa/cli fix # auto-fix lint issues + show fix suggestions
Auto-detects: vue or nuxt in dependencies, Vite bundler, vitest/jest test runner.
| Part of SFC | What's Checked |
|---|---|
<script setup> | Type safety, complexity, duplication, error handling, imports, architecture graph |
<template> | Accessibility (img alt, click handlers), Security (v-html XSS) |
<style> | Not analyzed (CSS is out of scope) |
| Pattern | Severity | Why |
|---|---|---|
v-html="..." | Warning (CWE-79) | Renders raw HTML — equivalent to React's dangerouslySetInnerHTML. Sanitize user input with DOMPurify. |
| Pattern | Severity | Why |
|---|---|---|
<div @click> without role + @keydown | Warning | Non-interactive elements with click handlers exclude keyboard users. |
<img> without alt | Error | Images without alt text are invisible to screen readers. |
autofocus | Warning | Disorients screen reader users. |
Complexity, duplication, error handling, secrets, dependencies, architecture — all work on the extracted <script> content. Vue files appear in the import graph and architecture diagrams.
Nuxt is detected via nuxt in dependencies. When found:
.nuxt/ directory excluded from scanningapp/ directory included in source roots# Core pnpm add -D typescript @biomejs/biome vitest # Vue-specific ESLint (optional — enables deeper checks in lint runner) pnpm add -D eslint eslint-plugin-vue # Security brew install gitleaks # E2E pnpm add -D @playwright/test
v-for without :key (planned — currently only React's missing key is checked)Home · Tool Decisions · TS + React · Node.js · Flutter