Tool Decisions & Transparency

What tools we use, what we built ourselves, and why. Open by design.

Last updated: 2026-05-25

Our Philosophy

Present, score, trend — don't reimplement. We delegate to the best-in-class tool for each job. Our value is the unified view: one command, one score, one report across everything. When the dedicated tool isn't installed, we fall back to built-in heuristics so you always get a result.

Decision Matrix

Category | Chosen Tool | Fallback | Why This One
Linting | biome or eslint | none | Auto-detected from project config. Biome is the fastest lint-plus-format toolchain; ESLint has 4000+ plugins. We run whichever you have.
Type Checking | tsc | none | The reference TypeScript type checker; wrappers such as vue-tsc still run it underneath.
Test Execution | vitest or jest | none | Auto-detected. We run your test runner with a JSON reporter plus coverage.
Secret Detection | gitleaks | built-in (14 regex) | 26K GitHub stars, MIT, 800+ patterns, scans git history. Fastest for pre-commit.
Duplication | jscpd CLI | built-in (@jscpd/core) | Token-based (Rabin-Karp), maximal clones. The built-in fallback runs jscpd's own @jscpd/core engine over our lightweight tokenizer: same algorithm, ~100 KB instead of the full 2.5 MB language-grammar tokenizer. The opt-in CLI adds tokenizing for 223 formats plus HTML reports.
Dep Vulnerabilities | npm audit | none | Zero install, ships with npm. For deeper coverage, install Snyk or Socket.
React Hooks | eslint-plugin-react-hooks | built-in (regex) | Authoritative (maintained by the React team) and AST-based, so it catches hook violations the regex fallback cannot.
Accessibility | eslint-plugin-jsx-a11y | built-in (regex) | Static a11y checking at lint time. For runtime testing, add axe-core.
Security (SAST) | eslint-plugin-security | built-in (36 CWE patterns) | When installed, adds ReDoS, timing-attack and non-literal fs/require detection. The built-in covers OWASP Top 10 categories: XSS, injection, CORS, credential storage, cookies, open redirects. Use Semgrep or CodeQL for deeper analysis.
Architecture | VibeCode QA (unique) | n/a | Import graph + 6 interactive diagrams. No other tool does this for JS/TS at zero-config.
AI Readiness | VibeCode QA (unique) | n/a | Token density, naming confusion, context sink analysis. Nobody else measures this.
Dead Code | knip | none | 30K+ stars, used by Vercel. Finds unused files, exports, and dependencies. Auto-detected if installed.
Dart/Flutter | dart analyze | none | Official Dart static analyzer. Detects type errors, lint rule violations, and deprecated API usage.
Complexity | VibeCode QA | n/a | Per-function cognitive complexity + line count. Complements Biome's file-level check.
License Compliance | VibeCode QA | n/a | Scans node_modules for copyleft licenses (GPL, AGPL, SSPL). Flags unknown licenses. Use license-checker for a deeper audit.
Coverage Ingestion | VibeCode QA | n/a | Reads existing coverage-summary.json or lcov.info. Works with --skip-tests.
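
The built-in secret-detection fallback in the table above is a fixed set of regexes. What follows is an added example, not VibeCode QA's code, of how such a fallback is usually built: a few token-shaped patterns plus a generic assignment rule that is only reported when the value has enough Shannon entropy to look random, so placeholders and dictionary passwords are not flagged. The rule ids, the 3.5-bit threshold, the masking, and the sample input are assumptions made for this example; the AKIA... value is the non-functional example key from AWS documentation.

```javascript
// Added example, not VibeCode QA's code: a regex-plus-entropy secret scanner
// of the kind a tool falls back to when gitleaks is not on PATH.

// Specific token formats (the AWS access-key and GitHub PAT prefixes are
// public), plus one generic assignment rule gated on entropy.
const RULES = [
  { id: "aws-access-key-id", re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { id: "github-pat", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { id: "private-key", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
  {
    id: "generic-secret",
    re: /(?:api[_-]?key|secret|token|password)\s*[:=]\s*["']([^"']{16,})["']/gi,
    minEntropy: 3.5, // assumed cut-off: words and repeated placeholders fall below it
  },
];

// Shannon entropy in bits per character. Random tokens score around 4 to 5;
// dictionary words and repeated placeholders score well under 3.5.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Never echo the full secret into a report: keep a short prefix for triage.
function mask(value) {
  return value.slice(0, 4) + "*".repeat(Math.max(0, value.length - 4));
}

function scanText(text, file = "<input>") {
  const findings = [];
  const seen = new Set(); // (line, value) pairs already reported by a more specific rule
  text.split("\n").forEach((line, idx) => {
    for (const rule of RULES) {
      rule.re.lastIndex = 0; // global regexes keep state between exec() calls
      let m;
      while ((m = rule.re.exec(line)) !== null) {
        const value = m[1] ?? m[0];
        if (rule.minEntropy !== undefined && shannonEntropy(value) < rule.minEntropy) continue;
        const key = `${idx}:${value}`;
        if (seen.has(key)) continue;
        seen.add(key);
        findings.push({ rule: rule.id, file, line: idx + 1, match: mask(value) });
      }
    }
  });
  return findings;
}

// Constructed input: AWS's documentation example key, a synthetic PAT,
// a low-entropy password (not reported) and a random-looking API key.
const SAMPLE = [
  "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
  'const token = "ghp_0123456789abcdefghijklmnopqrstuvwxyz";',
  'const password = "hunter2hunter2hunter2";',
  'const apiKey = "aB3dE5gH7jK9mN1pQ2sT4vW6xY8zA0cF";',
  "-----BEGIN RSA PRIVATE KEY-----",
].join("\n");

console.log(scanText(SAMPLE, "config.js"));
```

The entropy gate is what keeps a 14-regex fallback usable: without it the generic rule fires on every `password = "changeme-changeme"` in a fixture file. Note that this scans only the working tree; the git-history coverage that makes gitleaks worth installing is exactly what a fallback like this does not give you.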

Tools We Evaluated But Didn't Choose

TruffleHog Not default

Why not: Gitleaks is faster for our use case
TruffleHog's killer feature is credential verification (checking if leaked secrets are still active). That's valuable but slow — it makes network calls. For a fast CLI scan, Gitleaks' regex-only approach runs in milliseconds. Recommendation: use TruffleHog in CI/CD for deeper scans.

Semgrep Not bundled

Why not: Requires Python, too heavy for zero-config
Semgrep has 3000+ community rules and proper AST pattern matching — far more accurate than our regex. But it requires Python/Docker and takes 10-30s to install. Our goal is zero-config: npx @vibecodeqa/cli should work instantly. We recommend Semgrep as a "go deeper" tool for security-critical projects.

CodeQL Not bundled

Why not: Needs a compiled database, and its license limits use outside open source
CodeQL does deep data-flow analysis (tracking tainted input from source to sink) that regex can never match. The CodeQL CLI does run locally, but it first has to build a database of the codebase, which takes seconds to minutes, and its license only permits use on open-source code unless you have GitHub Advanced Security. We output SARIF, the same format CodeQL produces, so GitHub code scanning can show both tools' results side by side.

SonarQube Needs server

Why not: Requires self-hosted server, 4GB+ RAM
SonarQube is the enterprise standard with 5000+ rules. But it needs a running server (Java, PostgreSQL, 4GB RAM minimum). We're a CLI that runs in 5 seconds. Different philosophy. For enterprises that want SonarQube depth + our architecture diagrams, we complement rather than compete.

Oxlint Too narrow

Why not: Linter-only, no formatter, fewer rules than Biome
Oxlint is 2x faster than Biome for linting. But it's intentionally narrow — no formatter, no import sorting. Biome gives the full package in one tool. We auto-detect whichever linter you use, including Oxlint if configured.

Fallow Overlapping scope

Why not: Similar scope to VibeCode QA
Fallow is a Rust-native codebase intelligence tool for TS/JS with unused code, duplication, circular deps, and complexity analysis. It's fast and has MCP/agent integration. We see it as a peer rather than a tool to delegate to — similar philosophy, different execution. Users can choose either or use both (Fallow for real-time agent queries, VibeCode QA for scoring + reports).

Socket.dev Not free enough

Why not: Best supply-chain protection but limited free tier
Socket intercepts malicious packages BEFORE install — behavioral analysis, not just CVE database. It's the future of dependency security. But the free tier is limited. We use npm audit (free, zero-config) and recommend Socket as an upgrade for production apps.

What We Built Ourselves (and Why)

Architecture Analysis Unique

Import graph construction, circular dependency detection, god module identification, fan-in/fan-out metrics, package stability (Martin), and 6 interactive SVG diagrams. No existing tool provides this at zero-config for JS/TS monorepos.
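
An added example, not VibeCode QA's code, of the graph metrics named above on a constructed module map: fan-in and fan-out per module, Martin's instability I = Ce / (Ca + Ce), circular-dependency detection by depth-first search, and a simple "god module" cut. The module names, the degree threshold, and computing instability per file rather than per package are assumptions made for this example.

```javascript
// Added example, not VibeCode QA's code: import-graph metrics on a
// constructed module map (file -> files it imports, already resolved).
const MODULES = {
  "src/index.ts": ["src/api/users.ts", "src/api/orders.ts", "src/db.ts"],
  "src/api/users.ts": ["src/db.ts", "src/util/log.ts"],
  "src/api/orders.ts": ["src/db.ts", "src/api/users.ts", "src/util/log.ts"],
  "src/db.ts": ["src/util/log.ts", "src/config.ts"],
  "src/util/log.ts": ["src/config.ts"],
  "src/config.ts": ["src/util/log.ts"], // config <-> log is a cycle
};

// Fan-out = Ce (efferent couplings), fan-in = Ca (afferent couplings).
// Martin's instability I = Ce / (Ca + Ce): 1.0 means nothing depends on the
// module (safe to change), 0.0 means it is pure foundation (changes ripple).
function fanMetrics(graph) {
  const metrics = {};
  const entry = (name) => {
    if (!metrics[name]) metrics[name] = { fanIn: 0, fanOut: 0, instability: 0 };
    return metrics[name];
  };
  for (const [mod, deps] of Object.entries(graph)) {
    entry(mod).fanOut = deps.length;
    for (const dep of deps) entry(dep).fanIn++;
  }
  for (const m of Object.values(metrics)) {
    const total = m.fanIn + m.fanOut;
    m.instability = total === 0 ? 0 : m.fanOut / total;
  }
  return metrics;
}

// Recursive DFS with three colours: reaching a GRAY node again is a back
// edge, and the stack slice from that node to the top is the cycle.
function findCycles(graph) {
  const WHITE = 0, GRAY = 1, BLACK = 2;
  const color = new Map();
  const stack = [];
  const cycles = [];
  const visit = (node) => {
    color.set(node, GRAY);
    stack.push(node);
    for (const dep of graph[node] ?? []) {
      const c = color.get(dep) ?? WHITE;
      if (c === GRAY) cycles.push(stack.slice(stack.indexOf(dep)));
      else if (c === WHITE) visit(dep);
    }
    stack.pop();
    color.set(node, BLACK);
  };
  for (const node of Object.keys(graph)) {
    if ((color.get(node) ?? WHITE) === WHITE) visit(node);
  }
  return cycles;
}

// "God modules": total degree (fan-in + fan-out) at or above a threshold.
function godModules(graph, minDegree = 5) {
  return Object.entries(fanMetrics(graph))
    .filter(([, m]) => m.fanIn + m.fanOut >= minDegree)
    .map(([name]) => name)
    .sort();
}

console.log(fanMetrics(MODULES), findCycles(MODULES), godModules(MODULES));
```

On this map the DFS reports the single cycle `src/util/log.ts -> src/config.ts`, `src/util/log.ts` has the highest fan-in (4) and the lowest instability (0.2), and `src/index.ts` has instability 1.0 because nothing imports it. The security-relevant reading is the low-instability, high-fan-in modules: a vulnerable dependency pulled in by `src/util/log.ts` is reachable from every route, whereas one pulled in only by `src/index.ts` is not.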

AI Readiness Checks Unique

Confusion Index: Levenshtein filename similarity, synonym detection, export collisions, generic variable names. Measures how likely an LLM is to edit the wrong file or call the wrong function.

Context Density: Token count per file, import depth, circular dependency impact on context windows. Measures how expensive each file is for an AI to understand.
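
An added example, not VibeCode QA's code, of the filename-similarity and synonym parts of the Confusion Index described above. It pairs up files whose basenames are within a small edit distance of each other, are identical across directories, or are synonyms for the same concept. The synonym table, the plural stripping, the distance cut-off and the file list are assumptions made for this example.

```javascript
// Added example, not VibeCode QA's code: two signals of a confusion index,
// Levenshtein distance between basenames and a small synonym table.

// Classic two-row Levenshtein edit distance.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const subst = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, subst);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Names that mean the same thing to a human but are distinct tokens to a
// model that has only seen one of them in its context window (assumed table).
const SYNONYM_GROUPS = [
  ["user", "account", "member"],
  ["util", "helper", "lib", "common"],
  ["config", "settings", "options"],
];

const basename = (path) => path.split("/").pop().replace(/\.[^.]+$/, "").toLowerCase();
// Crude plural stripping so users.ts and user.ts share a stem.
const stem = (name) => (name.length > 3 && name.endsWith("s") ? name.slice(0, -1) : name);
const groupOf = (name) => SYNONYM_GROUPS.findIndex((g) => g.includes(stem(name)));

// Every pair of files an agent could plausibly mix up, with the reason.
function confusingPairs(files, maxDistance = 2) {
  const pairs = [];
  for (let i = 0; i < files.length; i++) {
    for (let j = i + 1; j < files.length; j++) {
      const a = basename(files[i]);
      const b = basename(files[j]);
      const d = levenshtein(a, b);
      if (d <= maxDistance) {
        pairs.push({ a: files[i], b: files[j], reason: d === 0 ? "identical basename" : `edit distance ${d}` });
      } else if (groupOf(a) !== -1 && groupOf(a) === groupOf(b)) {
        pairs.push({ a: files[i], b: files[j], reason: `synonyms (${a} / ${b})` });
      }
    }
  }
  return pairs;
}

// Constructed file list with three kinds of confusion in it.
const SAMPLE_FILES = [
  "src/user.ts",
  "src/users.ts",
  "src/account.ts",
  "src/utils.ts",
  "src/helpers.ts",
  "src/db.ts",
  "src/api/user.ts",
];

console.log(confusingPairs(SAMPLE_FILES));
```

Seven of the twenty-one possible pairs are flagged here; `src/db.ts` is the only file that pairs with nothing. Dividing flagged pairs by total pairs gives a size-independent ratio, which matters because the raw count grows quadratically with file count.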

Monorepo Understanding Unique

Auto-detects pnpm/npm/yarn/bun/lerna/melos workspaces, Turborepo, Nx. Handles YAML with comments, flow-style syntax, and negation patterns. Shows the repo structure on the overview page BEFORE assessing it. All checks are workspace-aware — they scan packages/*/src/, not just root src/. Framework detection aggregates deps from all workspace packages.

Test Coverage Map Unique

Visual SVG diagram showing every module as a box — green (✓ tested) or red (✗ untested) — grouped by directory with a coverage percentage bar. Shows at a glance where test coverage gaps are.

Composite Scoring Unique

34 checks (25 core + 9 Pro) weighted to 100 points. Composite = Σ(check × weight) / Σ(weight). Skipped checks excluded. All scoring proportional to codebase size — no absolute-count cliffs. Best-practices uses severity-weighted penalties (error=15, warning=8, info=2) so missing nice-to-haves don't tank your score. A single 0-100 score with grade (A-F) that trends over time.
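
An added example, not VibeCode QA's code, of the arithmetic described above carried through on constructed data: a per-check score from severity-weighted penalties normalised to codebase size, the weighted composite that excludes skipped checks, and a letter grade. The severity penalties (error 15, warning 8, info 2) are the page's figures; the per-1,000-line normalisation, the check weights and the grade cut-offs are assumptions made for this example.

```javascript
// Added example, not VibeCode QA's code: composite scoring on constructed data.
const SEVERITY_PENALTY = { error: 15, warning: 8, info: 2 };

// One check's score, 0..100. The summed penalty is divided by the codebase
// size in thousands of lines (floored at 1 kLOC, an assumption) so the score
// tracks defect density: ten warnings in 50 kLOC are not ten warnings in 500 lines.
function checkScore(findings, totalLines) {
  const penalty = findings.reduce((sum, f) => sum + (SEVERITY_PENALTY[f.severity] ?? 0), 0);
  const kloc = Math.max(1, totalLines / 1000);
  return Math.max(0, Math.min(100, Math.round(100 - penalty / kloc)));
}

// Composite = sum(score * weight) / sum(weight) over checks that actually ran;
// a skipped check contributes to neither sum, so it cannot drag the score down.
function composite(results) {
  const ran = results.filter((r) => !r.skipped);
  const weightSum = ran.reduce((s, r) => s + r.weight, 0);
  if (weightSum === 0) return null;
  return ran.reduce((s, r) => s + r.score * r.weight, 0) / weightSum;
}

// Assumed grade cut-offs.
function grade(score) {
  if (score >= 90) return "A";
  if (score >= 80) return "B";
  if (score >= 70) return "C";
  if (score >= 60) return "D";
  return "F";
}

// Constructed findings: 2 errors, 3 warnings, 5 infos = 64 penalty points.
const bySeverity = (severity, n) => Array.from({ length: n }, () => ({ severity }));
const BEST_PRACTICE_FINDINGS = [
  ...bySeverity("error", 2),
  ...bySeverity("warning", 3),
  ...bySeverity("info", 5),
];

// Score a repo of the given size. The weights are assumed; the tests check
// is marked skipped as it would be under --skip-tests.
function scoreRepo(totalLines) {
  const results = [
    { check: "types", weight: 3, score: 100 },
    { check: "security", weight: 4, score: 70 },
    { check: "best-practices", weight: 2, score: checkScore(BEST_PRACTICE_FINDINGS, totalLines) },
    { check: "tests", weight: 2, score: 0, skipped: true },
  ];
  const c = composite(results);
  return { composite: Math.round(c * 10) / 10, grade: grade(c) };
}

console.log(scoreRepo(8000), scoreRepo(500));
```

The same 64 penalty points score 92 in an 8 kLOC repo and 36 in a 500-line one, which is the proportional behaviour the text describes. Had the skipped tests check stayed in the denominator at score 0, the 8 kLOC composite would have fallen from 84.9 (B) to 764/11, about 69.5 (D): that is the cliff the exclusion rule avoids.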

CI & Platform Integration Unique

Config file: .vcqa.json to disable checks, ignore paths, set per-check exclusions, and configure thresholds.

PR comments: --pr-comment posts score, trend, and top issues as a GitHub PR comment (upsert, no duplicates).

Diff mode: --diff main filters issues to only changed files — see what your PR introduced.

Output modes: --markdown, --annotations (GitHub Actions inline), --sarif, --json, --badge.

Badge API: <img src="api.vibecodeqa.online/badge/org/repo.svg"> — embeddable anywhere.

Integration API: GET /api/v1/repos/:owner/:repo/latest and POST /api/v1/scan for platform integrations.

Ecosystem Gaps We Fill

Research into what existing tools miss — the gaps that informed our roadmap.

Gap | Status | How
Dead code / unused exports | Delegated | Knip integration (30K+ stars, used by Vercel). Auto-detected; reports unused files, exports, and deps.
AI-generated code slop | Unique | Our confusion and context checks catch AI-generated naming ambiguity, unnecessary complexity, and over-imported deps.
Architecture drift | Unique | 6 interactive diagrams + stability metrics. The trend over time shows when architecture degrades.
Naming consistency | Unique | Levenshtein filename similarity, synonym detection, export collision analysis across the codebase.
Documentation coherence | Planned (Pro) | LLM-powered comparison of README/JSDoc against actual code behavior. Detects docs that lie.
API boundary health | Planned (Pro) | Track exported interface changes between versions. Detect breaking changes in monorepo packages.
Cross-service dependency detection | Planned | In monorepos, detect breaking changes between packages before they ship.
Vue/Svelte SFC analysis | Implemented | Script extraction for logic checks, template scanning for a11y and security (v-html, {@html} XSS).
Security headers (Helmet) | Implemented | Checks for Helmet.js or manually set security headers. Warns for Express/Fastify/Hono apps without X-Content-Type-Options, HSTS, X-Frame-Options.
Input validation | Implemented | Checks for Zod, Joi, Yup, Valibot, class-validator, ajv. Warns for API projects with no validation library.
Production readiness | Implemented | Health endpoints (/health, /healthz), graceful shutdown (SIGTERM handler), start script, error tracking (Sentry/Bugsnag).
Error info leakage | Implemented | Detects res.json({ error: err.stack }), i.e. sending internal error details to clients. Ref: OWASP Error Handling.
CORS misconfiguration | Implemented | Permissive Access-Control-Allow-Origin: "*". Ref: OWASP CORS Testing.
GitHub Actions security | Implemented | 10 checks: pwn requests (pull_request_target + checkout of the PR head), script injection (untrusted input in run: blocks), write-all permissions, secrets in global env, unpinned actions, self-hosted runners without containers. Ref: GitHub Security Blog.
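
An added example, not VibeCode QA's code, of line-based checks for five of the GitHub Actions anti-patterns in the last row above: pwn requests, script injection, write-all permissions, secrets in workflow-level env, and unpinned actions. The check names, the heuristics and both sample workflows are constructed for this example (the 40-character SHA is a placeholder, not a real commit); a production implementation would parse the YAML rather than scan lines, and the remaining checks (self-hosted runners without containers among them) are left out.

```javascript
// Added example, not VibeCode QA's code: line-based GitHub Actions checks.

// Event fields GitHub documents as attacker-controlled on PR and issue events.
const UNTRUSTED_EXPR =
  /\$\{\{\s*(?:github\.head_ref|github\.event\.(?:issue|pull_request|comment|review|head_commit|commits|pages)\.[\w.*]*?(?:title|body|message|name|email|ref|label))\s*\}\}/;
const SHA_PIN = /^[0-9a-f]{40}$/;
const STEP_START = /^\s*-\s/;

function scanWorkflow(yaml) {
  const lines = yaml.split("\n");
  const findings = [];
  const add = (check, line, detail) => findings.push({ check, line, detail });

  const prTarget = /^\s*(?:-\s*)?pull_request_target\b|^on:.*\bpull_request_target\b/m.test(yaml);
  const jobsAt = lines.findIndex((l) => /^jobs:/.test(l)); // everything above is workflow-level
  let runIndent = -1; // indentation of an open `run: |` block, -1 when not inside one

  lines.forEach((line, i) => {
    const n = i + 1;
    if (/^\s*#/.test(line) || line.trim() === "") return;
    const indent = line.search(/\S/);
    if (runIndent >= 0 && indent <= runIndent) runIndent = -1;

    if (/^\s*permissions:\s*write-all\b/.test(line))
      add("write-all-permissions", n, "declare per-job permissions with the minimum scopes instead");

    if (i < jobsAt && /\$\{\{\s*secrets\./.test(line))
      add("secrets-in-global-env", n, "workflow-level env exposes the secret to every job and step");

    const uses = line.match(/uses:\s*([^\s@]+)@(\S+)/);
    if (uses && !uses[1].startsWith("./") && !SHA_PIN.test(uses[2]))
      add("unpinned-action", n, `${uses[1]}@${uses[2]} is a mutable tag; pin to a full commit SHA`);

    if (uses && uses[1] === "actions/checkout" && prTarget) {
      // Inspect the rest of this step (its with: block) for a ref pointing at the PR head.
      for (let j = i + 1; j < lines.length && !STEP_START.test(lines[j]); j++) {
        if (/ref:.*(?:pull_request\.head|head_ref)/.test(lines[j])) {
          add("pwn-request", n, "pull_request_target + checkout of the PR head runs fork code with a write token and secrets");
          break;
        }
      }
    }

    const run = line.match(/^\s*(?:-\s+)?run:\s*(.*)$/);
    if (run && /^[|>]/.test(run[1])) runIndent = indent;
    if ((run || runIndent >= 0) && UNTRUSTED_EXPR.test(line))
      add("script-injection", n, "untrusted expression expanded into a shell; pass it via env and quote it");
  });
  return findings;
}

// Constructed workflow with several anti-patterns (placeholder SHA for the pinned step).
const SAMPLE_WORKFLOW = [
  "name: pr-check",
  "on:",
  "  pull_request_target:",
  "    types: [opened, synchronize]",
  "permissions: write-all",
  "env:",
  "  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}",
  "jobs:",
  "  build:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "        with:",
  "          ref: ${{ github.event.pull_request.head.sha }}",
  "      - uses: actions/setup-node@" + "a".repeat(40),
  '      - run: echo "Title: ${{ github.event.pull_request.title }}"',
  "      - run: npm ci && npm test",
].join("\n");

// Constructed hardened version: plain pull_request trigger, read-only token,
// SHA-pinned action, untrusted value passed through an env var.
const SAFE_WORKFLOW = [
  "on: pull_request",
  "permissions:",
  "  contents: read",
  "jobs:",
  "  build:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@" + "a".repeat(40),
  "      - env:",
  "          TITLE: ${{ github.event.pull_request.title }}",
  '        run: echo "Title: $TITLE"',
].join("\n");

console.log(scanWorkflow(SAMPLE_WORKFLOW), scanWorkflow(SAFE_WORKFLOW));
```

The pwn-request check needs two facts that live on different lines (the trigger near the top and the checkout ref inside a step), which is why a per-line regex is not enough and the function keeps workflow-level state. The hardened workflow passes because the untrusted title reaches the shell as `$TITLE`, an environment variable the shell treats as data, instead of being pasted into the script by the `${{ }}` expansion.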

What We Evaluated But Chose Not To Check (And Why)

We reviewed every major security checklist (OWASP Top 10, OWASP Node.js Cheat Sheet, Security Journey Checklist, Node.js Security Best Practices) and chose not to add these checks. Here's why:

Rate limiting middleware Not added

Why not: Requires semantic understanding of middleware chain
Rate limiting is critical for production APIs, but detecting it statically is unreliable. Some projects use Cloudflare/AWS WAF at the infrastructure level, others use express-rate-limit, others use custom middleware. A regex check would either false-positive (flagging projects with CDN-level limiting) or false-negative (missing custom implementations). Recommendation: Install express-rate-limit or use your CDN's built-in rate limiting.

Session fixation / session management Not added

Why not: Framework-specific, needs runtime context
Session fixation requires understanding how sessions are created and regenerated after login — this depends on which session library is used (express-session, iron-session, lucia, etc.) and how it's configured. Static analysis can't reliably detect "session not regenerated after auth" without understanding the auth flow. Recommendation: Use Lucia or Auth.js which handle session regeneration automatically.

Structured logging Not added

Why not: Can't distinguish debug logs from production logging
We already flag console.log in the standards check. But whether a project uses structured logging (pino, winston) vs console is a preference, not a security issue. Many Cloudflare Workers and edge functions use console.log because the platform captures it as structured logs automatically. Flagging "no pino installed" would be a false positive for serverless projects. Recommendation: Use pino for Node.js servers that need log aggregation.

JWT token expiry and algorithm validation Not added

Why not: High false positive rate, needs runtime context
Checking if jwt.sign() includes expiresIn seems simple, but many projects set expiry in a config file, environment variable, or wrapper function — not at the call site. Flagging every jwt.sign() without seeing the full config would produce false positives. Similarly, algorithm choice (RS256 vs HS256) depends on the auth architecture. Recommendation: Use Auth.js or jose which enforce secure defaults.

CSP at framework level Not added

Why not: Too many valid approaches to detect reliably
Content Security Policy can be set via meta tag (we check index.html for this), Helmet.js middleware (we check for this), CDN headers (Cloudflare, Vercel), or deployment config (vercel.json, _headers). A project using Cloudflare Pages with CSP headers in its dashboard would be flagged as "missing CSP" even though it's properly configured. We check the two most common approaches and leave infrastructure-level CSP to the user. Recommendation: Use Google's CSP Evaluator to validate your policy.

bcrypt/argon2 for password hashing Not added

Why not: Most projects don't hash passwords locally
We already detect weak hashing (MD5/SHA1). But checking "bcrypt is in deps" would false-positive on projects using OAuth/social login (no local passwords), Cloudflare Workers (bcrypt requires native bindings), or managed auth services (Auth0, Clerk, Supabase Auth). If you hash passwords locally, use bcrypt or argon2.

Bundle size analysis Not added

Why not: Requires build step, not static analysis
Measuring actual bundle size requires running the build (Vite, webpack, esbuild), which adds 10-30 seconds and may fail without environment setup. We detect heavy dependencies and barrel imports statically (in the performance check), which catches the root causes without needing a build. For actual bundle analysis, use rollup-plugin-visualizer or Bundlephobia.

For Each Stack

TypeScript + React (Vite/Next.js)

What | Tool | Install
Lint + Format | biome | pnpm add -D @biomejs/biome
Type Check | tsc | (included with typescript)
Tests | vitest | pnpm add -D vitest
React Hooks | eslint-plugin-react-hooks | pnpm add -D eslint eslint-plugin-react-hooks
Accessibility | eslint-plugin-jsx-a11y | pnpm add -D eslint-plugin-jsx-a11y
Secrets | gitleaks | brew install gitleaks
Dead Code | knip | pnpm add -D knip
Duplication | jscpd | pnpm add -D jscpd
E2E | Playwright | pnpm add -D @playwright/test
Security SAST | eslint-plugin-security | pnpm add -D eslint-plugin-security
Security Headers | helmet | pnpm add helmet
Input Validation | zod | pnpm add zod

Vue + Nuxt

What | Tool | Install
Lint + Format | biome | pnpm add -D @biomejs/biome
Vue Lint | eslint-plugin-vue | pnpm add -D eslint eslint-plugin-vue
Type Check | vue-tsc | pnpm add -D vue-tsc
Tests | vitest | pnpm add -D vitest @vue/test-utils
Secrets | gitleaks | brew install gitleaks
Dead Code | knip | pnpm add -D knip

TypeScript + Node.js (API/Worker)

What | Tool | Install
Lint + Format | biome | pnpm add -D @biomejs/biome
Type Check | tsc | (included with typescript)
Tests | vitest | pnpm add -D vitest
Security | semgrep (CI) | pip install semgrep or Docker
Secrets | gitleaks | brew install gitleaks
Deps | socket + npm audit | pnpm add -D socket
Security SAST | eslint-plugin-security | pnpm add -D eslint-plugin-security
Security Headers | helmet | pnpm add helmet
Input Validation | zod | pnpm add zod

Dart + Flutter

What | Tool | Install
Lint | dart analyze | (included with Dart SDK)
Format | dart format | (included with Dart SDK)
Tests | flutter_test / dart test | (included)
Secrets | gitleaks | brew install gitleaks
Deps | dart pub outdated | (included)

MCP Server for AI Agents

@vibecodeqa/mcp — Model Context Protocol Server

Gives AI coding agents (Claude Code, Cursor, Codex) real-time code health context. CodeScene's research shows AI fixes 90-100% of code health issues when given health data via MCP, vs only 20% without.

Setup: claude mcp add vcqa -- npx @vibecodeqa/mcp

Tools: vcqa_score, vcqa_scan, vcqa_file_health, vcqa_check, vcqa_explain


How to Get Maximum Score

Install the dedicated tools above. VibeCode QA auto-detects them and uses their output instead of built-in heuristics. More tools installed = more accurate results = higher confidence in your score.

npx @vibecodeqa/cli --top — shows your top issues with which tool found them.
