CCSC Central Plains 2026

VibeScan: From Static Findings to Deterministic Local Proof Artifacts

Josh Obersteadt (Graceland University), Andrew Youssef (Graceland University), Kevin Brunner (Graceland University)

Student Posters at 8:30. Live in O'Reilly Enterprise Center

VibeScan is a JavaScript security tool built to test whether static scan findings can be made more useful through deterministic, local proof-oriented test generation. Traditional scanners are good at flagging risky patterns, but they often stop at warnings and leave developers to decide whether a finding is real, reproducible, and worth fixing first. VibeScan tries to close that gap by preserving structured scan context, including rule type, file location, route information, and taint metadata, and then using that information to generate local .test.mjs proof artifacts with proof metadata and actionability labels for supported vulnerability families. Instead of producing only warning lists, the tool aims to give developers repeatable local validation without needing a running API, a remote target, or an external AI service. We evaluated VibeScan on a scoped DVNA benchmark and compared it with Bearer, Snyk Code, eslint-plugin-security, and npm audit using static scan results, true/false positive and false negative adjudication, proof artifact generation, and actionability review. The results suggest that raw detection strength and proof-oriented actionability should be treated as separate evaluation dimensions, and that deterministic local proof artifacts can make supported findings easier to review, prioritize, and use in developer workflows and CI.
