FAQ

Direct answers before you hand anyone access to your code.

VibeChex is built for serious builders, including people with polished repos, rough prototypes, private customer data, or a zip file full of scripts. Scope and access should be explicit before work starts.

Do you need to clone our repository?

No, not by default. For now, the preferred starting point is read-only GitHub, GitLab, or Bitbucket access after we agree on scope.

When a review needs tooling that expects a filesystem, we may use a customer-owned workspace, Codespace, self-hosted runner, or other agreed environment. See access instructions.

Do you have a tool customers can run?

Not as a public customer workflow today. We are building internal review and audit tooling, and a customer-run model is something we are actively thinking through.

We will not ask you to run an untrusted binary as a casual first step. Until that workflow is ready and documented, access is handled through read-only repo access, a customer-owned workspace, or a scoped source archive.

Can you review code through read-only GitHub access?

Yes. Read-only access is useful for architecture review, dependency manifests, CI configuration, auth flows, deployment files, and focused file inspection.

Some professional tools expect a filesystem. For those, we prefer running scans in your GitHub Actions runner, self-hosted runner, Codespace, or another environment you control.

What if all we have is a zip file or loose Python scripts?

We can review source archives, but we treat them as artifact reviews rather than repo reviews. A loose archive often requires more reconstruction work because entrypoints, dependencies, deployment assumptions, and ownership boundaries are unclear.

If we inspect the artifact ourselves, we use controlled intake, static review first, and an agreed deletion window. Do not include .env files, private keys, database dumps, customer uploads, production logs, or credentials.

Will you execute customer code?

Not by default. Unknown source archives and prototypes are untrusted input. We inspect statically first.

If execution is required, it should happen in a disposable sandbox with no host secrets, no network unless authorized, resource limits, timeouts, and a throwaway workspace.
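As an added example (not VibeChex's own tooling), the host-side half of that sandbox in Python: a scrubbed environment so no host secret reaches the child, kernel-enforced CPU, memory and file-size limits, a wall-clock timeout, and a temporary workspace that is deleted afterwards. It assumes Linux; network isolation is left to the container or namespace layer the snippet runs inside, which this code does not set up.

```python
import os
import resource
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import Optional

@dataclass
class SandboxResult:
    returncode: Optional[int]  # None when the wall-clock timeout killed the process
    timed_out: bool
    stdout: str
    stderr: str

def _apply_limits(cpu_seconds: int, mem_bytes: int, file_bytes: int) -> None:
    """Runs in the child just before exec; the kernel enforces these caps, not the snippet."""
    # soft CPU limit sends SIGXCPU; the hard limit one second later sends SIGKILL if that is ignored
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
    resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))      # address-space cap
    resource.setrlimit(resource.RLIMIT_FSIZE, (file_bytes, file_bytes))  # no giant files on disk

def run_untrusted(source: str, wall_seconds: int = 5, cpu_seconds: int = 2,
                  mem_bytes: int = 512 * 1024 * 1024, file_bytes: int = 1024 * 1024) -> SandboxResult:
    """Run a Python snippet with a scrubbed environment, rlimits, a timeout and a throwaway dir."""
    with tempfile.TemporaryDirectory(prefix="vc-sandbox-") as workdir:  # deleted on exit, always
        script = os.path.join(workdir, "main.py")
        with open(script, "w", encoding="utf-8") as fh:
            fh.write(source)
        # Host secrets live in os.environ; the child gets a minimal explicit environment instead.
        clean_env = {"PATH": "/usr/bin:/bin", "HOME": workdir, "TMPDIR": workdir}
        try:
            proc = subprocess.run(
                [sys.executable, "-I", script],  # -I ignores PYTHON* vars and user site-packages
                cwd=workdir, env=clean_env, stdin=subprocess.DEVNULL, capture_output=True,
                text=True, timeout=wall_seconds,
                preexec_fn=lambda: _apply_limits(cpu_seconds, mem_bytes, file_bytes))
        except subprocess.TimeoutExpired:  # subprocess.run has already killed the child
            return SandboxResult(None, True, "", "")
        return SandboxResult(proc.returncode, False, proc.stdout, proc.stderr)

def demo() -> dict:
    """Three constructed snippets: one reads the host environment, one spins, one sleeps."""
    os.environ["VC_DEMO_HOST_SECRET"] = "constructed-value"  # stands in for a real host secret
    leak = run_untrusted("import os\nprint(os.environ.get('VC_DEMO_HOST_SECRET'))\n")
    spin = run_untrusted("while True:\n    pass\n", wall_seconds=30, cpu_seconds=1)
    hang = run_untrusted("import time\ntime.sleep(30)\n", wall_seconds=1)
    return {"leaked": leak.stdout.strip() != "None", "spin_killed": (spin.returncode or 0) < 0,
            "hang_timed_out": hang.timed_out}
```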

Should we send secrets, PHI, cardholder data, or production credentials?

No. Do not send secrets, passwords, tokens, private keys, PHI, cardholder data, customer records, or production credentials in the initial request.

If sensitive access is needed later, we scope the access, use least privilege, and prefer customer-controlled systems.
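As an added example (not a VibeChex tool), a customer-side pre-flight check for the intake rules in the archive and secrets answers above: it walks a zip archive and flags dotenv files, private keys, database dumps and logs by name, plus private-key or credential-looking content in any entry, so those can be stripped or redacted before the archive is sent. The patterns and the sample archive are constructed for illustration, and the content check is a deliberately noisy heuristic for a human to confirm.

```python
import io
import re
import zipfile
from fnmatch import fnmatchcase

# Basename patterns for the artifact types the intake rules exclude (constructed list, extend as needed).
EXCLUDED_NAME_PATTERNS = {
    "dotenv file": ["*.env", ".env.*"],
    "private key": ["*.pem", "*.key", "*.p12", "*.pfx", "id_rsa", "id_ed25519"],
    "database dump": ["*.sql", "*.dump", "*.sqlite", "*.sqlite3", "*.db"],
    "log file": ["*.log", "*.log.*"],
}
# Content markers checked in the first 4 KiB of every entry, so a key pasted into notes.txt still trips.
CONTENT_MARKERS = [
    ("private key", re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("credential assignment",
     re.compile(rb"(?im)^\s*[a-z_]*(password|secret|token|api_key)\s*[=:]\s*\S{8,}")),
]

def flag_sensitive_entries(zip_bytes: bytes) -> dict[str, list[str]]:
    """Return {entry_name: [reasons]} for entries to strip or redact before the archive is sent."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            reasons = [label for label, pats in EXCLUDED_NAME_PATTERNS.items()
                       if any(fnmatchcase(base, p) for p in pats)]
            with archive.open(info) as fh:
                head = fh.read(4096)  # bounded read: never inflate a hostile or huge entry fully
            reasons += [label for label, rx in CONTENT_MARKERS if rx.search(head)]
            if reasons:
                findings[info.filename] = list(dict.fromkeys(reasons))  # de-duplicate, keep order
    return findings

def build_sample_archive() -> bytes:
    """Constructed sample: a small project plus the kinds of files the intake rules exclude."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("app/main.py", "import os\nDB_URL = os.environ['DATABASE_URL']\n")
        z.writestr("app/.env", "DATABASE_URL=postgres://admin:hunter2hunter2@db/prod\n")
        z.writestr("deploy/server.pem", "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n")
        z.writestr("notes.txt", "staging box\nAPI_KEY=sk_constructed_0123456789\n")
        z.writestr("backup/prod.sql", "INSERT INTO users VALUES (1, 'alice@example.com');\n")
        z.writestr("README.md", "# Demo\n")
    return buf.getvalue()
```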

Is this a penetration test?

No. VibeChex reviews and audits are launch-readiness engagements focused on practical risk, evidence, remediation priority, and production readiness.

Dynamic testing, including OWASP ZAP and other active scans, runs only against approved targets with written authorization. If you need a formal penetration test, we can help identify where that fits, but VibeChex does not present these reviews as one.

Can you certify HIPAA, PCI, SOC 2, GDPR, or similar compliance?

No. We can help identify technical and operational gaps that may matter for HIPAA, PCI DSS, SOC 2, GDPR, CCPA, customer security reviews, or vendor due diligence.

We are not legal counsel, a Qualified Security Assessor, a CPA/auditor, or a certifying body. We do not certify applications as HIPAA compliant, issue PCI assessments, provide SOC 2 attestations, or make legal compliance determinations.

Do you sign NDAs?

Yes. We can work under a mutual NDA before sensitive repository, archive, infrastructure, or business context is shared. Customer IP remains customer IP.

What tools do you use?

Scope determines tooling. Examples may include our internal review tools, Trivy, Gitleaks, Semgrep, Checkov, Syft/Grype, OWASP ZAP, and Snyk or OSV when package ecosystems and credentials allow.

Tool output is evidence, not the final judgment. We normalize findings, remove noise, and order remediation by launch risk.

What do we receive?

You receive a prioritized report with findings, severity, category, evidence, business impact, and recommended remediation order. Reviews include a readout and implementation estimate when appropriate.

The report is designed for builders who need to decide what blocks launch, what can wait, and what needs a deeper implementation scope.

Can you fix what you find?

Yes, when the scope fits. Post-audit implementation can include remediation, deployment, hosting, CI/CD, secrets management, backups, monitoring, and fractional CTO support.

Implementation engagements start at $5,000 and are scoped after we understand the findings, risk level, and launch goals.

How should we choose between a review and an audit?

Choose the $1,250 Launch Readiness Review when you have one app, one repo or artifact, one deployment target, and need a practical first risk picture before monetizing.

Choose the $2,500+ Production Audit when the app handles private data, payments, admin roles, multi-tenant behavior, deployed infrastructure, or enough ambiguity that a deeper evidence pass is warranted.

Are loose archives cheaper because they are smaller?

Usually no. A zip of loose scripts can be more work than a clean repo because we have to infer structure, dependencies, entrypoints, deployment assumptions, and what production even means for that artifact.

If you want us to handle an archive directly, expect audit-level scope unless the artifact is small, well documented, and clearly bounded.

Still unsure?

Send the shape of the app. We will tell you the right scope.

You do not need to send code, secrets, or customer data to start the conversation.
