CISA SECURE-BY-DESIGN

Pledge-aligned guardrails for AI-assisted code shops.

The CISA Secure-by-Design pledge lists seven principles: multi-factor authentication, default passwords, reducing entire classes of vulnerability, security patches, a vulnerability disclosure policy, CVEs, and evidence of intrusions. VibeReview's threat-informed guardrails deliver evidence for each one.

14-day free trial · No card required

You prompting Cursor · services/metrics/client.py

"Wire the new metrics worker so it can call the events API."

VibeReview matched 3 SbD principles · invisibly
  • Principle 1 — service-to-service auth via short-lived, audience-bound workload tokens instead of a shared static key
  • Principle 2 — no hardcoded secrets; credentials are issued per request by the workload identity service, nothing lives in config or the repo
  • Principle 4 — pin the events-api client to a release with no known CVEs at review time
services/metrics/client.py
from events_api import EventsClient  # events-api==4.2.1 pinned in the lockfile; no known CVEs at review time

from services.metrics import settings, workload_identity  # assumed import path; the page does not show where these live

def call_events_api(payload: dict):
    # Short-lived token bound to one audience: no static secret in code or config,
    # and a leaked token stops working after five minutes.
    token = workload_identity.issue(
        audience="events-api",
        ttl_seconds=300,
    )
    client = EventsClient(
        base_url=settings.EVENTS_URL,
        bearer_token=token,
    )
    return client.post("/v1/events", json=payload)

✓ No static secret. Token is bound to the events-api audience and expires in 5 minutes, so a leaked token has a short window and is useless against any other service. Client pinned to a release with no known CVEs at review time. Principles 1, 2, and 4 addressed.
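The snippet above shows only the caller. A short TTL and an audience claim buy nothing unless the receiving service actually checks them, so here is the receiving side of the pattern as an added example. This is not VibeReview's code and not the page's `workload_identity` library (whose API is not shown); the token format, the shared `SIGNING_KEY`, and the `issue`, `verify` and `check` functions are constructed for this example. A production deployment would sign with an asymmetric key (or use a platform issuer such as SPIFFE) and fetch key material from the vault rather than generating it in-process.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example: one HMAC key shared by the token issuer and
# the events API. A real deployment would use an asymmetric key pair (or a
# platform issuer such as SPIFFE) and pull key material from the vault.
SIGNING_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(subject: str, audience: str, ttl_seconds: int,
          key: bytes = SIGNING_KEY, now: float | None = None) -> str:
    """Mint a short-lived, audience-bound token of the form <claims>.<tag>."""
    now = time.time() if now is None else now
    claims = {
        "sub": subject,                 # which workload is calling
        "aud": audience,                # the one service allowed to accept it
        "iat": int(now),
        "exp": int(now) + ttl_seconds,  # hard stop; the receiver never extends it
        "jti": secrets.token_hex(8),    # unique id so a receiver can reject replays
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify(token: str, expected_audience: str,
           key: bytes = SIGNING_KEY, now: float | None = None) -> dict:
    """Return the claims if the token is valid for this service, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    # Authenticate before parsing: never act on claims that are not yet verified.
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    # Audience check: a token minted for billing-api must not open events-api.
    if claims.get("aud") != expected_audience:
        raise ValueError("token not issued for this service")
    # Expiry check against the receiver's clock; exp is exclusive.
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def check(token: str, audience: str, now: float) -> str:
    """Outcome of verify() as a short string for logs and tests."""
    try:
        verify(token, audience, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue("metrics-worker", "events-api", 300, now=t0)
    print(check(tok, "events-api", t0 + 10))     # ok
    print(check(tok, "billing-api", t0 + 10))    # token not issued for this service
    print(check(tok, "events-api", t0 + 300))    # token expired
```

The order of checks matters: the signature is verified before the claims are parsed, so the receiver never branches on attacker-controlled JSON. A receiver that skips the audience check turns every short-lived token into a bearer credential for the whole fleet, which is the failure mode the audience claim exists to prevent.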

MODEL

Threat model → vulnerability classes.

The model identifies the ways AI-generated code tends to go wrong and the code patterns most likely to introduce SQL injection, XSS, SSRF, auth bypass, and memory-safety bugs. Pledge principle 3 lives here.

ENFORCE

Guardrails → MFA, defaults, patching.

Pledge principles 1 (MFA), 2 (default passwords), and 4 (security patches) map to guardrails that enforce the corresponding code patterns at prompt time, before the suggestion reaches the editor.

EVIDENCE

PR review → CVE and disclosure evidence.

Pledge principles 5 (disclosure policy), 6 (CVEs), 7 (evidence of intrusions) tie to guardrail logs, dependency policy, and audit trail.

REPORT

Pledge progress report.

Per-principle coverage, per-principle evidence. Useful for the pledge progress report your team submits.

WHAT'S COVERED

CISA Secure-by-Design pledge principles and the VibeReview controls behind them.

Coverage maps each principle to specific guardrail behaviors and audit-log signals.

  • Principle 1 — Multi-factor authentication: Guardrails enforce MFA hooks on every auth path. PR reviewer flags missing MFA on customer-facing entry points.
  • Principle 2 — Default passwords: Guardrails on credential bootstrapping, no hardcoded secrets, secure-random credential generation.
  • Principle 3 — Reducing entire classes of vulnerability: Threat-informed guardrails on SQL injection, XSS, SSRF, auth bypass, and memory-safety patterns per stack.
  • Principle 4 — Security patches: Guardrails on dependency pinning, supply-chain checks, and CVE-aware policies.
  • Principle 5 — Vulnerability disclosure policy: VibeReview itself publishes a disclosure policy at /security. Your guardrail-as-code repo can host yours alongside.
  • Principle 6 — CVEs: Threat-model and guardrail logs feed CVE-issuance workflows. Per-PR evidence supports advisories.
  • Principle 7 — Evidence of intrusions: Audit log captures security-relevant events. Exportable to your SIEM on Enterprise for intrusion correlation.

Get the CISA Secure-by-Design pledge mapping report.

We walk you through per-principle coverage and the evidence pack your team can submit alongside the pledge.