Secrets exposure
Sensitive filenames, credentialed connection strings, cloud keys, private key material, API keys, and token-like high-entropy assignments.
Coverage transparency
What VSRX checks
Other ecosystems are included through manifest detection, not deep source parsing. VSRX is not a security audit, penetration test, or exhaustive vulnerability review.
Included today
Sensitive filenames, credentialed connection strings, cloud keys, private key material, API keys, and token-like high-entropy assignments.
JavaScript dependency manifests, unpinned ranges, install lifecycle scripts, committed npm audit evidence, OSV.dev live advisories, npm license classification, deprecated packages, and stale packages.
Disabled TLS verification, auth bypass markers, insecure cookies, credentialed wildcard CORS, debug mode, and similar release-risk defaults.
Terraform and CloudFormation checks for public exposure, missing encryption, and disabled security features in supported text files.