Coverage transparency

VSRX

What VSRX checks

JavaScript/TypeScript-first release-readiness review with explicit limits.

Other ecosystems are included through manifest detection, not deep source parsing. VSRX is not a security audit, penetration test, or exhaustive vulnerability review.

500
file cap
512 KB
per-file cap
50
directory depth
5 min
scan timeout

Included today

Release-readiness checks

Secrets exposure

Sensitive filenames, credentialed connection strings, cloud keys, private key material, API keys, and token-like high-entropy assignments.

Dependency risk

JavaScript dependency manifests, unpinned ranges, install lifecycle scripts, committed npm audit evidence, OSV.dev live advisories, npm license classification, deprecated packages, and stale packages.

Unsafe configuration

Disabled TLS verification, auth bypass markers, insecure cookies, credentialed wildcard CORS, debug mode, and similar release-risk defaults.

Cloud infrastructure configuration

Terraform and CloudFormation checks for public exposure, missing encryption, and disabled security features in supported text files.