VSRX release-readiness report
demo/acme-launch-app
This report summarizes static release-readiness evidence. It is not a security audit or penetration test.
- 2
- blockers
- 1
- high risk
- 1
- fix soon
- 84
- files checked
Top blockers
- Secret-like value detected.env.production
Secrets exposure in .env.production can block a safe release. Rotate the exposed value, remove it from source, and load it from the deployment secret store.
- Credentialed CORS wildcardsrc/server/cors.ts
Unsafe configuration in src/server/cors.ts can block a safe release. Replace wildcard CORS with an explicit production origin allowlist before release.
Fix checklist
- BlockerSecret-like value detected
Rotate the exposed value, remove it from source, and load it from the deployment secret store.
.env.production - BlockerCredentialed CORS wildcard
Replace wildcard CORS with an explicit production origin allowlist before release.
src/server/cors.ts - High RiskPackage install lifecycle scripts require review
Review install-time scripts and document why each script is required for release.
package.json - Fix SoonJavaScript dependencies are not locked
Commit a lockfile so dependency scans and release builds are deterministic.
package.json
Evidence detail
Blocker (2)
- Secret-like value detected.env.production
Matched API key assignment; value redacted.
- Credentialed CORS wildcardsrc/server/cors.ts
Matched wildcard origin with credentials enabled; value redacted where applicable.
High Risk (1)
- Package install lifecycle scripts require reviewpackage.json
Lifecycle scripts present: postinstall; commands redacted.
Fix Soon (1)
- JavaScript dependencies are not lockedpackage.json
package.json was found without npm, pnpm, or Yarn lockfile.
Informational (1)
- Dependency manifest detectedpackage.json
Detected package.json.