Example report

VSRX

Client-ready sample

Shareable release report

VSRX release-readiness report

demo/acme-launch-app

This report summarizes static release-readiness evidence. It is not a security audit or penetration test.

FBlocked
2
blockers
1
high risk
1
fix soon
84
files checked

Top blockers

  1. Secret-like value detected.env.production

    Secrets exposure in .env.production can block a safe release. Rotate the exposed value, remove it from source, and load it from the deployment secret store.

  2. Credentialed CORS wildcardsrc/server/cors.ts

    Unsafe configuration in src/server/cors.ts can block a safe release. Replace wildcard CORS with an explicit production origin allowlist before release.

Fix checklist

  1. Blocker
    Secret-like value detected

    Rotate the exposed value, remove it from source, and load it from the deployment secret store.

    .env.production
  2. Blocker
    Credentialed CORS wildcard

    Replace wildcard CORS with an explicit production origin allowlist before release.

    src/server/cors.ts
  3. High Risk
    Package install lifecycle scripts require review

    Review install-time scripts and document why each script is required for release.

    package.json
  4. Fix Soon
    JavaScript dependencies are not locked

    Commit a lockfile so dependency scans and release builds are deterministic.

    package.json

Evidence detail

Blocker (2)

  • Secret-like value detected.env.production

    Matched API key assignment; value redacted.

  • Credentialed CORS wildcardsrc/server/cors.ts

    Matched wildcard origin with credentials enabled; value redacted where applicable.

High Risk (1)

  • Package install lifecycle scripts require reviewpackage.json

    Lifecycle scripts present: postinstall; commands redacted.

Fix Soon (1)

  • JavaScript dependencies are not lockedpackage.json

    package.json was found without npm, pnpm, or Yarn lockfile.

Informational (1)

  • Dependency manifest detectedpackage.json

    Detected package.json.