Security readiness before go-live
Security checks run read-only against your source tree, public build output, and package manager audit. Security findings account for 30% of the overall score.
Secret patterns
Up to 300 files matching **/*.{ts,tsx,js,jsx,json,env,yml,yaml,toml} are scanned (lockfiles excluded). Test files, fixtures, and lines containing placeholder text (example, changeme, your_key, etc.) are skipped.
| Pattern ID | Name | Severity | Example match |
|---|---|---|---|
cf-api-token | Cloudflare API token | High | cf_… (20+ chars) |
aws-access-key | AWS access key | High | AKIA + 16 alphanumeric |
private-key | Private key | Blocker | -----BEGIN … PRIVATE KEY----- |
jwt-secret | JWT secret | High | jwt_secret = "…" |
api-key-generic | API key | High | api_key = "…" (16+ chars) |
stripe-secret | Stripe secret key | Blocker | sk_live_… |
database-url | Database URL | High | postgres://user:pass@… |
github-token | GitHub token | High | ghp_… |
wrangler secret, or your CI secret store. Never commit live keys.
Environment files
CF Ready flags these files when present in the repository:
.env,.env.local,.env.production,.env.development— medium severity- Missing
.env*rules in.gitignorewhen env files exist — high severity
Production secrets should live in the Cloudflare dashboard or Wrangler bindings, not in committed files.
CORS
The scanner looks for Access-Control-Allow-Origin: * combined with credentials: true in up to 100 TypeScript/JavaScript files. This wildcard-with-credentials pattern is flagged as high severity.
Source maps
Files matching public/**/*.map, dist/**/*.map, or build/**/*.map trigger a medium finding. Exclude .map files from production deployments or restrict access to prevent source disclosure.
Dependency audit
When available, CF Ready runs the package manager audit command:
| Package manager | Command |
|---|---|
| npm | npm audit --json |
| pnpm | pnpm audit --json |
| yarn | yarn npm audit --json |
| bun | bun pm audit |
Critical vulnerabilities set finding ID security-critical-dependencies. When security.blockOnCriticalDependencies is true (default), this can block production-ready status even without blocker severity.
SARIF output
Every scan writes security-findings.sarif (SARIF 2.1.0) containing all open security-category findings. Severity maps to SARIF levels: blocker/high → error, medium → warning, low/info → note.
The GitHub Action uploads this file to GitHub code scanning via github/codeql-action/upload-sarif@v3.
Commands
cf-ready security-scan # Security checks only
cf-ready scan # Full scan including security + SARIF
Configure security.blockOnSecrets and security.blockOnCriticalDependencies in Configuration.