Security readiness before go-live

Security checks run read-only against your source tree, public build output, and package manager audit. Security findings account for 30% of the overall score.

Secret patterns

Up to 300 files matching **/*.{ts,tsx,js,jsx,json,env,yml,yaml,toml} are scanned (lockfiles excluded). Test files, fixtures, and lines containing placeholder text (example, changeme, your_key, etc.) are skipped.

Pattern IDNameSeverityExample match
cf-api-tokenCloudflare API tokenHighcf_… (20+ chars)
aws-access-keyAWS access keyHighAKIA + 16 alphanumeric
private-keyPrivate keyBlocker-----BEGIN … PRIVATE KEY-----
jwt-secretJWT secretHighjwt_secret = "…"
api-key-genericAPI keyHighapi_key = "…" (16+ chars)
stripe-secretStripe secret keyBlockersk_live_…
database-urlDatabase URLHighpostgres://user:pass@…
github-tokenGitHub tokenHighghp_…
Rotate exposed credentials immediately. Move secrets to Cloudflare dashboard secrets, wrangler secret, or your CI secret store. Never commit live keys.

Environment files

CF Ready flags these files when present in the repository:

Production secrets should live in the Cloudflare dashboard or Wrangler bindings, not in committed files.

CORS

The scanner looks for Access-Control-Allow-Origin: * combined with credentials: true in up to 100 TypeScript/JavaScript files. This wildcard-with-credentials pattern is flagged as high severity.

Source maps

Files matching public/**/*.map, dist/**/*.map, or build/**/*.map trigger a medium finding. Exclude .map files from production deployments or restrict access to prevent source disclosure.

Dependency audit

When available, CF Ready runs the package manager audit command:

Package managerCommand
npmnpm audit --json
pnpmpnpm audit --json
yarnyarn npm audit --json
bunbun pm audit

Critical vulnerabilities set finding ID security-critical-dependencies. When security.blockOnCriticalDependencies is true (default), this can block production-ready status even without blocker severity.

SARIF output

Every scan writes security-findings.sarif (SARIF 2.1.0) containing all open security-category findings. Severity maps to SARIF levels: blocker/high → error, medium → warning, low/info → note.

The GitHub Action uploads this file to GitHub code scanning via github/codeql-action/upload-sarif@v3.

Commands

cf-ready security-scan    # Security checks only
cf-ready scan             # Full scan including security + SARIF

Configure security.blockOnSecrets and security.blockOnCriticalDependencies in Configuration.