The 30 Vercel security checks Black Cat runs
Black Cat SSPM evaluates 30 security policies against your Vercel configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Enable and enforce SAML SSO for all team members
Remove the email domain auto-join setting to prevent automatic team membership
Reduce the number of team owners to the minimum required
Ensure all team members authenticate via SSO and remove non-SSO accounts
Scope access groups to specific projects instead of all projects
Split large access groups into smaller, more targeted groups
Reduce the scopes granted to overprivileged integrations to least privilege
Regenerate API tokens with an expiration date to limit the exposure window
Rotate stale API tokens that have not been used recently
Replace full-access tokens with scoped tokens granting only required permissions
Enable SSO or password protection on project deployments to prevent unauthorized access
Review and revoke unconfirmed team member invitations
Remove empty access groups that have no members
configuration
Enable deployment protection to restrict access to preview deployments
Enable strict deployment protection to cover all deployment types
Enable git fork protection to prevent unauthorized deployments from forks
Restrict environment variables to only the environments where they are needed
Verify domain ownership so Vercel can issue a valid SSL certificate
Renew the expiring domain to prevent service disruption
Review and remove or update integrations that have not been updated recently
Update log drain endpoints to use HTTPS to encrypt log data in transit
Disable automatic exposure of system environment variables to reduce information leakage
data leakage
Enable the sensitive environment variable policy to prevent secret exposure
Enable IP address hiding to prevent visitor IPs from appearing in logs
Disable public source visibility to prevent source code from being publicly accessible
Disable directory listing to prevent public browsing of directory contents
Convert sensitive environment variables to the encrypted secret type
Remove preview environment target from sensitive environment variables
logging
Configure a log drain to forward logs to an external monitoring service
Re-enable or fix disabled log drains to restore log forwarding