Skip to content

The 30 Vercel security checks Black Cat runs

Black Cat SSPM evaluates 30 security policies against your Vercel configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

highSSO Not Enforced

Enable and enforce SAML SSO for all team members

mediumAuto Join Enabled

Remove the email domain auto-join setting to prevent automatic team membership

mediumExcessive Owners

Reduce the number of team owners to the minimum required

lowNon-SSO Member

Ensure all team members authenticate via SSO and remove non-SSO accounts

mediumOverly Broad Access

Scope access groups to specific projects instead of all projects

lowExcessive Members

Split large access groups into smaller, more targeted groups

highOverprivileged Integration

Reduce the scopes granted to overprivileged integrations to least privilege

highToken No Expiration

Regenerate API tokens with an expiration date to limit the exposure window

mediumToken Stale

Rotate stale API tokens that have not been used recently

highToken Overprivileged

Replace full-access tokens with scoped tokens granting only required permissions

highProject No Deployment Protection

Enable SSO or password protection on project deployments to prevent unauthorized access

mediumMember Unconfirmed

Review and revoke unconfirmed team member invitations

lowAccess Group Empty

Remove empty access groups that have no members

configuration

highDeployment Protection Disabled

Enable deployment protection to restrict access to preview deployments

mediumStrict Deployment Protection Disabled

Enable strict deployment protection to cover all deployment types

mediumFork Protection Disabled

Enable git fork protection to prevent unauthorized deployments from forks

lowNo Target Restriction

Restrict environment variables to only the environments where they are needed

highSSL Not Verified

Verify domain ownership so Vercel can issue a valid SSL certificate

mediumDomain Expiring Soon

Renew the expiring domain to prevent service disruption

mediumStale Integration

Review and remove or update integrations that have not been updated recently

mediumInsecure Log Drain

Update log drain endpoints to use HTTPS to encrypt log data in transit

mediumAuto Expose System Environment Variables

Disable automatic exposure of system environment variables to reduce information leakage

data leakage

mediumSensitive Env Var Policy Disabled

Enable the sensitive environment variable policy to prevent secret exposure

lowIP Visibility Enabled

Enable IP address hiding to prevent visitor IPs from appearing in logs

highPublic Source

Disable public source visibility to prevent source code from being publicly accessible

mediumDirectory Listing Enabled

Disable directory listing to prevent public browsing of directory contents

highPlain Text Secret

Convert sensitive environment variables to the encrypted secret type

mediumExposed to Preview

Remove preview environment target from sensitive environment variables

logging

mediumNo Log Drain

Configure a log drain to forward logs to an external monitoring service

highLog Drain Disabled

Re-enable or fix disabled log drains to restore log forwarding

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial