App Pages

Security Page

The project security score, active warning list, and ignored-warning review table.

App route: security

Purpose

The Security page shows project-level warnings and a security score. The score covers dotenv files, runtime profiles, connector config, and import sync state. Warnings can be ignored when a user intentionally accepts a known condition, then reviewed and restored later.

Warning sources

  • Duplicate keys.
  • Empty values outside .env.example.
  • Real-looking secrets in .env.example.
  • Public-prefixed names that look secret.
  • Local production-looking secrets.
  • Weak secret values when raw values are available.
  • Missing required variables.
  • Variable schema validation failures.
  • Env files not covered by .gitignore.
  • Missing runtime Keychain values.
  • Runtime profile validation failures.
  • Production runtime secrets without approval.
  • Runtime secrets due for rotation.
  • External secret provider references missing a reference.
  • Imported env files that are stale, in an error state, or unlinked.
  • Missing .envvault.json connector config.

Score calculation

The score starts at 100. Active danger warnings reduce the score by 20 points each, warning-level issues by 8 points each, and informational issues by 3 points each. Ignored warnings are excluded from the active warning count and score until restored. The score never drops below 0.
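A worked example of this scoring rule, added here for illustration and not taken from the app's own code; the warning shape, severity names, penalty table and function names are assumptions, and the sample warnings are constructed.

```typescript
// Added example: security score as described on this page.
// The Warning shape, severity names and function names are assumptions, not the app's API.
type Severity = "danger" | "warning" | "info";

interface Warning {
  id: string;
  severity: Severity;
  message: string;
  ignored: boolean; // true once a user accepted the condition via the Ignore action
}

// Points removed from the base score of 100 per active warning, by severity
const PENALTY: Record<Severity, number> = { danger: 20, warning: 8, info: 3 };

interface ScoreResult {
  score: number;
  active: Warning[]; // counted toward the score
  ignored: Warning[]; // shown in the ignored-warning table, excluded from the score
}

function computeSecurityScore(warnings: Warning[]): ScoreResult {
  const active = warnings.filter((w) => !w.ignored);
  const ignored = warnings.filter((w) => w.ignored);
  const deductions = active.reduce((sum, w) => sum + PENALTY[w.severity], 0);
  // The score never drops below 0, however many danger warnings are active
  const score = Math.max(0, 100 - deductions);
  return { score, active, ignored };
}

// Restore moves an ignored warning back into active checks and score calculation
function restoreWarning(warnings: Warning[], id: string): Warning[] {
  return warnings.map((w) => (w.id === id ? { ...w, ignored: false } : w));
}

// Constructed sample warnings (not real project output)
const sampleWarnings: Warning[] = [
  { id: "dup-1", severity: "warning", message: "Duplicate key API_URL", ignored: false },
  { id: "gitignore-1", severity: "danger", message: ".env.local not covered by .gitignore", ignored: false },
  { id: "empty-1", severity: "info", message: "Empty value for LOG_LEVEL", ignored: true },
  { id: "rotate-1", severity: "danger", message: "Runtime secret due for rotation", ignored: false },
];

const result = computeSecurityScore(sampleWarnings);
console.log(result.score, result.active.length, result.ignored.length); // 52 3 1
console.log(computeSecurityScore(restoreWarning(sampleWarnings, "empty-1")).score); // 49
```

Restoring the ignored informational warning lowers the score by 3, which is the behaviour the Restore action on the ignored-warning table has.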

Ignored warnings

  • Each active warning has an Ignore action.
  • Ignored warnings move into a dedicated table instead of a tab.
  • The table shows warning details, scope, whether the issue is still detected, and when it was ignored.
  • Restore moves the warning back into active checks and score calculation.
  • Ignored warnings are stored as local project metadata and included in metadata backups.