RepoSentinel
Sample report — static demo data

acme-oss/parcel-tracker

Example output · no API request made · read-only · default branch main

Score: 41/100 (Risky; critical risk)
  • Critical: 1
  • High: 1
  • Medium: 2
  • Low: 2
  • Passed: 7

Plain-English summary

These checks surfaced 5 items worth reviewing across metadata, hygiene files, dependencies, and risk indicators. At least one finding involves potentially exposed credentials or unmaintained-project risk — review those first. This report covers only what these checks can see on the default branch.

Score breakdown

100 − penalties (penalties total 59, giving 41/100)
  • Missing SECURITY policy: −3
  • Missing Dependabot config: −3
  • package.json without a lockfile: −7
  • Install-time lifecycle scripts present: −7
  • Possible secret: OpenAI-style API key: −25
  • Committed .env file: −14

Repository metadata

Repository: acme-oss/parcel-tracker
Owner: acme-oss
Description: Self-hosted parcel tracking dashboard with carrier webhooks.
Primary language: TypeScript
Stars: 1,284
Forks: 96
Open issues: 23
Last push: 2026-05-28
Default branch: main
License: MIT
Files in tree: 412

Findings

6 items

F-06  Missing SECURITY policy
Category: Hygiene
Severity: Low

Without SECURITY.md, researchers have no sanctioned way to report vulnerabilities privately.

Fix: Add SECURITY.md with a contact route for vulnerability reports.
F-07  Missing Dependabot config
Category: Hygiene
Severity: Low

Dependencies will not receive automated update PRs, so known-vulnerable versions linger.

Fix: Add .github/dependabot.yml to enable automated dependency updates.
F-10  package.json without a lockfile
Category: Dependencies
Severity: Medium

Without a committed lockfile, installs are not reproducible and dependency versions can drift silently — including to compromised releases.

Fix: Commit package-lock.json (or yarn.lock / pnpm-lock.yaml) to pin the dependency tree.
F-11  Install-time lifecycle scripts present
Category: Risk indicators
Severity: Medium

Scripts that run automatically during `npm install` (postinstall) execute arbitrary code on every machine that installs this package. Legitimate uses exist, but this is also the main supply-chain attack vector.

Location: package.json — scripts: postinstall

Fix: Read these scripts in package.json before installing. Consider `npm install --ignore-scripts` for a first look.
F-12  Possible secret: OpenAI-style API key
Category: Risk indicators
Severity: Critical

A string matching a known credential pattern was found in a committed file. The value below is masked — RepoSentinel never displays real secrets.

Location: examples/.env.backup:3 — sk-************************

Fix: Treat this credential as compromised: revoke and rotate it now, then remove it from git history.
F-13  Committed .env file
Category: Risk indicators
Severity: High

Environment files typically hold credentials and configuration secrets. Committing one to a public repository exposes whatever it contains.

Location: examples/.env.backup

Fix: Remove the file, rotate any credentials it held, and add .env to .gitignore. Note: the values remain in git history until it is rewritten.

Passed checks

7 items
  • Description present
  • License: MIT
  • Recently active
  • README present
  • LICENSE present
  • CI workflows present
  • Dependency manifests found

Scan limitations

Read before trusting the score.
  • L-01: Only the default branch is inspected — other branches, tags, and git history are not scanned. A secret removed from the latest commit may still exist in history.
  • L-02: Checks cover repository metadata, hygiene files, dependency manifests, and common risk-indicator filenames. The code itself is not reviewed, executed, or audited.
  • L-03: Dependencies are detected, not vulnerability-scanned. A committed lockfile says nothing about whether the pinned versions have known CVEs.
  • L-04: Secret detection is pattern-based on a handful of small committed files; it cannot find every credential and never inspects files over 20 KB.
  • L-05: A high score means these checks found little — it is not a statement that the project is trustworthy, maintained, or free of malicious code.

Read-only scan via the GitHub API. Nothing was cloned, installed, or executed. Secrets, if detected, are always masked.