Frontend Key Confessional
What it is
A browser-facing file or public environment surface appears capable of exposing private tokens, service keys, or operational secrets.
This usually appears when generated code proves that a feature works but does not leave enough evidence that the launch boundary was checked.
How to fix it
Move secrets server-side, rotate exposed credentials, and replace public variables with scoped server endpoints.
- 1Move private token and service-key access out of browser-facing code.
- 2Rotate any credential that may have been exposed.
- 3Replace public variables with scoped server endpoints and smoke-test the public bundle.
How VibeAudit checks for this
VibeAudit checks this with Q0_EXTERNAL_SHALLOW public asset observations plus SAST_LOCAL_STRUCTURAL redacted secret-pattern evidence when local source or digest data is supplied. The free tier may show the surface name and an upgrade prompt, without private evidence or remediation details. Metadata-only surface maps do not create missing-control findings. Unsupported private repositories, authenticated behavior, destructive workflows, account configuration, and business logic remain unverified unless the scan includes matching local, imported, or authorized runtime evidence.
Related failure modes
Check your public launch surface and keep unsupported scope visible.
Run Quick Scan