Security Finding — /cso Audit 2026-05-11
Severity: MEDIUM | Confidence: 8/10 | Status: VERIFIED
File: .github/workflows/deploy-site.yml ~line 29
What
The VERCEL_DEPLOY_HOOK secret is expanded directly inside a shell run: block via ${{ secrets.VERCEL_DEPLOY_HOOK }}, so its value becomes part of the generated step script rather than being passed as an environment variable.
Impact
If debug logging is enabled, the deploy hook URL (which embeds a token) could leak into the workflow logs. A leaked token lets anyone who holds it trigger unauthorized deployments.
Fix
Pass the secret through an env: block and reference it as a shell variable instead of expanding it inline:

  - name: Deploy
    env:
      VERCEL_DEPLOY_HOOK: ${{ secrets.VERCEL_DEPLOY_HOOK }}
    run: curl -X POST "$VERCEL_DEPLOY_HOOK"
Immediate Actions
- Rotate the Vercel deploy hook
- Review deploy logs for unauthorized deployments
Found by /cso automated security audit