Vercel projects are assessed for Git fork protection configuration, which controls whether pull requests from forked repositories can trigger deployments and access environment variables. When disabled, anyone who forks a public repository can submit a pull request that triggers a Vercel build with access to the project's environment variables, including secrets and API keys.
Risk
Without Git fork protection, an attacker can fork a public repository, modify the build process to exfiltrate environment variables (API keys, database credentials, third-party tokens), and submit a pull request. The Vercel build triggered by the PR would execute the attacker's code with access to the project's secrets, leading to credential theft and potential full system compromise.
prowler vercel --checks project_git_fork_protection_enabled
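The same evaluation the check performs can be reproduced outside Prowler. The following is an added example, not Prowler's or Vercel's own code: it reads the `gitForkProtection` boolean that the Vercel projects API returns for each project (assumed field name), runs it over a constructed sample of three projects, and reports a PASS/FAIL finding per project, treating an absent field as a failure that needs manual verification rather than assuming it is safe.

```python
import json
import urllib.request

# Constructed sample of Vercel project objects, trimmed to the fields this
# check needs; `gitForkProtection` is the setting the projects API exposes.
SAMPLE_PROJECTS = json.loads("""
[
  {"id": "prj_aaa111", "name": "marketing-site", "gitForkProtection": true},
  {"id": "prj_bbb222", "name": "public-docs", "gitForkProtection": false},
  {"id": "prj_ccc333", "name": "legacy-api"}
]
""")


def fetch_projects(token, team_id=None):
    """Pull the project list from the Vercel REST API (not called in the demo)."""
    url = "https://api.vercel.com/v9/projects"
    if team_id:
        url += f"?teamId={team_id}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["projects"]


def evaluate_fork_protection(projects):
    """Return one finding per project in the PASS/FAIL shape a Prowler check uses."""
    findings = []
    for project in projects:
        value = project.get("gitForkProtection")
        if value is True:
            status, detail = "PASS", "Git fork protection is enabled."
        elif value is False:
            status, detail = "FAIL", "Fork PRs can trigger builds with access to environment variables."
        else:
            # Field missing from the payload: do not assume it is safe; flag for manual review.
            status, detail = "FAIL", "gitForkProtection absent from API response; verify in dashboard."
        findings.append({"resource_id": project.get("id"), "resource_name": project.get("name"),
                         "status": status, "status_extended": detail})
    return findings


def failing_project_ids(projects):
    """IDs of projects that would be reported as FAIL by this check."""
    return [f["resource_id"] for f in evaluate_fork_protection(projects) if f["status"] == "FAIL"]


if __name__ == "__main__":
    for f in evaluate_fork_protection(SAMPLE_PROJECTS):
        print(f"{f['status']:4} {f['resource_name']}: {f['status_extended']}")
```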
Recommendation
Enable Git fork protection to require explicit authorization before pull requests from forked repositories can trigger deployments. This prevents untrusted contributors from accessing environment variables and secrets through the build process. For open-source projects, review fork PRs manually before allowing builds.
Remediation
- Sign in to the Vercel dashboard
- Navigate to the project Settings > General
- Scroll to the 'Git Fork Protection' section
- Enable the option to require authorization for fork pull requests
- Click Save
Resource Type: NotDefined