Vercel

Live audit of your Vercel project — preview-deploy protection, prod-secret leaks to Preview env, custom-domain verification. The misconfigurations a repo scan can't see.

Available on the Growth tier. Read-only Vercel API access — we never mutate your project, deployments, or env.

Why this matters

Vercel ships fast by default. The flip side is that the same deploy speed makes it easy to leak a production secret into the Preview env, ship without password-protect on a pre-launch public preview, or miss that your custom domain is still unverified the morning of launch. None of that is in the repo. The Vercel project is.

Connect Vercel

01

Install the PulseLight Vercel integration.

Project settings → Connected platforms VercelInstall. You’re redirected to Vercel’s install consent screen.

02

Pick the team + project.

Choose the team and the specific project this PulseLight workspace ships against. Other projects in the team remain invisible to PulseLight.

03

First scan.

Findings roll into the Stable and Secure pillars on the next scan.

What we verify

  • Production env hygiene

    Cross-references your repo’s declared production env vars against what Vercel actually has set on the Production target. Missing required env (e.g. code references DATABASE_URL but Vercel doesn’t have it in Production) → blocker.

  • Prod-secret leaks to Preview

    For env vars whose names look like prod secrets (STRIPE_SECRET_KEY, SUPABASE_SERVICE_ROLE_KEY), we flag any that are also set on the Preview target with the same value. Easy mistake; ugly when it happens.

  • Preview deploy protection

    For pre-launch projects, Vercel’s Deployment Protection setting should be enabled on Preview. Public preview URLs that anyone can crawl pre-launch — especially with admin routes — surface as a blocker.

  • Custom domain verification

    We check that your declared production domain is verified on Vercel. Unverified domains the morning of launch are common and avoidable.

  • Build / runtime errors on the latest deploy

    We sample the most recent prod deploy’s build log and runtime errors. Failed deploys silently rolled back to the previous commit are an emergency we’d rather you know about before a real user hits them.

Common findings

VERCEL-PREVIEW-001 — Prod secret leaked to Preview env
  Project: acme-saas (team: acme)
  Env var: STRIPE_SECRET_KEY
  Targets: Production, Preview, Development
  Why:     A Preview deploy URL (often unauthenticated) can
           hit your live Stripe account. Anyone with the
           preview link can charge real money.
  Fix:     Remove from Preview + Development targets. Set a
           test-mode key on those targets if needed.

VERCEL-DOMAIN-001 — Custom domain unverified
  Project: acme-saas
  Domain:  app.acme.com
  Status:  Unverified (DNS records not pointing at Vercel)
  Why:     Your launch announcement points users at a domain
           that won't resolve. Avoidable.
  Fix:     Update DNS per Vercel's domain settings page.

What we don’t do

We never read env values. The integration tells us env var names + which targets they’re set on; values stay opaque. We never trigger deploys, never modify project config, never touch your team settings.

Disconnect

From Settings → Connected platforms → Vercel, click Disconnect. You can also remove the PulseLight integration from your Vercel team’s integrations panel directly.

See also: Connected Checks overview.