Static files served from the repo root
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
express.static is pointed at '.', '..', a parent path, or process.cwd(), which serves source files, .env, and .git to any client.
Why it matters
Pointing express.static at '.', '..', or process.cwd() serves the entire project directory over HTTP. That exposes source code, package.json, .env files, and the .git directory to anyone who guesses the path, handing attackers your secrets and a map of the codebase. Static hosting should only ever expose a dedicated public folder.
How to fix it
Serve a specific, dedicated directory of public assets: express.static(path.join(__dirname, 'public')). Keep source, config, and secrets outside that directory. If some build output must be served, point at the build folder specifically, never the repo root or a parent path.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo