npm registry auth token (_authToken)
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.
What it detects
A literal registry auth token was assigned to _authToken in a committed config, CI, or shell file. It authenticates to the registry and can publish packages.
Why it matters
A literal token assigned to _authToken authenticates to a package registry and can publish packages, a supply-chain risk. This commonly leaks when a CI script or Dockerfile writes the token into an npmrc-style config inline. Anyone with repo access gets the token.
How to fix it
Reference the token from an environment variable in the config line (for example _authToken=${NPM_TOKEN}) and supply it through a CI secret at build time. Never write the literal value. Revoke the exposed token with the registry.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo