Prowler for Vercel scans teams and projects for security misconfigurations, including deployment protection, environment variable exposure, WAF rules, domain configuration, team access controls, and more.

Prerequisites

Set up authentication for Vercel with the Vercel Authentication guide before starting:
  • Create a Vercel API Token with access to the target team
  • Identify the Team ID (optional; needed only to scope the scan to a single team)

Prowler CLI

Step 1: Set Up Authentication

Follow the Vercel Authentication guide to create an API Token, then export it:
export VERCEL_TOKEN="your-api-token-here"
Optionally, scope the scan to a specific team:
export VERCEL_TEAM="team_yourteamid"

Step 2: Run the First Scan

Run a baseline scan after credentials are configured:
prowler vercel
Prowler automatically discovers all teams accessible with the provided token and runs security checks against them.

Step 3: Filter the Scan Scope (Optional)

Filter by Team

To scan a specific team, set the VERCEL_TEAM environment variable with the Team ID or slug:
export VERCEL_TEAM="team_yourteamid"
prowler vercel
When no team is specified, Prowler auto-discovers all teams the authenticated user belongs to and scans each one.

Filter by Project

To scan only specific projects, use the --project argument:
prowler vercel --project my-project-name
Multiple projects can be specified:
prowler vercel --project my-project-name another-project
Project IDs are also supported:
prowler vercel --project prj_abc123def456

Step 4: Use a Custom Configuration (Optional)

Prowler uses a configuration file to customize provider behavior. The Vercel configuration includes:
vercel:
  # Maximum number of retries for API requests (default is 3)
  max_retries: 3
To use a custom configuration:
prowler vercel --config-file /path/to/config.yaml
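The steps above combined into one wrapper script, as an added example that is not part of the Prowler documentation or code base. It assumes the prowler CLI is on PATH; the PROWLER_CONFIG variable and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the Prowler docs). Assumes `prowler` is on PATH.
set -euo pipefail

# Assemble the `prowler vercel` argument list from the environment and any
# project names or prj_... IDs given as arguments. One argument per output
# line so the caller can re-read them without word splitting.
build_vercel_scan_args() {
    # Fail early: without VERCEL_TOKEN every API call would be rejected.
    if [ -z "${VERCEL_TOKEN:-}" ]; then
        echo "VERCEL_TOKEN is not set" >&2
        return 1
    fi
    printf '%s\n' vercel
    # Optional custom configuration (e.g. max_retries); hypothetical variable.
    if [ -n "${PROWLER_CONFIG:-}" ]; then
        if [ ! -f "$PROWLER_CONFIG" ]; then
            echo "config file not found: $PROWLER_CONFIG" >&2
            return 1
        fi
        printf '%s\n' --config-file "$PROWLER_CONFIG"
    fi
    # Projects are passed as a single --project followed by every value,
    # exactly as the docs show for multiple projects.
    if [ "$#" -gt 0 ]; then
        printf '%s\n' --project "$@"
    fi
}

# Run the scan. VERCEL_TEAM (ID or slug) is read by Prowler itself, so no
# flag is needed; it is logged so the scope is visible in CI output.
run_vercel_scan() {
    echo "scanning team: ${VERCEL_TEAM:-<all teams reachable with the token>}" >&2
    local -a args=()
    while IFS= read -r line; do
        args+=("$line")
    done < <(build_vercel_scan_args "$@")
    prowler "${args[@]}"
}
```

Call run_vercel_scan with no arguments for the baseline scan, or with project names/IDs to narrow the scope.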

Supported Services

Prowler for Vercel includes security checks across the following services:
Service        | Description
Authentication | Token expiration and staleness checks
Deployment     | Preview deployment access and production stability
Domain         | DNS configuration, SSL certificates, and wildcard exposure
Project        | Deployment protection, environment variable security, fork protection, and skew protection
Security       | Web Application Firewall (WAF), rate limiting, IP blocking, and managed rulesets
Team           | SSO enforcement, directory sync, member access, and invitation hygiene