
Security Audit Report

Transparency report for FORGE v4.2.0

21/21 Checks Passed

Audit completed on February 4, 2026

Security Score: 100%

Our Security Commitment

FORGE is built with security as a core principle. We understand that you're trusting us with your development workflow, and we take that seriously.

  • No malware, ever. FORGE contains no malicious code, backdoors, or hidden functionality.
  • Your secrets stay local. API keys and credentials are stored in .env.local on YOUR machine only.
  • Fully auditable code. Every line of FORGE is readable. No obfuscation, no minification of source.
  • Read-only access. You get read access to the repo. FORGE cannot write to your other repositories.

Detailed Security Checks

Code Security

5/5 passed

  • No hardcoded credentials: all API keys use environment variables
  • No malicious code patterns: no eval(), no obfuscated code, no suspicious network calls
  • No data exfiltration: FORGE does not send your code or data to external servers
  • No backdoors: all code is readable and auditable
  • Clean dependencies: no known vulnerable packages

Data Privacy

4/4 passed

  • No telemetry: FORGE does not collect usage data
  • No analytics tracking: we don't track what you build
  • Local secrets only: your .env.local stays on your machine
  • No cloud sync: your projects are never uploaded

Authentication & Access

3/3 passed

  • Read-only GitHub access: buyers get pull (read) permission only
  • No write access to your repos: FORGE cannot modify your existing code
  • Revocable access: remove yourself from the repo anytime

Generated Code Security

5/5 passed

  • XSS prevention: all templates use proper escaping
  • SQL injection prevention: parameterized queries in all database code
  • CSRF protection: built into generated Next.js apps
  • Secure headers: security headers configured by default
  • Input validation: Zod schemas for all form inputs

Secrets Management

4/4 passed

  • .env.local never committed: git-ignored by default
  • Example files use placeholders: xxx placeholders, not real keys
  • Secure prompting: keys are entered directly into .env.local
  • No key logging: your secrets are never logged or displayed

Audit Methodology

This security audit was conducted using the following methods:

  • Static code analysis for credential patterns
  • Dependency vulnerability scanning
  • Manual code review of all files
  • Network traffic analysis during installation
  • Generated code security review

What FORGE Does NOT Do

  • Send your code to external servers
  • Store your API keys in the cloud
  • Track your usage or projects
  • Access your other repositories
  • Execute arbitrary remote code
  • Collect personal information
  • Install hidden dependencies
  • Modify files outside your project

Report a Security Issue

Found a security vulnerability? We take all reports seriously.

Contact us directly on Twitter/X (@Agentik_os) via DM for responsible disclosure. We'll respond within 24 hours.