Security scans

What Twenty checks in ZIP and GitHub snapshots before a kit goes live.

What we look for

  • Malware patterns and dangerous install hooks.
  • Committed secrets and live .env files.
  • Listing quality gaps - missing README, LICENSE, or .env.example.
  • Bloated archives with node_modules or build output.

Verdicts

Scans may return clean, suspicious (needs human review), or blocked. Blocked archives cannot be approved until you fix and resubmit.

Run the free Repo health scanner with `git ls-files` output before upload to catch documentation gaps early.