This is a public repository. Test results contain sensitive operational data and must never be committed:
- API responses — full detection scores, threat assessments, metadata
- Timestamps — request/response timing that reveals system state
- Request metadata — session IDs, prompt IDs, agent context (if provided)
- Metrics — per-scenario verdicts that reflect system behavior

```
results/   # Full JSON results with per-scenario API responses
reports/   # Markdown reports with metrics and failure analysis
```

Both are in `.gitignore` — verify they never appear in `git status`.

- Run benchmarks locally or in private CI/CD systems
- Archive results in private storage (e.g., encrypted S3, internal systems)
- Share only metrics (recall %, FPR %, latency) in public discussions — never full result files
- Review `.gitignore` before each commit: confirm `results/` and `reports/` are excluded
- Use `git check-ignore` if unsure:

  ```bash
  git check-ignore results/run_*.json
  git check-ignore reports/report_*.md
  ```

`.env` and `redteam.toml` are gitignored (contain API keys, credentials)

- Never commit credentials or API keys
- Use environment variables for sensitive config
- Generate test keys via VGE's functional key endpoint
- Export as `VGE_API_KEY` environment variable (do not hardcode)
- Rotate keys regularly in production systems
- Never log or display full API keys (use truncated format `vg_test_...`)

Before committing:

```bash
git status                           # Verify no result files
git diff --cached                    # Review staged changes
git check-ignore results/ reports/   # Confirm .gitignore applies
```

Avoid:
- Committing `.json` or `.md` files from `results/` or `reports/`
- Logging API responses to stdout (captures sensitive data)
- Including example results in documentation
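
The "Before committing" checks above can be enforced automatically with a pre-commit hook. The following is an added example, not part of this repository's own tooling; the function names are hypothetical, and matching `.env` and `redteam.toml` at any directory depth is an assumption.

```shell
#!/bin/sh
# Added example: install as .git/hooks/pre-commit and make it executable.
# It checks the staged index, so it also catches files staged with
# `git add -f` or tracked before the ignore rule existed.

# Return 0 if a repo-relative path must never be committed.
is_sensitive_path() {
    case "$1" in
        results/*|reports/*)                     return 0 ;;  # benchmark output
        .env|*/.env|redteam.toml|*/redteam.toml) return 0 ;;  # credentials
        *)                                       return 1 ;;
    esac
}

# Read newline-separated paths on stdin, print the sensitive ones.
# Returns 1 if any were found, 0 otherwise.
filter_sensitive() {
    found=0
    while IFS= read -r path; do
        if is_sensitive_path "$path"; then
            printf '%s\n' "$path"
            found=1
        fi
    done
    return "$found"
}

# Hook entry point: inspect paths staged as added, copied, modified or renamed.
main() {
    if blocked=$(git diff --cached --name-only --diff-filter=ACMR | filter_sensitive); then
        return 0
    fi
    echo "Commit blocked, sensitive files are staged:" >&2
    printf '%s\n' "$blocked" | sed 's/^/  /' >&2
    echo "Unstage them with: git restore --staged <path>" >&2
    return 1
}

# Run only when invoked as the hook, so the functions can be sourced and tested.
case "${0##*/}" in
    pre-commit) main ;;
esac
```

Hooks in `.git/hooks/` are local to each clone and are not pushed, so each contributor has to install the hook themselves.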