SHA-1 used to hash a password or token
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A SHA-1 hashing call sits on the same line as password/token/secret naming. SHA-1 is a fast, unsalted primitive and is unfit for hashing credentials.
Why it matters
SHA-1 is a single fast pass with no salt and is deprecated for security use because collisions are practical. A leaked SHA-1 credential store is cracked almost as quickly as MD5. Tokens hashed this way offer little protection once the store is copied.
How to fix it
Move password verification to bcrypt, scrypt, or Argon2id with a per-user salt. For session or reset tokens, generate them from a cryptographically secure RNG and, if you must store a hash, use SHA-256 over a high-entropy random value rather than SHA-1. Migrate existing password hashes on next login.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo