SHA-1 hash algorithm in use
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A call constructs a SHA-1 digest. SHA-1 is deprecated for signatures and collision resistance. This flags SHA-1 usage that is not already on a line with credential naming.
Why it matters
SHA-1 is deprecated for collision resistance, so relying on it for signatures or integrity lets an attacker who controls part of the input forge a matching digest. Browsers and certificate authorities already rejected SHA-1 for exactly this reason. Code still using it for security checks inherits the same weakness.
How to fix it
Switch integrity and signature hashing to SHA-256 or SHA-3. SHA-1 can remain only for interoperability with an external system that mandates it, and that should be isolated and documented. Prefer a modern hash everywhere you have a choice.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo