Will It Vibe logoWill It Vibe?
CRYPTO-004Medium severity-8 points

SHA-1 hash algorithm in use

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A call constructs a SHA-1 digest. SHA-1 is deprecated for signatures and collision resistance. This flags SHA-1 usage that is not already on a line with credential naming.

Why it matters

SHA-1 is deprecated for collision resistance, so relying on it for signatures or integrity lets an attacker who controls part of the input forge a matching digest. Browsers and certificate authorities already rejected SHA-1 for exactly this reason. Code still using it for security checks inherits the same weakness.

How to fix it

Switch integrity and signature hashing to SHA-256 or SHA-3. SHA-1 can remain only for interoperability with an external system that mandates it, and that should be isolated and documented. Prefer a modern hash everywhere you have a choice.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks