ECB cipher mode
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
ECB encrypts identical plaintext blocks to identical ciphertext, leaking structure. Use an authenticated mode such as GCM.
Why it matters
ECB mode encrypts each block independently, so identical plaintext blocks become identical ciphertext blocks and the structure of the data (the classic outline of an encrypted image) leaks. It also provides no integrity, so ciphertext can be cut and rearranged. This defeats the purpose of encrypting.
How to fix it
Use an authenticated mode: AES-GCM or ChaCha20-Poly1305, with a random IV/nonce per message and the authentication tag verified on decrypt. If you only have a raw block cipher, at minimum use CBC with a random IV plus a separate MAC, but AEAD is strongly preferred. Re-encrypt data currently stored under ECB.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo