Insecure transport flag in a shell/CI command
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
curl -k / --insecure, wget --no-check-certificate, or git http.sslVerify=false disable certificate checks in scripts and pipelines.
Why it matters
curl -k, wget --no-check-certificate, and git -c http.sslVerify=false disable certificate validation for that command, so a script fetching code, packages, or data can be fed attacker-controlled content over a hijacked connection. In a build or deploy pipeline this can inject a malicious payload into your artifacts. It is usually a shortcut around a certificate warning.
How to fix it
Remove the insecure flag and fix the underlying trust issue: install the correct CA certificates in the image, or point the tool at the right CA bundle (curl --cacert, git http.sslCAInfo). If you are pulling from an internal host with a private CA, add that CA to the system trust store in the build. Never disable verification to make a fetch succeed.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo