Weak DSA key size (< 2048 bits)
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A DSA key is generated with fewer than 2048 bits. DSA at 1024 bits is deprecated; prefer 2048-bit DSA or move to an EdDSA/ECDSA scheme.
Why it matters
DSA at 1024 bits is deprecated and offers inadequate strength, and DSA in general is fragile because a single reused or biased nonce during signing leaks the private key. A weak DSA key threatens every signature made with it. Modern systems have better options.
How to fix it
If you must keep DSA, use at least 2048 bits, but prefer moving to Ed25519 or ECDSA (P-256), which are faster and have safer, deterministic nonce options. Regenerate any DSA key under 2048 bits and rotate it. Ensure the signing library uses deterministic (RFC 6979) or high-quality random nonces.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo