Will It Vibe logoWill It Vibe?
DOCKER-028High severity-15 points

TLS verification disabled in a download

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

A RUN downloads with certificate verification turned off (curl -k/--insecure or wget --no-check-certificate), so the transfer is open to man-in-the-middle tampering of whatever is fetched.

Why it matters

Turning off certificate verification (curl -k / --insecure, wget --no-check-certificate) means the download is no longer authenticated, so a man-in-the-middle can substitute whatever content they like and it lands in your image. It is often added to silence a cert error rather than fix it.

How to fix it

Remove the insecure flag and fix the real cause: install ca-certificates so the system trust store is present, or add the specific CA the endpoint needs. If the host truly uses a private CA, mount and trust that CA explicitly rather than disabling verification globally.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks