TLS verification disabled in a download
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A RUN downloads with certificate verification turned off (curl -k/--insecure or wget --no-check-certificate), so the transfer is open to man-in-the-middle tampering of whatever is fetched.
Why it matters
Turning off certificate verification (curl -k / --insecure, wget --no-check-certificate) means the download is no longer authenticated, so a man-in-the-middle can substitute whatever content they like and it lands in your image. It is often added to silence a cert error rather than fix it.
How to fix it
Remove the insecure flag and fix the real cause: install ca-certificates so the system trust store is present, or add the specific CA the endpoint needs. If the host truly uses a private CA, mount and trust that CA explicitly rather than disabling verification globally.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo