TLS certificate verification disabled in config
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
Config turns off certificate checking (ssl_verify false, insecure_skip_verify true, rejectUnauthorized false, sslmode=disable). That silently accepts any certificate and reopens the connection to man-in-the-middle interception.
Why it matters
Disabling certificate verification makes the client accept any certificate, which removes the protection TLS provides and reopens the connection to man-in-the-middle interception and credential theft. It is usually added to work around a local certificate error and then left in production config where it is dangerous.
How to fix it
Turn verification back on (remove insecure_skip_verify, set ssl_verify true, drop rejectUnauthorized:false, use sslmode=require or verify-full). Fix the underlying certificate problem instead: install the correct CA bundle or point the client at the right trust store. If a specific internal CA is needed, add that CA rather than disabling checks.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo