Will It Vibe logoWill It Vibe?
ENVCFG-011Medium severity-8 points

TLS certificate verification disabled in config

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

Config turns off certificate checking (ssl_verify false, insecure_skip_verify true, rejectUnauthorized false, sslmode=disable). That silently accepts any certificate and reopens the connection to man-in-the-middle interception.

Why it matters

Disabling certificate verification makes the client accept any certificate, which removes the protection TLS provides and reopens the connection to man-in-the-middle interception and credential theft. It is usually added to work around a local certificate error and then left in production config where it is dangerous.

How to fix it

Turn verification back on (remove insecure_skip_verify, set ssl_verify true, drop rejectUnauthorized:false, use sslmode=require or verify-full). Fix the underlying certificate problem instead: install the correct CA bundle or point the client at the right trust store. If a specific internal CA is needed, add that CA rather than disabling checks.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks