Will It Vibe logoWill It Vibe?
ENVCFG-015Low severity-4 points

World-writable file mode or permissive umask in config

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

Config grants world write/all access to files (mode 0777/0666, umask 000, chmod 777, chmod o+w). Anyone on the host can then alter config or secrets. This is a best-practice heuristic; verify the specific path before acting.

Why it matters

Config that grants world write or all-access permissions to files (mode 0777/0666, umask 000, chmod 777) lets any local user or a compromised neighbor process modify config or secrets. On shared or multi-tenant hosts this is a straightforward privilege and integrity problem. This is a heuristic, so confirm which path the mode applies to before changing it.

How to fix it

Give config and secret files the least permission that works, typically 0600 for secrets and 0644 for non-sensitive config, owned by the service user. Replace umask 000 with a restrictive umask such as 022 or 077. Avoid chmod 777 in setup scripts and grant only the specific access a path needs.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks