World-writable file mode or permissive umask in config
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
Config grants world write/all access to files (mode 0777/0666, umask 000, chmod 777, chmod o+w). Anyone on the host can then alter config or secrets. This is a best-practice heuristic; verify the specific path before acting.
Why it matters
Config that grants world write or all-access permissions to files (mode 0777/0666, umask 000, chmod 777) lets any local user or a compromised neighbor process modify config or secrets. On shared or multi-tenant hosts this is a straightforward privilege and integrity problem. This is a heuristic, so confirm which path the mode applies to before changing it.
How to fix it
Give config and secret files the least permission that works, typically 0600 for secrets and 0644 for non-sensitive config, owned by the service user. Replace umask 000 with a restrictive umask such as 022 or 077. Avoid chmod 777 in setup scripts and grant only the specific access a path needs.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo