requirements.txt configures an insecure (HTTP) package index
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A requirements.txt --index-url/--extra-index-url/-i option points at a plain http:// registry, so package downloads have no transport integrity and are exposed to on-path tampering.
Why it matters
A requirements.txt --index-url/--extra-index-url pointing at a plain http:// address means every package download for that project happens with no transport integrity: an attacker anywhere on the network path (a compromised Wi-Fi network, a malicious proxy, a compromised router) can substitute a malicious package for the one you asked for, and pip has no way to detect the swap at the transport layer. This is exactly the kind of channel a supply-chain attacker would want to sit on.
How to fix it
Change the index URL to https://. If the index is an internal/private package server that only supports http today, prioritize adding TLS to it; in the meantime, treat that network segment as sensitive and restrict who can be on-path.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo