Will It Vibe logoWill It Vibe?
SCA-024Medium severity-8 points

requirements.txt configures an insecure (HTTP) package index

Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A requirements.txt --index-url/--extra-index-url/-i option points at a plain http:// registry, so package downloads have no transport integrity and are exposed to on-path tampering.

Why it matters

A requirements.txt --index-url/--extra-index-url pointing at a plain http:// address means every package download for that project happens with no transport integrity: an attacker anywhere on the network path (a compromised Wi-Fi network, a malicious proxy, a compromised router) can substitute a malicious package for the one you asked for, and pip has no way to detect the swap at the transport layer. This is exactly the kind of channel a supply-chain attacker would want to sit on.

How to fix it

Change the index URL to https://. If the index is an internal/private package server that only supports http today, prioritize adding TLS to it; in the meantime, treat that network segment as sensitive and restrict who can be on-path.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Dependencies & Hygiene checks