Will It Vibe logoWill It Vibe?
SHELL-007Medium severity-8 points

curl/wget basic-auth credentials on the command line

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

curl -u user:password (or wget's --user/--http-user/--ftp-user equivalents) with a literal value puts the credential in the script, in shell history, and in the argv any local user can read via `ps aux`. Read it from an environment variable, a netrc file with restricted permissions, or a secret manager instead.

Why it matters

curl -u user:password (or wget's --user/--http-user/--ftp-user with a literal value) puts the credential in the script file, in the shell's history file, and in the process's argv, which any local user can read via `ps aux` for as long as the request is running.

How to fix it

Read the credential from an environment variable (curl -u "$API_USER:$API_PASS"), a netrc file with chmod 600 permissions (curl --netrc), or a secret manager the deploy environment already has access to. Never write the literal username or password into the script.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks