curl/wget basic-auth credentials on the command line
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
curl -u user:password (or wget's --user/--http-user/--ftp-user equivalents) with a literal value puts the credential in the script, in shell history, and in the argv any local user can read via `ps aux`. Read it from an environment variable, a netrc file with restricted permissions, or a secret manager instead.
Why it matters
curl -u user:password (or wget's --user/--http-user/--ftp-user with a literal value) puts the credential in the script file, in the shell's history file, and in the process's argv, which any local user can read via `ps aux` for as long as the request is running.
How to fix it
Read the credential from an environment variable (curl -u "$API_USER:$API_PASS"), a netrc file with chmod 600 permissions (curl --netrc), or a secret manager the deploy environment already has access to. Never write the literal username or password into the script.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo