umask 000 (permissive default permissions)
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
umask 000 removes every default permission restriction, so every file and directory the rest of the script (and anything it spawns) creates from that point on is world-writable by default. A single narrow chmod on one path is far safer than resetting the process-wide default.
Why it matters
umask 000 removes every default permission restriction for the rest of the script (and anything it spawns): every file and directory created afterward is world-writable unless something later chmods it back down, one setting quietly weakening every subsequent file creation instead of one specific path.
How to fix it
Remove the umask 000 call. If a specific file or directory genuinely needs to be writable by another user or group, set that with a targeted chmod/chgrp on that one path instead of loosening the process-wide default. A safe umask for most scripts is 022 (or 027 where group access should also be restricted).
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo