All ports open to the whole internet
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A security group ingress rule uses protocol "-1" or the full 0-65535 range with a 0.0.0.0/0 source, exposing every port on the instances to the internet.
Why it matters
An ingress rule using protocol "-1" or the full 0-65535 range with a 0.0.0.0/0 source opens every port on the instances to the entire internet. That exposes every service listening on the host, intended or not, including anything a future deploy happens to start. It removes network isolation almost entirely.
How to fix it
Delete the catch-all rule and add narrow rules for only the ports the workload actually serves, each scoped to the smallest source CIDR or a peer security group. Let inbound traffic arrive through a load balancer where possible so instances need very few open ports. Never leave an all-ports, all-sources rule in place.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo