Will It Vibe logoWill It Vibe?
TF-015High severity-15 points

All ports open to the whole internet

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

A security group ingress rule uses protocol "-1" or the full 0-65535 range with a 0.0.0.0/0 source, exposing every port on the instances to the internet.

Why it matters

An ingress rule using protocol "-1" or the full 0-65535 range with a 0.0.0.0/0 source opens every port on the instances to the entire internet. That exposes every service listening on the host, intended or not, including anything a future deploy happens to start. It removes network isolation almost entirely.

How to fix it

Delete the catch-all rule and add narrow rules for only the ports the workload actually serves, each scoped to the smallest source CIDR or a peer security group. Let inbound traffic arrive through a load balancer where possible so instances need very few open ports. Never leave an all-ports, all-sources rule in place.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks