Unrestricted egress to the internet
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
A security group egress rule allows all protocols to 0.0.0.0/0. Wide-open egress removes a control against data exfiltration and command-and-control traffic. This is a best-practice heuristic and unrestricted egress is common, so it is kept at low severity.
Why it matters
An egress rule allowing all protocols to 0.0.0.0/0 lets a compromised instance send data anywhere and reach any command-and-control endpoint. Restricting egress is a real containment control against exfiltration. This is flagged at low severity because wide-open egress is common and is not itself an inbound exposure, so treat it as a hardening opportunity rather than an urgent hole.
How to fix it
Replace the catch-all egress with rules scoped to the destinations the workload needs, such as your VPC endpoints, package mirrors, and specific external APIs. Use prefix lists or destination security groups where you can. For sensitive workloads, route egress through a proxy or firewall so it can be logged and filtered.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo