Network ACL allows all traffic from any address
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A network ACL rule allows traffic from 0.0.0.0/0 (or ::/0), removing the subnet-level defense-in-depth layer that should sit behind security groups.
Why it matters
A network ACL rule that allows traffic from 0.0.0.0/0 removes the subnet-level filtering that is meant to back up security groups as a second layer of defense. When a security group is later misconfigured, that subnet layer is what would have contained the mistake, and an allow-all NACL gives it up.
How to fix it
Scope allow rules to the specific CIDRs and ports the subnet needs, and rely on security groups for fine-grained control. Keep NACLs as a coarse guardrail that blocks obviously unwanted ranges. Review whether the allow-all rule was a shortcut that can be tightened to the real traffic pattern.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo