← all rules
code/js-tls-verify-disabled
TLS certificate verification disabled
What it detects
rejectUnauthorized: false disables TLS certificate validation, breaking the trust chain and exposing the connection to MitM attacks. Common when AI assistants suggest 'fixes' for self-signed cert errors — the right fix is to add the CA to the trust store, not to disable validation.
How it runs
Applied line-by-line via a tagged regex with language-specific gating. Comments are skipped. Designed for high-confidence patterns where AST parsing would be overkill.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.