Add global --skip-tls-verify flag for self-signed certs #272
Open
jai-deepsource wants to merge 4 commits into master from
Conversation
jai-deepsource (Contributor) commented on Mar 2, 2026
- Add --skip-tls-verify persistent flag on root command, available to all subcommands
- Resolution priority: CLI flag > DEEPSOURCE_SKIP_TLS_VERIFY env var > config file
- Add SkipTLSVerify field to CLIConfig, persisted as skip_tls_verify in TOML
- Wire all commands (issues, metrics, runs, reportcard, vulnerabilities, auth) to pass resolved value to API client
- Build custom http.Transport with InsecureSkipVerify when enabled
- Deprecate report's --skip-verify flag in favor of the global flag
- Pass SkipTLSVerify through auth service for device registration and PAT requests
- Add tests for TLS resolution logic, config env/file loading, client transport, and login behavior
- Remove .deepsource.toml
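The resolution order and the transport construction listed above, as an added Go example; this is not the PR's code and the project's root command is not shown here. `TLSVerifySources`, `ResolveSkipTLSVerify`, `NewAPIClient` and `SkipsVerify` are illustrative names, and the standard `flag` package with `flag.Visit` stands in for whatever "flag was explicitly set" check the real root command uses. Only the flag name, the `DEEPSOURCE_SKIP_TLS_VERIFY` variable and the `skip_tls_verify` key come from the description. Two points the example is built around: "flag not passed" must be distinct from "flag set to false", or the env var and config file can never enable the setting; and a malformed env value fails closed, with verification left on.

```go
package main

import (
	"crypto/tls"
	"flag"
	"fmt"
	"net/http"
	"os"
	"strconv"
	"time"
)

// TLSVerifySources holds the three places the setting can come from (illustrative type).
// Flag is a pointer so that "not passed" differs from "--skip-tls-verify=false": if the
// flag's default (false) counted as explicit, env and config could never turn it on.
type TLSVerifySources struct {
	Flag   *bool  // nil when --skip-tls-verify was not given on the command line
	Env    string // raw DEEPSOURCE_SKIP_TLS_VERIFY value, "" when unset
	Config bool   // skip_tls_verify from the TOML config file
}

// ResolveSkipTLSVerify applies the precedence CLI flag > env var > config file and
// reports which source won. An env value strconv.ParseBool rejects is an error and
// resolves to false, so a typo never silently disables verification.
func ResolveSkipTLSVerify(s TLSVerifySources) (skip bool, source string, err error) {
	if s.Flag != nil {
		return *s.Flag, "flag", nil
	}
	if s.Env != "" {
		v, perr := strconv.ParseBool(s.Env)
		if perr != nil {
			return false, "env", fmt.Errorf("DEEPSOURCE_SKIP_TLS_VERIFY=%q is not a boolean: %w", s.Env, perr)
		}
		return v, "env", nil
	}
	return s.Config, "config", nil
}

// NewAPIClient builds the client the API layer would use. The transport is a clone of
// http.DefaultTransport, so proxy settings, dial timeouts and HTTP/2 are kept; only
// TLSClientConfig changes, and only when skip is true. The returned warning is
// non-empty exactly when verification is off, for the caller to print to stderr.
func NewAPIClient(skip bool) (*http.Client, string) {
	tr := http.DefaultTransport.(*http.Transport).Clone()
	warning := ""
	if skip {
		tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} // explicit opt-in only
		warning = "warning: TLS certificate verification is disabled (--skip-tls-verify); the connection can be intercepted"
	}
	return &http.Client{Transport: tr, Timeout: 30 * time.Second}, warning
}

// SkipsVerify reports whether a client built by NewAPIClient has verification disabled.
func SkipsVerify(c *http.Client) bool {
	tr, ok := c.Transport.(*http.Transport)
	return ok && tr.TLSClientConfig != nil && tr.TLSClientConfig.InsecureSkipVerify
}

func main() {
	// Stand-alone demo. flag.Visit only reports flags that were actually passed,
	// which is the "explicitly set" distinction the resolver depends on.
	flagVal := flag.Bool("skip-tls-verify", false, "skip TLS certificate verification (self-signed certs)")
	flag.Parse()
	var src TLSVerifySources
	flag.Visit(func(f *flag.Flag) {
		if f.Name == "skip-tls-verify" {
			src.Flag = flagVal
		}
	})
	src.Env = os.Getenv("DEEPSOURCE_SKIP_TLS_VERIFY")
	src.Config = false // stand-in for the value loaded from the TOML config file

	skip, source, err := ResolveSkipTLSVerify(src)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	client, warning := NewAPIClient(skip)
	if warning != "" {
		fmt.Fprintln(os.Stderr, warning)
	}
	fmt.Printf("skip_tls_verify=%v (from %s); client skips verification: %v\n", skip, source, SkipsVerify(client))
}
```

Run it as `DEEPSOURCE_SKIP_TLS_VERIFY=true go run . --skip-tls-verify=false` to see the flag win over the env var, and with `DEEPSOURCE_SKIP_TLS_VERIFY=yes` to see the fail-closed error. Cloning `http.DefaultTransport` rather than writing `&http.Transport{...}` from scratch matters in a CLI: a bare transport has no `ProxyFromEnvironment`, so the secure and insecure code paths would otherwise behave differently behind a corporate proxy.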
Overall Grade | Focus Area: Security
Categories: Security, Reliability, Complexity, Hygiene, Coverage
Feedback
- Insecure TLS default
  - InsecureSkipVerify was treated as a convenient default in client initialization, letting certificate validation be bypassed; make TLS validation secure-by-default and require an explicit, audited opt-in to disable it.
- Dev-only toggles leaked to production
  - Local/test conveniences (skip verification) were left in committed configs, so runtime behavior differs by environment; separate environment configs and enforce a production-safe build/runtime guard to prevent accidental enablement.
- Tests depend on real services
  - Low coverage and ad-hoc verification toggles imply tests hit live endpoints, driving developers to relax TLS; replace networked tests with mocks or local TLS test servers so security flags aren't needed and coverage improves.
Code Review Summary
| Analyzer | Status | Updated (UTC) | Details |
|---|---|---|---|
| Go | | Mar 7, 2026 11:28 a.m. | Review ↗ |
| Secrets | | Mar 7, 2026 11:28 a.m. | Review ↗ |
| Test coverage | | Mar 7, 2026 11:28 a.m. | Review ↗ |
Code Coverage Summary
| Language | Line Coverage (New Code) | Line Coverage (Overall) |
|---|---|---|
| Aggregate | 27.3% (⤫ below threshold) | 21.7% (▲ up 2.3% from master) |
| Go | 27.3% (⤫ below threshold) | 21.7% (▲ up 2.3% from master; ✓ above threshold) |
➟ Additional coverage metrics may have been reported. See full coverage report ↗
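The "local TLS test server" the third feedback item asks for, as an added Go example that is not part of the project or the PR. It starts an `httptest.NewTLSServer` (self-signed certificate) and runs three clients against it: the stock transport, which rejects the certificate; a transport whose `RootCAs` pool contains the test server's certificate, which succeeds with verification still on; and a transport with `InsecureSkipVerify`, the `--skip-tls-verify` path. `Outcome`, `RunAgainstSelfSigned` and the helpers are illustrative names. The second client is the pattern a test suite or a private-CA deployment should use instead of the flag; the flag stays for the case where the user genuinely cannot install the certificate.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Outcome records what three client configurations observe against one
// self-signed test server (illustrative type).
type Outcome struct {
	DefaultRejected bool // stock transport: handshake refused, unknown authority
	DefaultErr      string
	TrustedStatus   int // transport whose RootCAs holds the test server certificate
	TrustedErr      string
	SkipStatus      int // transport with InsecureSkipVerify, the --skip-tls-verify path
	SkipErr         string
}

func clientWith(cfg *tls.Config) *http.Client {
	return &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: cfg},
	}
}

func get(c *http.Client, url string) (int, error) {
	resp, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func errText(err error) string {
	if err == nil {
		return ""
	}
	return err.Error()
}

// isUnknownAuthority unwraps through *url.Error and the tls wrapper to the x509
// failure; the string check covers platform verifiers that use a different type.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae) || strings.Contains(errText(err), "x509")
}

// RunAgainstSelfSigned starts a TLS test server with a self-signed certificate
// and exercises the three client configurations against it.
func RunAgainstSelfSigned() Outcome {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	var o Outcome

	// 1. Secure default: nothing configured, so the unknown certificate is rejected.
	_, err := get(clientWith(nil), srv.URL)
	o.DefaultRejected = isUnknownAuthority(err)
	o.DefaultErr = errText(err)

	// 2. Trust this certificate (or the CA that issued it) explicitly. Verification,
	//    including hostname matching, stays on; only the trust anchor changes.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	st, err := get(clientWith(&tls.Config{RootCAs: pool}), srv.URL)
	o.TrustedStatus, o.TrustedErr = st, errText(err)

	// 3. --skip-tls-verify: also succeeds, but it would succeed against any
	//    certificate, including one presented by an on-path attacker.
	st, err = get(clientWith(&tls.Config{InsecureSkipVerify: true}), srv.URL)
	o.SkipStatus, o.SkipErr = st, errText(err)
	return o
}

func main() {
	o := RunAgainstSelfSigned()
	fmt.Printf("stock client rejected: %v (%s)\n", o.DefaultRejected, o.DefaultErr)
	fmt.Printf("trusted-pool client:  status %d err %q\n", o.TrustedStatus, o.TrustedErr)
	fmt.Printf("skip-verify client:   status %d err %q\n", o.SkipStatus, o.SkipErr)
}
```

`srv.Client()` already returns a client built exactly like the second one, so project tests can use it directly; the pool is spelled out here to show that the same `RootCAs` approach is what a CLI should offer users with an internal CA (a `--ca-cert` style option) before reaching for a verification bypass.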
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>