Verify SSH host keys instead of ignoring them | Critiq Docs

#Metadata

Rule ID: go.security.insecure-ssh-host-key
Severity: high
Confidence: 0.95
Languages: go
Presets: security, strict
Stability: experimental
Applies to: block
Tags: go, rules-catalog, security, ssh, transport

#Why it matters

Skipping host key verification lets any network attacker impersonate the remote host and steal credentials or hijack sessions.

#Remediation

Use `ssh.FixedHostKey`, `knownhosts.New`, or a callback that compares the remote host key to a trusted pin before completing the handshake.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/go/go.security.insecure-ssh-host-key.rule.yaml.

Back to directory Open rule in repository