CodeQL documentation

Dependency download using unencrypted communication channel

ID: rb/insecure-dependency
Kind: problem
Severity: warning
Precision: high
   - security
   - external/cwe/cwe-300
   - external/cwe/cwe-319
   - external/cwe/cwe-494
   - external/cwe/cwe-829
Query suites:
   - ruby-code-scanning.qls
   - ruby-security-extended.qls
   - ruby-security-and-quality.qls

Click to see the query in the CodeQL repository

Using an insecure protocol like HTTP or FTP to download dependencies makes the build process vulnerable to a man-in-the-middle (MITM) attack.

This can allow attackers to inject malicious code into the downloaded dependencies, and thereby infect the build artifacts and execute arbitrary code on the machine building the artifacts.


Always use a secure protocol, such as HTTPS or SFTP, when downloading artifacts from a URL.


The below example shows a Gemfile that specifies a gem source using the insecure HTTP protocol.

source ""

gem "my-gem-a", "1.2.3"

The fix is to change the protocol to HTTPS.

source ""

gem "my-gem-a", "1.2.3"


  • © GitHub, Inc.
  • Terms
  • Privacy