Yaml Ansible Not Validated Certificates

Description

This detector identifies Ansible tasks that disable SSL/TLS certificate validation by setting validate_certs to false. Ansible's HTTP-capable modules validate certificates by default, so this setting is only present when someone has opted out. With validation off, the task accepts any certificate the server presents, including expired, self-signed or attacker-issued ones, so an attacker positioned on the network path can impersonate the server, read the data exchanged and tamper with content the task downloads or submits.

Weakness:

313 - Insecure service configuration - Certificates

Category: Functionality Abuse

Detection Strategy

    Scans YAML files for Ansible task configurations

    Identifies tasks whose module arguments set 'validate_certs' to false, or to an equivalent falsy value such as no, off or 0 in any letter case

    Reports a vulnerability when certificate validation is explicitly disabled in an Ansible module that makes SSL/TLS connections, such as uri, get_url or win_uri

    Triggers on any Ansible task where validate_certs is configured to bypass certificate verification
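The strategy above, as an added example that is not the detector's own code: a small static check over an already-parsed playbook (the structure PyYAML's yaml.safe_load returns), which reports every task whose module arguments set validate_certs to a value Ansible reads as false. It goes slightly beyond the list by also handling the FQCN and short module names, the dict and free-form "key=value" argument styles, the args: keyword and tasks nested in block/rescue/always. The sample playbook, the task-keyword set and the function names are constructed for this example.

```python
"""Static check for Ansible tasks that disable TLS certificate validation.

Added example, not the detector's own code. It walks an already-parsed
playbook (the structure yaml.safe_load returns) and reports every task
whose module arguments set validate_certs to a falsy value.
"""
import shlex

# Play-level keys that hold task lists, and task-level keys that nest tasks.
PLAY_TASK_KEYS = ("pre_tasks", "tasks", "post_tasks", "handlers")
NESTING_KEYS = ("block", "rescue", "always")

# Task keywords that are never a module name (a subset of Ansible's playbook
# keywords, constructed for this example). Any other key is treated as the
# module; the action/local_action forms fall through and are reported under
# that key.
TASK_KEYWORDS = {
    "name", "when", "register", "loop", "loop_control", "with_items",
    "with_dict", "with_fileglob", "until", "retries", "delay", "become",
    "become_user", "become_method", "tags", "vars", "args", "delegate_to",
    "delegate_facts", "run_once", "ignore_errors", "failed_when",
    "changed_when", "no_log", "environment", "notify", "listen",
    "any_errors_fatal", "check_mode", "diff", "throttle", "timeout",
    "connection", "collections", "module_defaults", "debugger", "poll", "async",
}

# Strings Ansible's boolean conversion treats as false. PyYAML already turns
# unquoted false/no/off into Python False; quoted forms arrive as strings.
FALSY_STRINGS = {"false", "no", "off", "0", "f", "n"}


def is_falsy(value):
    """True when Ansible would read `value` as boolean false.

    Templated values such as "{{ skip_verify }}" cannot be decided statically
    and are not reported here.
    """
    if isinstance(value, bool):
        return value is False
    if isinstance(value, int):
        return value == 0
    if isinstance(value, str):
        return value.strip().lower() in FALSY_STRINGS
    return False


def module_args(task):
    """Return (module_name, args_dict) for a task, or (None, {}) if none."""
    for key, value in task.items():
        if key in TASK_KEYWORDS or key in NESTING_KEYS:
            continue
        args = {}
        if isinstance(value, dict):
            args.update(value)
        elif isinstance(value, str):
            # Legacy free-form style: "uri: url=https://x validate_certs=no"
            for token in shlex.split(value):
                if "=" in token:
                    k, v = token.split("=", 1)
                    args[k] = v
        # Arguments may also be supplied through the args: keyword.
        if isinstance(task.get("args"), dict):
            args.update(task["args"])
        return key, args
    return None, {}


def iter_tasks(tasks, path):
    """Yield (path, task) for each task, descending into block/rescue/always."""
    for index, task in enumerate(tasks or []):
        if not isinstance(task, dict):
            continue
        here = f"{path}[{index}]"
        nested = False
        for key in NESTING_KEYS:
            if isinstance(task.get(key), list):
                nested = True
                yield from iter_tasks(task[key], f"{here}.{key}")
        if not nested:
            yield here, task


def find_disabled_cert_validation(playbook):
    """Return (path, module, value) for every task with a falsy validate_certs.

    `playbook` is the loaded YAML: a list of plays (each with `hosts`), or a
    bare task list such as a role's tasks/main.yml.
    """
    if playbook and all(isinstance(p, dict) and "hosts" in p for p in playbook):
        sections = [(f"play[{i}].{k}", p[k]) for i, p in enumerate(playbook)
                    for k in PLAY_TASK_KEYS if k in p]
    else:
        sections = [("tasks", playbook)]
    findings = []
    for path, tasks in sections:
        for task_path, task in iter_tasks(tasks, path):
            module, args = module_args(task)
            if module and "validate_certs" in args and is_falsy(args["validate_certs"]):
                findings.append((task_path, module, args["validate_certs"]))
    return findings


# Constructed sample: what yaml.safe_load would return for a small playbook.
SAMPLE_PLAYBOOK = [
    {
        "hosts": "all",
        "tasks": [
            {"name": "Vulnerable HTTPS request",
             "ansible.builtin.uri": {"url": "https://api.example.com", "validate_certs": False}},
            {"name": "Quoted string is still false",
             "get_url": {"url": "https://downloads.example.com/f.tgz", "dest": "/tmp/f.tgz",
                         "validate_certs": "no"}},
            {"name": "Free-form style",
             "win_uri": "url=https://intranet.example.com validate_certs=no"},
            {"name": "Secure request",
             "ansible.builtin.uri": {"url": "https://api.example.com", "validate_certs": True}},
            {"name": "Args keyword",
             "uri": {"url": "https://api.example.com"},
             "args": {"validate_certs": False}},
            {"block": [
                {"name": "Nested in block",
                 "ansible.builtin.get_url": {"url": "https://x.example.com/a", "dest": "/tmp/a",
                                             "validate_certs": 0}},
            ]},
        ],
    }
]

if __name__ == "__main__":
    import sys
    data = SAMPLE_PLAYBOOK
    if len(sys.argv) > 1:  # scan a real file; needs PyYAML
        import yaml
        with open(sys.argv[1]) as fh:
            data = yaml.safe_load(fh)
    for path, module, value in find_disabled_cert_validation(data):
        print(f"{path}: {module} sets validate_certs={value!r}")
```

Run on the embedded sample it reports five of the six tasks; the one with validate_certs: true is left alone. Values supplied through Jinja templates are deliberately not reported, since deciding them needs variable resolution rather than a syntactic scan.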

Vulnerable code example

- name: Vulnerable HTTPS request
  ansible.builtin.uri:
    url: https://api.example.com
    validate_certs: false # Vulnerable: TLS certificate validation disabled

- name: Vulnerable file download
  get_url:
    url: https://downloads.example.com/file.tar.gz...
    validate_certs: false # Vulnerable: TLS certificate validation disabled

✅ Secure code example

- name: Secure HTTPS request
  ansible.builtin.uri:
    url: https://api.example.com
    validate_certs: true # Safe: TLS certificate validation enabled

- name: Secure file download
  get_url:
    url: https://downloads.example.com/file.tar.gz...
    validate_certs: true # Safe: TLS certificate validation enabled (the default)