# OTEL-032: `insecure_skip_verify` enabled

Severity: warn (advisory)

## Rule Details
`insecure_skip_verify: true` tells the Collector to accept any certificate the peer presents — expired, self-signed, issued for the wrong hostname, or signed by a CA you do not trust. That silently turns "mTLS to our backend" into "an encrypted connection to anyone who can intercept the traffic." Use a proper CA bundle (`ca_file`) or pin a specific cert instead.

This rule fires on any exporter or receiver protocol that sets `tls.insecure_skip_verify: true`.
## Options

This rule has no options.
## Examples

### Avoid

```yaml
exporters:
  otlp/backend:
    endpoint: backend.example.com:4317
    tls:
      insecure_skip_verify: true # skips verification entirely
```
### Prefer

```yaml
exporters:
  otlp/backend:
    endpoint: backend.example.com:4317
    tls:
      ca_file: /etc/ssl/certs/backend-ca.pem
```
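The check below reimplements this rule's detection over a parsed Collector config, as an added illustration; it is not augur's own Rego policy. It takes the dict that `yaml.safe_load()` would return, walks every exporter and every receiver protocol as the rule describes, and (an assumption beyond the page) also looks at a receiver-level `tls` block. The sample config is constructed here and mixes the Avoid and Prefer forms above.

```python
"""Flag tls.insecure_skip_verify: true in a parsed OpenTelemetry Collector config."""
from typing import Any


def _skips_verify(node: Any) -> bool:
    """True if a component or protocol node sets tls.insecure_skip_verify: true."""
    if not isinstance(node, dict):
        return False
    tls = node.get("tls")
    # YAML `true` parses to a bool; a quoted "true" string is deliberately not matched.
    return isinstance(tls, dict) and tls.get("insecure_skip_verify") is True


def find_insecure_skip_verify(config: dict) -> list[str]:
    """Return dotted config paths where certificate verification is disabled.

    Covers exporters.<name>, receivers.<name> (assumption: receiver-level tls)
    and receivers.<name>.protocols.<proto>, e.g. receivers.otlp.protocols.grpc.
    """
    hits: list[str] = []
    for name, exporter in (config.get("exporters") or {}).items():
        if _skips_verify(exporter):
            hits.append(f"exporters.{name}.tls.insecure_skip_verify")
    for name, receiver in (config.get("receivers") or {}).items():
        if _skips_verify(receiver):
            hits.append(f"receivers.{name}.tls.insecure_skip_verify")
        protocols = receiver.get("protocols") if isinstance(receiver, dict) else None
        for proto, settings in (protocols or {}).items():
            if _skips_verify(settings):
                hits.append(f"receivers.{name}.protocols.{proto}.tls.insecure_skip_verify")
    return hits


# Constructed sample: what yaml.safe_load() returns for a small Collector config.
SAMPLE_CONFIG = {
    "receivers": {
        "otlp": {"protocols": {
            "grpc": {"endpoint": "0.0.0.0:4317", "tls": {"insecure_skip_verify": True}},
            "http": {"endpoint": "0.0.0.0:4318"},
        }},
    },
    "exporters": {
        "otlp/backend": {"endpoint": "backend.example.com:4317",
                         "tls": {"insecure_skip_verify": True}},
        "otlp/safe": {"endpoint": "backend.example.com:4317",
                      "tls": {"ca_file": "/etc/ssl/certs/backend-ca.pem"}},
    },
}

if __name__ == "__main__":
    for path in find_insecure_skip_verify(SAMPLE_CONFIG):
        print(f"OTEL-032 warn: {path}")
```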
## When Not To Use It

One-off local development or a smoke test inside a throwaway environment. Never in production.
## Related Rules

- OTEL-031 — TLS `min_version` below 1.2
- OTEL-033 — receiver on non-localhost endpoint without TLS
- OTEL-018 — OTLP exporter without TLS on non-local endpoint
## Version

Available since augur v0.1.0.
## Further Reading

### Resources

- Rule source: `policy/main/security.rego`