Missing SSL certificate verification

Description

Applications that process sensitive data should only communicate with peers presenting valid SSL certificates. This rule checks whether SSL certificate verification is enabled in the HTTP client.

Remediations

❌ Do not disable SSL certificate validation in your HTTP client

✅ Ensure verification of both peers and hostnames is enabled in your HTTP client:

curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true); // validate the server's certificate chain against the trust store
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);    // check the certificate name matches the requested host (2 is the only valid "on" value; 1/true is rejected by modern libcurl)
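As an added example (not part of Bearer's rule documentation), a small PHP cURL helper that keeps both verification settings on, restricts the handle to HTTPS, and surfaces verification failures instead of silencing them; the URL and CA bundle path are placeholders:

```php
<?php
// Added example, not Bearer's code. The endpoint and CA bundle path are placeholders.

/**
 * GET a URL over HTTPS with peer and hostname verification enforced.
 * Returns the response body, or throws if the transport or TLS check fails.
 */
function secureHttpGet(string $url, ?string $caBundle = null): string
{
    $curl = curl_init($url);
    if ($curl === false) {
        throw new RuntimeException('curl_init failed');
    }

    curl_setopt_array($curl, [
        CURLOPT_RETURNTRANSFER  => true,
        // Refuse plain http:// for both the initial request and any redirect target.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        // The two settings this rule checks: validate the chain, and require the
        // certificate name to match the host. VERIFYHOST takes 2, not true/1.
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_TIMEOUT         => 10,
    ]);

    // Optionally pin the trust store to a specific CA bundle (e.g. an internal CA).
    if ($caBundle !== null) {
        curl_setopt($curl, CURLOPT_CAINFO, $caBundle);
    }

    $body  = curl_exec($curl);
    $errno = curl_errno($curl);
    $error = curl_error($curl);
    curl_close($curl);

    if ($body === false) {
        // errno 60 (CURLE_SSL_CACERT / CURLE_PEER_FAILED_VERIFICATION) means the peer
        // could not be validated: fix the trust store or the server certificate,
        // never "fix" it by setting CURLOPT_SSL_VERIFYPEER to false.
        throw new RuntimeException(sprintf('HTTPS request failed (curl errno %d): %s', $errno, $error));
    }
    return $body;
}

// Usage (placeholder URL):
// echo secureHttpGet('https://api.example.com/health');
```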

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_ssl_verification

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_ssl_verification