← all rules

code/js-weak-hash-password

Weak hashing: MD5/SHA1 used in auth/password context

mediumCode regexweak-cryptoCWE-327js

What it detects

MD5 and SHA1 are unsuitable for password hashing or tokens. Use bcrypt/argon2/scrypt for passwords, HMAC-SHA256 for tokens.

How it runs

Applied line-by-line via a tagged regex with language-specific gating. Comments are skipped. Designed for high-confidence patterns where AST parsing would be overkill.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.