SEC015errorPro

fail-open-security

Security functions should fail closed, not degrade silently

Applies to: JavaScript, Python, TypeScript

Why this matters

When encryption, verification, or auth functions catch errors and return permissive defaults (e.g., returning plaintext when encryption fails, returning true when verification fails), the application silently degrades to an insecure state. Security functions must fail loudly — throw an error rather than continuing without protection.

Catch it before it ships

pip install stablestack # or: npx stablestackstablestack # scans your project, SEC015 includedstablestack explain SEC015

SEC015 is part of the Pro rule set. See pricing — the free tier ships 24 checks with no signup.

False positive in your codebase? Suppress a single line with # noqa: SEC015