openssh: does `ssh-keyscan` verify the legitimacy of the hosts it scans?

There are tutorials on the web, like this one: https://blog.oddbit.com/post/2019-02-24-docker-build-learns-about-secr/

Show you a sample code to run ssh-keyscan in an automated way so that subsequent automation steps that depend on SSH can be completed successfully. E.g. Excerpt from that tutorial:

# syntax=docker/dockerfile:1.0.0-experimental

FROM alpine
RUN apk add --update git openssh

# This is necessary to prevent the "git clone" operation from failing
# with an "unknown host key" error.
RUN mkdir -m 700 /root/.ssh; 
  touch -m 600 /root/.ssh/known_hosts; 
  ssh-keyscan github.com > /root/.ssh/known_hosts

# This command will have access to the forwarded agent (if one is
# available)
RUN --mount=type=ssh git clone git@github.com:moby/buildkit

Is that a good idea? Is there a way for ssh-keyscan to automatically verify the legitimacy of the scanning host? If not, does it not become a security theater and defeat the SSH point? known_hosts check?

ssh keys – ssh-keyscan does not read .ssh / config?

I'm using ssh-keyscan in a shell script to accept keys for hosts. Hosts are identified by hostname but not in / etc / hosts. They're in ./ssh/config So I can ssh but I can not whistle etc.

It seems that ssh-keyscan is not using the .ssh / config File and that seems funny.

Can anyone confirm that this happens to them?

Real question: Does anyone have a way to make ssh-keyscan use ~ / .ssh / config?