Hardcoded or default admin credentials
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A password is hardcoded as a string literal: either an admin-password field with any value, or a password field set to a well-known default like admin/changeme/123456.
Why it matters
A password written as a string literal in code is a credential anyone with repo access can use, and default values like admin, changeme, or 123456 are the first things attackers try. Hardcoded admin credentials often survive into production because they are wired into setup or seed scripts. The value also stays in git history after you edit it out.
How to fix it
Remove the literal password and require the credential to be supplied at deploy time through an environment variable or secret manager, with no default. For a seeded admin account, generate a random password at first run and print or store it once, or force a password reset on first login. Rotate any credential that was committed.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo