Plaintext database credentials in app config
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A database connection string with an inline user:password@host, or a database password key set to a literal value, exposes the datastore password to everyone with repo access.
Why it matters
A database password embedded in a connection string or a config key is readable by everyone with repo access, and it stays in git history after you edit it out. Anyone who reads it can connect straight to the database from any network location the host allows. Datastore credentials are a direct path to the data an app is supposed to protect.
How to fix it
Read the full connection string or password from an environment variable (DATABASE_URL is the common convention) and fail fast if it is unset. Keep the real value in an untracked .env and in your host secret store, with a placeholder in .env.example. Rotate the exposed password and, where possible, restrict the database to connect only from your app network.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo