Default or weak password in config
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A password key is set to a well-known default or trivially guessable value (admin, changeme, postgres, 123456, ...). Defaults left in config are the first thing credential-stuffing and scanners try.
Why it matters
A default or trivially guessable password left in config is the first thing automated attacks try. Values like admin, changeme, or postgres are in every credential-stuffing list, so an exposed service protected by one is effectively open. Defaults tend to survive from a quickstart into production unnoticed.
How to fix it
Replace the default with a strong, unique value read from an environment variable or secret manager, and remove the literal from config. If the default was ever deployed, change the actual account password, not just the config. Enforce a minimum password policy where the service allows it.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo