Hardcoded credentials in connection string
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.
What it detects
A database/service connection string embeds a username and password directly in code.
Why it matters
A connection string like postgres://user:password@host puts the database password in source control, where it spreads to every clone and CI log. Anyone who reads it can connect directly to your database from anywhere the host is reachable. The password stays in git history after you edit it out.
How to fix it
Read the full connection string from an environment variable (DATABASE_URL is the common convention) instead of writing it inline. Keep the real value in an untracked .env and in your host secret store, and put a placeholder like postgres://user:PASSWORD@host/db in .env.example. Rotate the exposed password afterward.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo