MongoDB connection string with credentials
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.
What it detects
A mongodb:// or mongodb+srv:// URI embeds a username and password. It grants direct access to the database and often to a hosted cluster.
Why it matters
A mongodb:// or mongodb+srv:// URI with credentials often points at a hosted cluster, so a leak grants direct database access from the internet. Anyone who reads the repo can query or drop your collections. The URI stays in git history after removal.
How to fix it
Read the URI from an environment variable and fail fast if unset. Keep the real value untracked and in your secret store, and restrict cluster network access to known IPs. Rotate the database user password afterward.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo