Will It Vibe logoWill It Vibe?
SHELL-006Medium severity-8 points

MySQL/MariaDB client password on the command line

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

mysql/mysqldump's -p flag takes the password glued directly to it with no space (-pSecret123). Written this way the literal password lives in the script, and while the process runs it is also visible to every local user via `ps aux` or /proc. Use a defaults file (--defaults-extra-file), the MYSQL_PWD environment variable, or an interactive/silent prompt instead.

Why it matters

mysql/mysqldump's -p flag takes the password glued directly to it (-pSecret123, no space). Written that way, the literal password lives in the script file itself, and for as long as the process runs, the full command line, password included, is visible to every other local user via `ps aux` or /proc/<pid>/cmdline.

How to fix it

Move the credential out of the command line entirely: use a --defaults-extra-file pointing at a chmod 600 file with [client]\nuser=...\npassword=..., or export MYSQL_PWD in the environment for just that command. For interactive use, pass a bare -p with nothing after it and let the client prompt securely instead of hardcoding anything.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks