Will It Vibe logoWill It Vibe?
SQL-006High severity-15 points

Default superuser account created with a plaintext password

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

A well-known default administrative account (root/sa/postgres/admin) is created or altered with a literal password value. Attackers try these exact username/role combinations first, so a committed plaintext credential here is a direct path to full database compromise.

Why it matters

root, sa, postgres, and admin are the first usernames any automated credential-stuffing attempt or default-password scanner tries against an exposed database port. Creating or resetting one of these accounts with a literal password compounds two risks at once: the account is the highest-value target in the database, and its password is sitting in plaintext in your repository history.

How to fix it

Avoid using default superuser names for application or service accounts entirely; create a distinctly named role with only the privileges it needs. Where the superuser account itself must be provisioned (initial cluster setup), set its password from a secret manager or generated value at provisioning time, never as a literal in a committed file.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks