Will It Vibe logoWill It Vibe?
SQL-007Low severity-4 points

Password/secret column declared as plain text

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

A column named like password/passwd/pwd/secret is declared as VARCHAR/CHAR/TEXT with no hash-oriented qualifier in its name (e.g. password_hash). This is a naming heuristic only: it cannot see whether the application hashes the value before writing it, so confirm before treating this as confirmed plaintext storage.

Why it matters

A column named password/passwd/pwd/secret with no hash-oriented qualifier (password_hash, password_digest) is an indication, not proof, that the application stores the raw value instead of a salted hash. If it turns out to be true, a single database read (a backup, a misconfigured replica, an injection bug) discloses every user's real password in one query. This is a naming heuristic: the schema alone cannot show whether the application hashes the value before writing it.

How to fix it

Confirm how the application writes to this column. If it writes raw values, switch to hashing with bcrypt, scrypt, or Argon2 before the value ever reaches the database, and rename the column to reflect what it stores (password_hash). If it already writes a hash, rename the column so the schema itself documents that, which is often enough to stop this heuristic from firing again on a re-scan.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks