Will It Vibe logoWill It Vibe?
SQL-008Medium severity-8 points

INSERT writes a plaintext-looking value into a password-like column

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A seed/migration INSERT supplies a quoted literal for a password/passwd/pwd/secret column that does not look like a hash or bind parameter. This is a heuristic based on the value's shape (not a hash prefix/length), so a custom encoding could still be a false positive; treat it as a prompt to verify.

Why it matters

A seed or migration INSERT that writes a quoted literal into a password-like column, where that literal is not shaped like a hash or a bind parameter, is a strong sign a real or default credential is sitting in plaintext in version control. Seed data is especially easy to forget about because it looks like throwaway test fixtures, but the same file often gets applied to staging or even production environments.

How to fix it

Hash the value before inserting it (bcrypt/scrypt/Argon2), or if this is genuinely local-only fixture data, use an obviously fake, clearly-labeled placeholder value and confirm the seed script is never run against a real environment. Either way, rotate any credential that was already committed as a real value.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks