Sensitive PII/payment column declared as plain text
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
A column named like ssn/credit_card_number/cvv/passport_number is declared as VARCHAR/CHAR/TEXT with no encryption/tokenization qualifier in its name. This is a naming heuristic only: some stacks encrypt at the application or storage-engine layer, so confirm before treating this as confirmed plaintext storage.
Why it matters
A column named like ssn, credit_card_number, or cvv with no encryption/tokenization qualifier in its name is an indication, not proof, that this data is stored unprotected. If it is, a single database read exposes regulated data (PCI DSS for card data, various state/national law for SSNs) all at once, and that exposure typically carries breach-notification and compliance consequences beyond the immediate security cost. This is a naming heuristic: the schema alone cannot show whether the application encrypts the value before writing it, or whether a storage-engine feature encrypts it transparently.
How to fix it
Confirm how the application writes to this column. If it writes the raw value, encrypt it before it reaches the database (application-level encryption, or a database feature such as pgcrypto/transparent data encryption), and prefer not storing raw payment card data at all when a tokenization provider can do it for you. If it already encrypts or tokenizes the value, rename the column to document that.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo