xp_cmdshell enabled via sp_configure
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
SQL Server's xp_cmdshell runs arbitrary operating-system commands with the privileges of the SQL Server service account. Enabling it turns any later SQL injection (or any user able to run ad-hoc queries) into remote code execution on the database host.
Why it matters
xp_cmdshell runs operating-system commands with the same privileges as the SQL Server service account. Once it is enabled, any later SQL injection vulnerability, or any user who can run ad-hoc queries, has a direct path to running arbitrary commands on the database host, not just reading or writing data. Enabling it is a common leftover from an old troubleshooting script that was never reverted.
How to fix it
Remove the sp_configure calls that enable xp_cmdshell (and, if present, the show advanced options toggle that was only there to allow it) so the feature returns to its disabled-by-default state. If a specific task genuinely needs OS-level access, do it outside the database (an application job, a scheduled task, a dedicated automation service) rather than through the SQL Server process.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo