Database Password

ID

db_assignment

Severity

critical

Vendor

-

Family

Data Storage Secret

Description

Database systems (relational or not) are critical elements in IT infrastructure. Any leak of a database account's password can cause tremendous damage.

Security

Any hardcoded database credential, passwords in particular, is a potential secret reported by this detector.

Accidentally checking in a password to a source control repository could compromise your database. Depending on the permissions granted to the database account, a bad actor may extract sensitive information or personal data, or even modify the data with malicious intent.

Examples

db.port=50003
db.user=root
db.password=p@assworD
CONNECTION_URI="mssql://root:assworD@my.db.host:5434/account"
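As an added example (not the detector's own code), a simplified Python check that applies the rule described above to the configuration lines shown: it flags password-like assignments and credentials embedded in connection URIs, skips values that only reference an environment variable, and reports the secret in redacted form so the finding itself does not leak it. The sample configuration is constructed from the page's examples plus one placeholder line.

```python
import re
from urllib.parse import urlsplit

# Constructed configuration fragment, modelled on the page's examples;
# the last line uses a placeholder and must NOT be reported.
SAMPLE_CONFIG = """\
db.port=50003
db.user=root
db.password=p@assworD
CONNECTION_URI="mssql://root:assworD@my.db.host:5434/account"
db.password=${DB_PASSWORD}
"""

# key=value or key: value where the key names a database password.
ASSIGN_RE = re.compile(
    r'^\s*(?P<key>[\w.\-]*(?:db|database|mysql|pg|mssql|mongo)[\w.\-]*'
    r'pass(?:word|wd)?)\s*[=:]\s*(?P<val>.+?)\s*$',
    re.IGNORECASE,
)
# Connection URI carrying a userinfo section: scheme://user:pass@host
URI_RE = re.compile(r'(?P<uri>[a-z][a-z0-9+.\-]*://[^\s"\']*@[^\s"\']*)', re.IGNORECASE)
# Values that are env-var or template references rather than literal secrets.
PLACEHOLDER_RE = re.compile(r'^\$\{?\w+\}?$|^\{\{.*\}\}$')


def redact(secret):
    """Keep only the first character so a finding can be matched without exposing the value."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


def find_db_passwords(text):
    """Return one finding per line that hardcodes a database password."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m:
            val = m.group("val").strip('"\'')
            if not PLACEHOLDER_RE.match(val):
                findings.append({"line": lineno, "kind": "assignment",
                                 "key": m.group("key"), "secret": redact(val)})
            continue
        for um in URI_RE.finditer(line):
            parts = urlsplit(um.group("uri"))
            if parts.password:  # userinfo contains a password component
                findings.append({"line": lineno, "kind": "uri",
                                 "key": parts.scheme, "secret": redact(parts.password)})
    return findings


if __name__ == "__main__":
    for f in find_db_passwords(SAMPLE_CONFIG):
        print(f)
```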

Mitigation / Fix

  1. Follow your policy for handling leaked secrets, which typically requires resetting the password in the target database, and perhaps disabling the affected account and creating a new one.

  2. Remove the reported credential from the source code or committed configuration file.

  3. You may need to review the database access logs during the exposure window, searching for unusual database operations.

  4. Preventing good people from doing bad things is always wise advice. Database accounts should follow the principle of least privilege. If the database account is used by application software, ensure that the privileges granted are strictly those the application needs.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.