Go Use Of Hardcoded Password
Description
Detects hardcoded database credentials in Go applications when establishing SQL connections. This represents a security risk since credentials stored directly in source code could be exposed through version control systems or code access, potentially leading to unauthorized database access.
Detection Strategy
• Identifies imports of SQL-related packages ('database/sql' or 'github.com/go-sql-driver/mysql')
• Locates calls to the sql.Open() function, which is used to establish database connections
• Examines the connection string parameters passed to sql.Open() for hardcoded credentials
• Reports a vulnerability when database connection strings contain literal password values instead of using environment variables or secure configuration methods
Vulnerable code example
package main
import (
    "database/sql"
    _ "github.com/go-sql-driver/mysql"
)
func connectDB() (*sql.DB, error) {
...
Secure code example
package main
import (
    "database/sql"
    "os"
    "fmt"
    _ "github.com/go-sql-driver/mysql"
)
...
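The detection strategy above, as an added example that is not part of Fluid Attacks' rule or tooling: a small checker built on Go's standard go/ast package that requires a database/sql import, finds sql.Open calls, and flags those whose DSN argument is a string literal carrying user:password, while a DSN assembled from os.Getenv is left alone. The two source snippets it scans are constructed samples, and the user:password@host/db DSN shape is assumed from the go-sql-driver/mysql format.

```go
package main
import (
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
	"strings"
)
// Constructed samples: a literal DSN carrying user:password, and the fixed form built from environment variables.
const vulnerableSrc = `package main
import ("database/sql"; _ "github.com/go-sql-driver/mysql")
func connectDB() (*sql.DB, error) { return sql.Open("mysql", "app:S3cretPass@tcp(db:3306)/inventory") }`
const secureSrc = `package main
import ("database/sql"; "fmt"; "os"; _ "github.com/go-sql-driver/mysql")
func connectDB() (*sql.DB, error) {
	return sql.Open("mysql", fmt.Sprintf("%s:%s@tcp(%s)/%s", os.Getenv("DB_USER"), os.Getenv("DB_PASS"), os.Getenv("DB_HOST"), os.Getenv("DB_NAME")))
}`
// findHardcodedDSN follows the rule's strategy: require a database/sql import, locate sql.Open calls, and report the
// line of each whose DSN argument is a string literal with a user:password@ prefix. A DSN assembled at runtime is not flagged.
func findHardcodedDSN(src string) ([]int, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	var lines []int
	hasSQL := false // imports precede every other declaration in Go, so this is set before any call is visited
	ast.Inspect(f, func(n ast.Node) bool {
		if imp, ok := n.(*ast.ImportSpec); ok && imp.Path.Value == `"database/sql"` {
			hasSQL = true
		}
		call, ok := n.(*ast.CallExpr)
		if !ok || !hasSQL || len(call.Args) < 2 || types.ExprString(call.Fun) != "sql.Open" {
			return true
		}
		if lit, ok := call.Args[1].(*ast.BasicLit); ok && lit.Kind == token.STRING {
			dsn := strings.Trim(lit.Value, "\"`")
			if at := strings.Index(dsn, "@"); at > 0 && strings.Contains(dsn[:at], ":") {
				lines = append(lines, fset.Position(call.Pos()).Line)
			}
		}
		return true
	})
	return lines, nil
}
func main() {
	v, _ := findHardcodedDSN(vulnerableSrc)
	s, _ := findHardcodedDSN(secureSrc)
	println("vulnerable findings:", len(v), "secure findings:", len(s)) // vulnerable findings: 1 secure findings: 0
}
```

A DSN built from a configuration loader or secret manager is likewise a non-literal argument, so this check reports only credentials that are actually present in the source.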