Elixir Mysql Hardcoded Credentials
Description
Detects hardcoded credentials in Elixir MySQL database connections opened with MyXQL.start_link(). Hardcoded database credentials are a significant security risk: they place authentication secrets directly in source code, where anyone with read access to the repository (including its history) can recover them, and rotating them requires a code change and a redeployment rather than a configuration update.
Detection Strategy
• Scans Elixir source code for MyXQL.start_link() calls that establish MySQL database connections
• Analyzes the options passed to MyXQL.start_link() to identify hardcoded credentials such as passwords, usernames, or connection strings
• Reports a vulnerability when a credential option is a string literal, written inline or through a local variable bound to a literal earlier in the function, rather than a value retrieved at runtime from environment variables or secure configuration
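The three steps above, carried out on Elixir's own AST. This is an added example written for this page, not Fluid Attacks' scanner: it parses source with Code.string_to_quoted/1, locates MyXQL.start_link calls inside def/defp bodies, and flags :username or :password options that are string literals, either inline or via a local variable bound to a literal in the same function (the pattern in the vulnerable snippet below). The module name, the two sample sources and the output shape {key, literal, line} are assumptions of the example.

```elixir
defmodule HardcodedMyXQLCredentials do
  @moduledoc """
  Added example detector (not Fluid Attacks' scanner). Parses Elixir source
  into an AST, finds every MyXQL.start_link call inside a def/defp, and reports
  :username or :password options given as a string literal, inline or through
  a local variable bound to a string literal earlier in the same function body.
  """

  @credential_keys [:username, :password]

  @doc "Returns [{key, literal, line}] findings for one source string; [] means none."
  def scan(source) when is_binary(source) do
    {:ok, ast} = Code.string_to_quoted(source)

    {_ast, findings} =
      Macro.prewalk(ast, [], fn
        # `kind in [:def, :defp]` matters: `if cond do ... end` has the same shape
        {kind, _meta, [_head, [do: body]]} = node, acc when kind in [:def, :defp] ->
          {node, acc ++ check_function(body)}

        node, acc ->
          {node, acc}
      end)

    findings
  end

  # Collect `var = "literal"` statements in the function body, then inspect each
  # MyXQL.start_link call in that body against those bindings.
  defp check_function(body) do
    statements =
      case body do
        {:__block__, _, stmts} -> stmts
        single -> [single]
      end

    bindings =
      for {:=, _, [{name, _, ctx}, value]} <- statements,
          is_atom(name) and is_atom(ctx) and is_binary(value),
          into: %{},
          do: {name, value}

    {_body, findings} =
      Macro.prewalk(body, [], fn
        # Remote call MyXQL.start_link(opts) where opts is a literal keyword list
        {{:., _, [{:__aliases__, _, [:MyXQL]}, :start_link]}, meta, [opts | _]} = node, acc
        when is_list(opts) ->
          {node, acc ++ hardcoded_options(opts, bindings, Keyword.get(meta, :line))}

        node, acc ->
          {node, acc}
      end)

    findings
  end

  defp hardcoded_options(opts, bindings, line) do
    Enum.flat_map(opts, fn
      {key, value} when key in @credential_keys ->
        case resolve(value, bindings) do
          nil -> []
          literal -> [{key, literal, line}]
        end

      _other -> []
    end)
  end

  # A credential is hardcoded when its value is a string literal or a variable
  # that was bound to a string literal in the same function. A call such as
  # System.get_env("DB_PASS") is a 3-tuple whose first element is not an atom,
  # so it falls through to nil and is not reported.
  defp resolve(value, _bindings) when is_binary(value), do: value
  defp resolve({name, _meta, ctx}, bindings) when is_atom(name) and is_atom(ctx), do: Map.get(bindings, name)
  defp resolve(_other, _bindings), do: nil

  # Constructed sample inputs mirroring the two snippets on this page.
  @vulnerable ~S"""
  defmodule MyApp.DB.Connection do
    def connect_manual() do
      user = "admin"
      pass = "password123"
      MyXQL.start_link(hostname: "localhost", username: user, password: pass)
    end
  end
  """

  @secure ~S"""
  defmodule MyApp.DB.Connection do
    def connect_manual() do
      user = System.get_env("DB_USER")
      pass = System.get_env("DB_PASS")
      MyXQL.start_link(hostname: "localhost", username: user, password: pass)
    end
  end
  """

  def demo do
    IO.inspect(scan(@vulnerable), label: "vulnerable sample")
    IO.inspect(scan(@secure), label: "secure sample")
  end
end

HardcodedMyXQLCredentials.demo()
```

Run it with `elixir detector.exs`. The vulnerable sample yields one finding per credential key, with the line of the start_link call; the secure sample yields none, because the variables are bound to calls rather than literals. Working on the AST rather than with a regular expression is what lets the check follow the variable indirection without matching unrelated strings.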
Vulnerable code example
defmodule MyApp.DB.Connection do
  def connect_manual() do
    user = "admin"
    pass = "password123" # VULNERABLE: hardcoded password in source code
    MyXQL.start_link(
      hostname: "localhost",
      username: user,
      password: pass # assumed remainder of the call: the literal above reaches the driver here
    )
  end
end
✅ Secure code example
defmodule MyApp.DB.Connection do
  def connect_manual() do
    user = System.get_env("DB_USER") # SAFE: credentials from environment
    pass = System.get_env("DB_PASS") # note: get_env/1 returns nil when the variable is unset
    MyXQL.start_link(
      hostname: "localhost",
      username: user,
      password: pass # assumed remainder of the call: values read at runtime, nothing secret in source
    )
  end
end