logo

Database

Python Hardcoded Password In Connection

Description

Detects hardcoded passwords in database connection configurations in Python code. This is a critical security risk as embedding credentials directly in source code could lead to unauthorized database access if the code is exposed, especially in version control systems or if the application is compromised.

Weakness:

359 - Sensitive information in source code - Credentials

Category: Information Collection

Detection Strategy

    Check if any of the following database libraries are imported in the code: psycopg, mysql.connector, pymssql, pymongo, redis, or sqlalchemy

    Look for database connection function calls like connect(), Connection(), or create_engine()

    Examine the function arguments for hardcoded password strings

    Report a vulnerability if a connection function contains password credentials as string literals instead of environment variables or configuration files

Vulnerable code example

import psycopg2

def connect_to_db():
    # VULNERABLE: Hardcoded database password as string literal
    conn = psycopg2.connect(
        host="localhost",
        dbname="mydb", 
        user="admin",...

✅ Secure code example

import os
import psycopg2

def connect_to_db():
    # SAFE: Password retrieved from environment variable instead of hardcoding
    conn = psycopg2.connect(
        host="localhost",
        dbname="mydb", ...