Scala Hardcoded Password In Connection
Description
Detects hardcoded passwords in database connection strings within Scala code. This is a security risk because embedding credentials directly in source code can lead to unauthorized database access if the code is exposed. These credentials should instead be stored securely in configuration files or environment variables.
Detection Strategy
• Check for the presence of database-related imports, including java.sql, Apache Commons DBCP2 (org.apache.commons.dbcp2), or Spring JDBC (org.springframework.jdbc) packages
• Examine string literals and values in database connection configurations and method calls
• Report a vulnerability if password or credential values are hardcoded directly in the connection setup code rather than being loaded from external configuration
• Focus on database connection objects and methods that accept connection parameters like username and password
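The strategy above, implemented as an added example (not Fluid Attacks' own analyzer): a small scanner that first requires one of the JDBC-related imports, then inspects calls that accept a password argument (DriverManager.getConnection's third argument, or a DBCP2 setPassword call) and reports the ones whose argument is a string literal. The argument splitter respects nested parentheses and quotes, so System.getenv("DB_PASSWORD") is not flagged. The Scala snippets inside it are constructed sample input.

```python
import re

# Imports whose presence makes a file a candidate (first step of the strategy).
DB_IMPORTS = ("java.sql", "org.apache.commons.dbcp2", "org.springframework.jdbc")
# Calls that receive a password, and the index of the password argument.
PASSWORD_CALLS = {"getConnection": 2, "setPassword": 0}
CALL_RE = re.compile(r"\b(getConnection|setPassword)\s*\(")
STRING_LITERAL = re.compile(r'^"(?:[^"\\]|\\.)*"$')

def split_call_args(src, open_idx):
    """Split the arguments of the call whose '(' is at open_idx at top-level commas,
    honouring nested parentheses and string literals. Returns None if unbalanced."""
    args, cur, depth, in_str, i = [], [], 0, False, open_idx
    while i < len(src):
        c = src[i]
        if in_str:
            cur.append(c)
            if c == "\\" and i + 1 < len(src):   # keep escaped characters intact
                cur.append(src[i + 1]); i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True; cur.append(c)
        elif c == "(":
            depth += 1
            if depth > 1: cur.append(c)          # nested call: keep its parenthesis
        elif c == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip()); return args
            cur.append(c)
        elif c == "," and depth == 1:
            args.append("".join(cur).strip()); cur = []
        else:
            cur.append(c)
        i += 1
    return None

def find_hardcoded_passwords(src):
    """Return (line, call_name, literal) for every password argument that is a string literal."""
    if not any(f"import {pkg}" in src for pkg in DB_IMPORTS):
        return []                                # no database imports: not in scope
    findings = []
    for m in CALL_RE.finditer(src):
        args = split_call_args(src, m.end() - 1)
        idx = PASSWORD_CALLS[m.group(1)]
        if args and len(args) > idx and STRING_LITERAL.match(args[idx]):
            findings.append((src.count("\n", 0, m.start()) + 1, m.group(1), args[idx]))
    return findings

# Constructed sample input: the same call with a literal password and with an env lookup.
VULNERABLE = '''import java.sql.DriverManager
object Db { def connect() = DriverManager.getConnection("jdbc:mysql://localhost:3306/db", "root", "s3cr3t") }'''
SECURE = VULNERABLE.replace('"s3cr3t"', 'System.getenv("DB_PASSWORD")')
```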
Vulnerable code example
import java.sql.DriverManager

object DatabaseConnection {
  def connect() = {
    // Vulnerable: Hardcoded credentials in source code
    DriverManager.getConnection(
      "jdbc:mysql://localhost:3306/db",
      "root",
      "<hardcoded-password>" // placeholder standing in for the literal password the original snippet embeds
    )
  }
}
✅ Secure code example
import java.sql.DriverManager

object DatabaseConnection {
  def connect() = {
    val dbPassword = System.getenv("DB_PASSWORD") // Safe: credentials from environment variable
    DriverManager.getConnection(
      "jdbc:mysql://localhost:3306/db",
      "root",
      dbPassword // the password never appears as a literal in the source
    )
  }
}