Elixir Postgresql Hardcoded Credentials
Description
Detects hardcoded database credentials in Elixir applications using the Postgrex library for PostgreSQL connections. This vulnerability exposes sensitive database authentication information directly in source code, making it accessible to anyone with code access and creating security risks if the code is compromised or accidentally exposed.
Detection Strategy
• Scans Elixir source code for calls to the Postgrex.start_link function
• Analyzes the function call parameters to identify hardcoded credentials (usernames, passwords, connection strings)
• Reports a vulnerability when Postgrex.start_link contains embedded authentication credentials instead of using environment variables, configuration files, or secure credential management systems
Vulnerable code example
defmodule MyApp.DB.Connection do
  def connect_manual() do
    user = "admin"                # VULNERABLE: hardcoded username stored in variable
    pass = "password123"          # VULNERABLE: hardcoded password stored in variable
    host = "localhost"

    # The literal credentials end up as the :username and :password options of the call
    Postgrex.start_link(
      hostname: host,
      username: user,
      password: pass
    )
  end
end
✅ Secure code example
defmodule MyApp.DB.Connection do
  def connect_manual() do
    user = System.get_env("DB_USER")   # SAFE: credential read from the environment
    pass = System.get_env("DB_PASS")   # SAFE: password read from the environment
    host = System.get_env("DB_HOST", "localhost")

    # Only values resolved at runtime reach the connection options
    Postgrex.start_link(
      hostname: host,
      username: user,
      password: pass
    )
  end
end
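A minimal static check for the detection strategy above, written here as an added Python example (it is not Fluid Attacks' scanner nor code from the page): it finds Postgrex.start_link calls whose username or password option is a string literal, either written inline or passed through a variable bound to a literal in the same file, and reports the vulnerable pattern while accepting the environment-based one. The two embedded Elixir sources are constructed samples, and the file-wide, scope-free variable tracking is a deliberate simplification.

```python
import re

# Constructed sample Elixir sources (not from the page) exercising the check.
VULNERABLE_SRC = '''defmodule MyApp.DB.Connection do
  def connect_manual() do
    pass = "password123"  # literal bound to a variable
    Postgrex.start_link(hostname: "localhost", username: "admin", password: pass, database: "app")
  end
end
'''
SAFE_SRC = '''defmodule MyApp.DB.Connection do
  def connect_manual() do
    pass = System.get_env("DB_PASS")
    Postgrex.start_link(hostname: "localhost", username: System.get_env("DB_USER"),
                        password: pass, database: "app")
  end
end
'''
CREDENTIAL_KEYS = ("username", "password")
STRING_LITERAL = re.compile(r'^"[^"]*"$')
# `name = "literal"` bindings; simplified: file-wide, no scope tracking.
BINDING = re.compile(r'^\s*([a-z_]\w*)\s*=\s*("[^"]*")\s*(?:#.*)?$', re.M)
CALL = re.compile(r'Postgrex\.start_link\s*\(')
OPTION = re.compile(r'(\w+):\s*([^,\n]+)')

def call_args(src, open_paren):
    """Text inside the balanced parentheses that open at src[open_paren]."""
    depth = 0
    for i in range(open_paren, len(src)):
        depth += {"(": 1, ")": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_paren + 1:i]
    return src[open_paren + 1:]

def find_hardcoded_credentials(src):
    """List (line, option, literal) for username/password options of Postgrex.start_link
    given as string literals, inline or via a variable bound to one."""
    bindings = {m.group(1): m.group(2) for m in BINDING.finditer(src)}
    findings = []
    for call in CALL.finditer(src):
        line = src.count("\n", 0, call.start()) + 1
        for key, value in OPTION.findall(call_args(src, call.end() - 1)):
            value = value.strip()
            if key not in CREDENTIAL_KEYS:
                continue
            if STRING_LITERAL.match(value):
                findings.append((line, key, value))
            elif value in bindings:  # variable holding a literal
                findings.append((line, key, bindings[value]))
    return findings
```

Running the check over a real code base would iterate the project's .ex/.exs files and feed each one to find_hardcoded_credentials; a finding is the line of the call plus the literal that reached it.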