Database Credential Detection

Database credentials — connection strings, passwords, and certificates — are the second most commonly leaked secret type after cloud keys. A single exposed database password can lead to complete data exfiltration, ransomware, and compliance violations.

Verified by Precogs Threat Research
Tags: database, credentials, connection-strings, secrets. Updated: 2026-03-22

Database Credential Patterns

Database credentials appear in many formats: PostgreSQL connection URIs (postgresql://user:password@host/db), MySQL connection strings, MongoDB URIs with embedded auth, Redis AUTH passwords, and certificate files for TLS-encrypted connections. Each format requires specific detection patterns that go beyond simple regex.

Common Exposure Vectors

Database credentials leak through: hardcoded connection strings in application config files, .env files committed to repositories, Docker Compose files with DB_PASSWORD set, ORM configuration files (sequelize, prisma, typeorm), database migration scripts, and backend API code with inline connection logic.

Precogs AI Database Credential Detection

Precogs AI detects connection strings for PostgreSQL, MySQL, MongoDB, Redis, Elasticsearch, Cassandra, and 20+ other databases. We identify credentials in source code, config files, Docker Compose, Kubernetes secrets (base64), Terraform variables, and compiled binaries where credentials were embedded at build time.

Attack Scenario: The Unsecured Docker Compose Leak

1. An organization uses `docker-compose.yml` files strictly for local development.

2. To speed up local onboarding, a developer puts the actual staging database password directly in the `docker-compose.yml` environment block.

3. The file is committed to the central GitHub repository.

4. Because the staging database shares credentials with the production database (a common anti-pattern), the password is valid against production as well.

5. An attacker scanning public repositories, or using a compromised contractor's GitHub token, retrieves the `docker-compose.yml` file.

6. The attacker uses the credentials to connect directly to the database over its publicly routable IP address and dumps the customer table.

Real-World Code Examples

Hardcoded Connection Strings (CWE-256)

Database connection strings frequently aggregate the host, port, username, password, and database name into a single, highly readable URI. If this URI is discovered in source code by an attacker (or an automated malware scraper on a compromised developer workstation), it provides instantaneous, direct access to the crown jewels of the infrastructure.

VULNERABLE PATTERN
// VULNERABLE: Direct URI embedding in backend logic
import { createConnection } from "typeorm";

// Often found pushed to repositories during rapid prototyping
export const dbConnection = createConnection({
    type: "postgres",
    url: "postgresql://admin_user:Sup3rS3cr3tDBP@ssw0rd!@prod-db.us-east-1.rds.amazonaws.com:5432/main_db",
    synchronize: false,
    logging: true,
});
SECURE FIX
// SAFE: Total abstraction relying exclusively on environment configurations
import { createConnection } from "typeorm";

// The URI is supplied purely by the execution environment (Docker/K8s/Systemd)
if (!process.env.DATABASE_URL) {
    throw new Error("DATABASE_URL must be defined");
}

export const dbConnection = createConnection({
    type: "postgres",
    url: process.env.DATABASE_URL,
    ssl: { rejectUnauthorized: true },
    synchronize: false,
});

Detection & Prevention Checklist

  • Configure SAST tools to specifically alert on URI schema patterns like `mongodb://`, `postgresql://`, `mysql://`, and `redis://` found statically in source code
  • Never allow production database nodes to possess publicly routable IP addresses; enforce strict VPC peering or PrivateLink restrictions
  • Implement ephemeral database credential generation (e.g., HashiCorp Vault dynamic secrets) where the application requests a password valid for only 30 minutes
  • Scan Infrastructure-as-Code (Terraform, Pulumi) for hardcoded database root passwords bypassing KMS encryption
  • Regularly audit all container orchestration configs (`Deployment.yaml`, `.env`, `docker-compose.yml`) for `PASSWORD_` or `_SECRET` environment variables containing raw strings instead of SecretMap references
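The two checklist items above (alerting on connection-URI schemes in source, and auditing `PASSWORD`/`_SECRET` variables for raw values instead of references) can be prototyped in one scanner. The following is an added example, not Precogs code: it parses the authority of each URI from the rightmost `@`, so an unencoded `@` inside the password (as in the vulnerable pattern's `Sup3rS3cr3tDBP@ssw0rd!`) does not break extraction, and it reports findings with the secret redacted. The sample lines are constructed.

```python
import re
from urllib.parse import unquote
# Constructed sample of lines found in .env / docker-compose.yml files.
SAMPLE_LINES = [
    'DATABASE_URL=postgresql://admin_user:Sup3rS3cr3tDBP@ssw0rd!@prod-db.example.com:5432/main_db',
    'MONGO_URI=mongodb+srv://app:hunter2@cluster0.example.net/shop?retryWrites=true',
    'REDIS_URL=redis://:cachepass@redis:6379/0',
    'MYSQL_DSN=mysql://root:p%40ss@db:3306/app',
    '      POSTGRES_PASSWORD: "st4ging-only"',
    'DB_PASSWORD=${DB_PASSWORD}',
]
# Schemes named on the page; the authority runs up to the first '/', '?' or '#'.
URI_RE = re.compile(r"\b(?P<scheme>postgres(?:ql)?|mysql|mongodb(?:\+srv)?|rediss?|elasticsearch"
                    r"|cassandra)://(?P<authority>[^/?#\s\"']+)")
# KEY=value or KEY: value where the key name looks secret-bearing.
ENV_RE = re.compile(r"^\s*-?\s*(?P<name>[A-Z0-9_]*(?:PASSWORD|PASSWD|SECRET)[A-Z0-9_]*)"
                    r"\s*[=:]\s*(?P<value>.+?)\s*$")
# A ${VAR} / $VAR reference to an injected secret rather than the secret itself.
REFERENCE_RE = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$")

def split_authority(authority):
    # Rightmost '@' separates userinfo from host, so an unencoded '@' in the password survives.
    userinfo, sep, hostport = authority.rpartition("@")
    if not sep:
        return None, None, authority
    user, _, password = userinfo.partition(":")
    return unquote(user), (unquote(password) or None), hostport

def redact(secret):
    # Keep enough to triage the finding without logging the secret itself.
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 4 else "****"

def scan_line(line):
    findings = []
    for m in URI_RE.finditer(line):
        user, password, hostport = split_authority(m.group("authority"))
        if password:
            findings.append({"kind": "uri_password", "scheme": m.group("scheme"),
                             "user": user, "host": hostport, "secret": redact(password)})
    env = ENV_RE.match(line)
    if env:
        value = env.group("value").strip("\"'")
        if not REFERENCE_RE.match(value):
            findings.append({"kind": "literal_env_secret", "name": env.group("name"),
                             "secret": redact(value)})
    return findings

def scan(lines):
    return [dict(f, line=n) for n, line in enumerate(lines, 1) for f in scan_line(line)]
```

Running `scan(SAMPLE_LINES)` reports four embedded URI passwords and one literal `POSTGRES_PASSWORD`, while the `${DB_PASSWORD}` reference is correctly left alone.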

How Precogs AI Protects You

Precogs AI detects database credentials for PostgreSQL, MySQL, MongoDB, Redis, and 20+ other databases across source code, configs, Docker, Kubernetes, and compiled binaries — preventing credential exposure.


How do you detect database credentials in code?

Precogs AI detects connection strings for 20+ database types across source code, config files, Docker Compose, K8s secrets, Terraform, and compiled binaries using format-specific pattern matching and entropy analysis.

Scan for Database Credential Detection Issues

Precogs AI automatically detects exposed database credentials and generates AutoFix PRs.