Usage of hard-coded PostgreSQL database password
- Rule ID: go_lang_hardcoded_pg_database_password
- Languages: go
- Source: hardcoded_pg_database_password.yml
Description
Your code contains a hard-coded password for connecting to a PostgreSQL database. Storing passwords directly in the code compromises security and makes your application vulnerable to unauthorized access.
Remediations
- Do not embed passwords directly in your database connection strings or code. This practice exposes your database to potential security breaches.
- Do use environment variables to store sensitive information such as database passwords. This method keeps credentials out of your codebase and makes them easier to manage securely.
- Do consider implementing a key-management system to securely handle passwords and other sensitive information. This approach provides enhanced security measures for managing and accessing credentials.
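As an added example, not part of this rule's documentation or of Bearer's own code, the flagged shape sits beside the remediation above: the literal connection URL is what the rule reports, while BuildPGURL assembles the URL from a lookup (os.LookupEnv at startup, a map in tests) so the password never appears in source, refuses to start when it is missing, and uses url.UserPassword so characters such as "@" in the password cannot break the URL. The PG* variable names are libpq's conventional ones; the host and database values are constructed.

```go
package main

import (
	"errors"
	"net"
	"net/url"
)

// Constructed example of what the rule flags: the password is a literal in
// source, so it ships with every copy of the repository.
const flaggedDSN = "postgres://app:s3cr3t@db.internal:5432/app?sslmode=require"

// HasEmbeddedPassword reports whether a connection URL carries a password in
// its userinfo, the shape the rule looks for in string literals.
func HasEmbeddedPassword(dsn string) bool {
	u, err := url.Parse(dsn)
	if err != nil || u.User == nil {
		return false
	}
	_, set := u.User.Password()
	return set
}

// BuildPGURL assembles the URL from a lookup function (os.LookupEnv in
// production, a map in tests) so no credential appears in source. A missing
// password is an error: never fall back to a built-in default.
func BuildPGURL(lookup func(string) (string, bool)) (string, error) {
	get := func(key, def string) string {
		if v, ok := lookup(key); ok && v != "" {
			return v
		}
		return def
	}
	pass, ok := lookup("PGPASSWORD")
	if !ok || pass == "" {
		return "", errors.New("PGPASSWORD is not set")
	}
	u := url.URL{
		Scheme:   "postgres",
		User:     url.UserPassword(get("PGUSER", "app"), pass), // escapes '@', ':', '/'
		Host:     net.JoinHostPort(get("PGHOST", "localhost"), get("PGPORT", "5432")),
		Path:     "/" + get("PGDATABASE", "app"),
		RawQuery: "sslmode=" + get("PGSSLMODE", "require"),
	}
	return u.String(), nil // hand this to sql.Open or pgx.Connect; never log it
}
```

The returned URL still contains the password at runtime, which is expected; the rule is about literals in source, which is what HasEmbeddedPassword detects on flaggedDSN.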
References
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --skip-rule=go_lang_hardcoded_pg_database_password
To run only this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --only-rule=go_lang_hardcoded_pg_database_password