
codemod/secure-mysql-connection-credentials

Updates MySQL connection configurations to use environment variables instead of hardcoded passwords

Tags: security, mysql, credentials, environment-variables, hardcoded-passwords
Run locally
npx codemod @codemod/secure-mysql-connection-credentials

@codemod/secure-mysql-connection-credentials

A security-focused codemod that automatically replaces hardcoded database credentials in MySQL connection configurations with environment variables, helping prevent credential exposure in source code.

Security Issue

CWE-798: Use of Hard-coded Credentials

Hardcoded database passwords in source code create significant security vulnerabilities:

  • Credentials are exposed in version control
  • Difficult to rotate passwords across environments
  • Risk of credential leakage in logs and error messages
  • Violates principle of least privilege and separation of concerns

This codemod addresses OWASP Top 10 2021 - A07: Identification and Authentication Failures.

Installation

bash

What This Codemod Does

This codemod automatically transforms hardcoded MySQL credentials to use environment variables:

1. Object Configuration Properties

Before:

javascript

After:

javascript

2. Sequelize Constructor Arguments

Before:

javascript

After:

javascript

3. MySQL Connection Strings

Before:

javascript

After:

javascript

4. MySQL createConnection Calls

Before:

javascript

After:

javascript

Environment Variables Required

After running this codemod, you'll need to set these environment variables:

bash

Example .env file:

bash

What This Codemod Won't Transform

  • Files already using process.env for database credentials
  • Test files (.test.js, .spec.js, __tests__/, etc.)
  • Example/documentation files
  • Password fields that use function calls or variables
  • Empty password strings
  • Connection configurations using external config libraries
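The rewrite described under "What This Codemod Does" together with the skip rules just listed, as an added example; this is not the codemod's own implementation, which is not reproduced on this page. It is a deliberately simplified, regex-based transform that covers two of the four patterns (object `password:` properties and `mysql://` connection strings) and leaves test, example and documentation paths, non-literal values, `process.env` references and empty password strings untouched. The environment variable names `DB_USER` and `DB_PASSWORD`, the `SKIP_PATH` pattern and the sample source are assumptions constructed for the demonstration.

```javascript
// Added example, not the codemod's own source. Simplified regex rewrite of
// hardcoded MySQL credentials; the real codemod works on the syntax tree and
// covers more shapes (Sequelize arguments, createConnection arguments, ...).

// Paths the transform must not touch (pattern is an assumption derived from
// the README's list of excluded files).
const SKIP_PATH = /(\.test|\.spec)\.[jt]sx?$|(^|\/)(__tests__|examples?|docs?)\//;

// `password: 'literal'` -> `password: process.env.DB_PASSWORD`
// Only a quoted, non-empty string literal matches, so `password: process.env.X`,
// `password: pwd` and `password: getSecret()` are left as they are.
function rewritePasswordProperties(source) {
  return source.replace(
    /(\bpassword\s*:\s*)(['"])(.*?)\2/g,
    (whole, prefix, _quote, value) =>
      value.length === 0 ? whole : `${prefix}process.env.DB_PASSWORD`
  );
}

// 'mysql://user:pass@rest' -> `mysql://${process.env.DB_USER}:${process.env.DB_PASSWORD}@rest`
// Host, port and database are kept verbatim because they are not secrets;
// a URL with an empty password does not match and is left unchanged.
function rewriteConnectionStrings(source) {
  return source.replace(
    /(['"])mysql:\/\/([^:@'"\s]+):([^@'"\s]+)@([^'"\s]*)\1/g,
    (_whole, _quote, _user, _pass, rest) =>
      '`mysql://${process.env.DB_USER}:${process.env.DB_PASSWORD}@' + rest + '`'
  );
}

// Apply both rewrites to one file's source text; report whether anything changed.
function transformFile(filePath, source) {
  if (SKIP_PATH.test(filePath)) return { changed: false, source };
  const out = rewriteConnectionStrings(rewritePasswordProperties(source));
  return { changed: out !== source, source: out };
}

// Constructed sample input: one rewritten property, one rewritten URL, and one
// line for each skip rule (empty string, function call, existing process.env).
const SAMPLE_SOURCE = [
  "const db = mysql.createConnection({",
  "  host: 'localhost',",
  "  user: 'app',",
  "  password: 's3cret',",
  "  database: 'shop',",
  "});",
  "const readonly = { user: 'ro', password: '' };",
  "const fromVault = { password: getSecret('db') };",
  "const already = { password: process.env.DB_PASSWORD };",
  "const url = 'mysql://app:s3cret@db.internal:3306/shop';",
].join('\n');

const result = transformFile('src/db.js', SAMPLE_SOURCE);
console.log(result.changed ? result.source : 'nothing to change');
```

Running the block prints the sample with `password: process.env.DB_PASSWORD` and a template-literal connection string, while the empty, call-based and `process.env` password lines come back unchanged; the same source under a `__tests__/` path is returned as is.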

Supported File Types

  • .js - JavaScript files
  • .ts - TypeScript files
  • .jsx - JavaScript with JSX
  • .tsx - TypeScript with JSX

Best Practices After Running

  1. Add validation for required environment variables:
javascript
  2. Use a .env file for development:
javascript
  3. Never commit your .env file:
gitignore
  4. Create a .env.example file:
bash
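Steps 1 to 3 above combined into one added example; this is not the README's own code. It validates the required variables and fails fast naming only the variables that are missing (never their values), merges a development `.env` file underneath the real environment so that CI and production settings always win, and redacts the password before the configuration is logged, which addresses the log-leakage risk listed under "Security Issue". The variable names `DB_HOST`, `DB_USER`, `DB_PASSWORD`, `DB_NAME` and the optional `DB_PORT` are assumptions, the `.env` contents are constructed, and reading the file from disk is left to the caller (or to the dotenv package).

```javascript
// Added example, not code from this README. Environment variable names are
// assumptions; use whatever names the codemod inserted into your sources.

const REQUIRED = ['DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'];

// Minimal KEY=value parser for .env text (kept inline so the example runs
// offline; the dotenv package is the usual choice in a real project).
function parseDotEnv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted =
      (value.startsWith('"') && value.endsWith('"')) ||
      (value.startsWith("'") && value.endsWith("'"));
    if (quoted) value = value.slice(1, -1);
    vars[key] = value;
  }
  return vars;
}

// Build the connection config. Values already present in `env` (normally
// process.env) take precedence over the .env file, so a stray development
// file can never override production secrets.
function loadDbConfig(env, dotEnvText = '') {
  const fileVars = dotEnvText ? parseDotEnv(dotEnvText) : {};
  const merged = { ...fileVars, ...env };
  const missing = REQUIRED.filter((name) => !merged[name]);
  if (missing.length > 0) {
    // Report the variable names only; the error may end up in a log.
    throw new Error(`Missing required environment variables: ${missing.join(', ')}`);
  }
  return {
    host: merged.DB_HOST,
    port: Number(merged.DB_PORT || 3306),
    user: merged.DB_USER,
    password: merged.DB_PASSWORD,
    database: merged.DB_NAME,
  };
}

// Copy of the config that is safe to print in logs and error messages.
function redact(config) {
  return { ...config, password: config.password ? '[REDACTED]' : undefined };
}

// Constructed .env contents for the demonstration (development only; the
// real file belongs in .gitignore, with a .env.example listing the names).
const SAMPLE_DOTENV = [
  '# local development only',
  'DB_HOST=127.0.0.1',
  'DB_USER=dev',
  'DB_PASSWORD="dev-only-password"',
  'DB_NAME=shop',
].join('\n');

const demoConfig = loadDbConfig({}, SAMPLE_DOTENV);
console.log('connecting with', redact(demoConfig));
```

In an application you would call `loadDbConfig(process.env, devEnvText)` once at startup, pass the returned object to `mysql.createConnection` or the Sequelize constructor, and only ever log the `redact`ed copy.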

Security References

Development

bash

License

MIT
