
codemod/secure-mysql-connection-credentials

Updates MySQL connection configurations to use environment variables instead of hardcoded passwords

Tags: security, mysql, credentials, environment-variables, hardcoded-passwords
Public
0 downloads
0 stars
How to Use
Run this codemod on your codebase using one of the following commands:

The easiest way to run this codemod without installing anything globally:

Documentation

@codemod/secure-mysql-connection-credentials

A security-focused codemod that automatically replaces hardcoded database credentials in MySQL connection configurations with environment variables, helping prevent credential exposure in source code.

Security Issue

CWE-798: Use of Hard-coded Credentials

Hardcoded database passwords in source code create significant security vulnerabilities:

  • Credentials are exposed in version control
  • Difficult to rotate passwords across environments
  • Risk of credential leakage in logs and error messages
  • Violates principle of least privilege and separation of concerns

This codemod addresses OWASP Top 10 2021 - A07: Identification and Authentication Failures.

Installation

bash

What This Codemod Does

This codemod automatically transforms hardcoded MySQL credentials to use environment variables:

1. Object Configuration Properties

Before:

javascript

After:

javascript

2. Sequelize Constructor Arguments

Before:

javascript

After:

javascript

3. MySQL Connection Strings

Before:

javascript

After:

javascript

4. MySQL createConnection Calls

Before:

javascript

After:

javascript

Environment Variables Required

After running this codemod, you'll need to set these environment variables:

bash

Example .env file:

bash

What This Codemod Won't Transform

  • Files already using process.env for database credentials
  • Test files (.test.js, .spec.js, __tests__/, etc.)
  • Example/documentation files
  • Password fields that use function calls or variables
  • Empty password strings
  • Connection configurations using external config libraries
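As an added illustration that is not the package's own implementation (the real codemod works on the syntax tree; this is a deliberately simple, line-based version of the same decision rule), the following shows how the object-property form is rewritten and why each of the cases listed above is left untouched: test files are skipped by path, empty password strings stay, and function calls, variables and existing `process.env` references never match because only quoted literals are replaced. The variable name `DB_PASSWORD` and the sample source are assumptions.

```javascript
// Added example, not the codemod's code: a simplified, regex-based version of the
// object-property rewrite. The target variable name DB_PASSWORD is an assumption.

// Paths the codemod leaves alone: *.test.*, *.spec.*, and __tests__ directories.
const TEST_FILE = /(\.test\.[jt]sx?$|\.spec\.[jt]sx?$|(^|\/)__tests__\/)/;

// Matches `password: 'literal'` (single, double or backtick quotes). Function
// calls, identifiers and process.env.X are not quoted, so they never match.
const PASSWORD_PROP = /(\bpassword\s*:\s*)(['"`])([^'"`]*)\2/g;

// Rewrite hard-coded password literals in one file's source text.
// Returns the new source and how many properties were changed.
function rewriteHardcodedPasswords(filePath, source, envVar = 'DB_PASSWORD') {
  if (TEST_FILE.test(filePath)) {
    return { source, changed: 0 }; // test/spec files are skipped entirely
  }
  let changed = 0;
  const out = source.replace(PASSWORD_PROP, (match, prefix, _quote, value) => {
    if (value === '') {
      return match; // empty password string: left as-is
    }
    changed += 1;
    return `${prefix}process.env.${envVar}`;
  });
  return { source: out, changed };
}

// Constructed sample input covering the transformed and the skipped cases.
const sampleSource = [
  "const pool = mysql.createPool({",
  "  host: 'localhost',",
  "  user: 'app',",
  "  password: 'hunter2',",
  "  database: 'orders',",
  "});",
  "const other = { password: '', user: 'ro' };",
  "const fromVault = { password: getSecret('db') };",
  "const done = { password: process.env.DB_PASSWORD };",
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  const result = rewriteHardcodedPasswords('src/db.js', sampleSource);
  console.log(`${result.changed} property rewritten\n${result.source}`);
}
```

Running the block prints the sample with only the `hunter2` literal replaced; the empty string, the `getSecret('db')` call and the existing `process.env` reference are unchanged, and passing a path such as `src/db.test.js` returns the source untouched.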

Supported File Types

  • .js - JavaScript files
  • .ts - TypeScript files
  • .jsx - JavaScript with JSX
  • .tsx - TypeScript with JSX

Best Practices After Running

  1. Add validation for required environment variables:
javascript
  2. Use a .env file for development:
javascript
  3. Never commit your .env file:
gitignore
  4. Create a .env.example file:
bash
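An added example, not code from the codemod package, showing what a transformed code base should do at startup for the "Environment Variables Required" section and best practice 1 above: check every required variable before connecting, report only the names of missing ones (never values), build the connection settings and the equivalent `mysql://` URL with the password percent-encoded, and redact the password for logs. The variable names `DB_HOST`, `DB_PORT`, `DB_USER`, `DB_PASSWORD` and `DB_NAME` are assumptions; substitute whatever names the codemod inserted into your code.

```javascript
// Added example, not the codemod's code. Variable names are assumptions.
const REQUIRED_VARS = ['DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'];

// Names of required variables that are unset or blank.
function missingEnvVars(env = process.env) {
  return REQUIRED_VARS.filter((name) => !env[name] || env[name].trim() === '');
}

// Build the connection settings object; fail fast if anything is missing.
// The error lists variable names only, so it is safe to surface in logs.
function mysqlConfigFromEnv(env = process.env) {
  const missing = missingEnvVars(env);
  if (missing.length > 0) {
    throw new Error(`Missing required environment variables: ${missing.join(', ')}`);
  }
  const port = Number.parseInt(env.DB_PORT ?? '3306', 10);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error('DB_PORT must be an integer between 1 and 65535');
  }
  return {
    host: env.DB_HOST,
    port,
    user: env.DB_USER,
    password: env.DB_PASSWORD,
    database: env.DB_NAME,
  };
}

// Equivalent connection string for drivers that take a URL. The password is
// percent-encoded so characters such as '@', '/' or '#' cannot break the URL,
// a common breakage when a literal is replaced by a value read from the
// environment.
function mysqlUrlFromEnv(env = process.env) {
  const c = mysqlConfigFromEnv(env);
  return `mysql://${encodeURIComponent(c.user)}:${encodeURIComponent(c.password)}` +
    `@${c.host}:${c.port}/${encodeURIComponent(c.database)}`;
}

// Copy of the settings with the password replaced, for logs and error output.
function redactConfig(config) {
  return { ...config, password: config.password ? '[REDACTED]' : '' };
}

// Constructed sample environment (no real credentials).
const sampleEnv = {
  DB_HOST: 'db.internal',
  DB_PORT: '3307',
  DB_USER: 'app',
  DB_PASSWORD: 'p@ss/w#rd',
  DB_NAME: 'orders',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(redactConfig(mysqlConfigFromEnv(sampleEnv)));
  console.log('Missing with empty env:', missingEnvVars({}));
}
```

Call `mysqlConfigFromEnv()` once at process start so a missing or malformed variable stops the service before it accepts traffic, and pass only `redactConfig(...)` output to loggers.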

Security References

Development

bash

License

MIT
