Source Code Database Credentials

Detects database connection credentials embedded in source code across Java (JDBC), PHP, Perl, Ruby, and Python. Matches database driver connect() calls containing credentials inline. Mirrors Snaffler rules KeepJavaDbConnStrings, KeepPhpDbConnStrings, KeepPerlDbConnStrings, KeepRubyDbConnStrings, KeepPyDbConnStrings.

Type

regex

Engine

boost_regex

Confidence

medium

Confidence justification

Medium confidence: database connect-string patterns are specific but bare connect calls without evidence of inline credentials generate false positives in config scaffolding and unit test mocks. Tiered gating with evidence requirements at 75/85 significantly improves precision.

Jurisdictions

global

Regulations

Criminal Code Act 1995 (Cth)

Frameworks

CIS Controls, ISO 27001, NIST CSF, PCI-DSS

Data categories

credentials, security

Scope

specific

Platform compatibility

Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Compatible

Pattern

\.getConnection\("jdbc:[A-Za-z0-9:+.\-]{2,30}

Corroborative evidence keywords

password, passwd, pwd, user, host, dbname, database

Proximity: 300 characters

Should match

• Connection conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/mydb", "admin", "Secr3t!"); — Java JDBC MySQL connection string with inline credentials
• conn = DriverManager.getConnection("jdbc:postgresql://db.corp.com/prod?user=svc&password=Hunter2") — Java JDBC PostgreSQL URL with embedded user and password
• ds.getConnection("jdbc:sqlserver://sqlhost:1433;databaseName=HR;user=sa;password=P@ssw0rd") — Java JDBC SQL Server with inline credentials
• mysql_connect("db.example.com", "root", $password) — PHP mysql_connect with password variable
• pg_connect("host=dbhost user=admin dbname=prod", $password) — PHP pg_connect with password variable argument
• my $dbh = DBI->connect('dbi:mysql:mydb', 'user', 'P@ss123'); — Perl DBI connect with inline password
• db = DBI.connect('dbi:Pg:dbname=prod', 'svcuser', 'TopSecr3t') — Ruby DBI connect with inline password
• conn = mysql.connector.connect(host='db.corp.com', user='app', password='Passw0rd!') — Python mysql.connector with inline credentials
• conn = psycopg2.connect(host='pghost', dbname='app', user='dba', password='dbSecret') — Python psycopg2 connect with inline password

Should not match

• Connection conn = DriverManager.getConnection(config.getDatabaseUrl(), config.getUser(), config.getPassword()); — JDBC call using config object variables only, no inline jdbc URL literal
• mysql_connect() — Parameterless PHP connect call with no credential arguments
• # see the config module for database credentials and connection settings — Prose comment referencing database credentials without any connect() call

Known false positives

• Unit tests and configuration scaffolding that call connect() with placeholder values (localhost, testdb, example.com). Mitigation: Check for placeholder hostnames and example passwords; require evidence at 75+ tier.
• ORM configuration files that reference connect() method names in comments or docstrings. Mitigation: Require proximity to actual credential terms (password, pwd) rather than firing on connect call alone.

Collections

• Snaffler Parity — Credential & Secret Files