
checker: go_mysql_config_raw_passwd#88

Closed
Thiru-moorthi wants to merge 2 commits into DeepSourceCorp:master from Thiru-moorthi:go_mysql_config_raw_passwd

Conversation

Thiru-moorthi (Contributor) commented Feb 24, 2025

Description

This PR adds a Go checker to detect hardcoded MySQL passwords in mysql.Config structures. Hardcoding sensitive credentials increases the risk of unauthorized access if the source code is leaked or shared.

Detection Logic

The checker identifies:

  • mysql.Config composite literals with the Passwd field directly assigned a string literal.

Why is this a problem?

  • Credential Leakage: Hardcoded passwords in code repositories can be scanned and exploited by attackers.
  • Compliance Violations: Storing plaintext credentials can violate security policies and standards.
  • Increased Attack Surface: If exposed, attackers can gain full access to the database.

Insecure Example

package main

import "github.com/go-sql-driver/mysql"

func main() {
	config := mysql.Config{
		User:   "user",
		Passwd: "hardcoded_password", // Hardcoded credential: the string literal the checker flags
		Net:    "tcp",
		Addr:   "localhost:3306",
		DBName: "exampledb",
	}
	_ = config // the literal alone is enough to trigger the finding
}

Exclusions

test/**,*_test.rb,tests/**,__tests__/**

References

OWASP Secrets Management Cheat Sheet
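As an added illustration (not code from this PR or from the Globstar project), the detection rule described above expressed as a go/ast walk: it reports a finding only when a mysql.Config composite literal assigns a string literal directly to Passwd, so a value read from os.Getenv, a variable or a call is not flagged. The function name and the choice to return line numbers are assumptions of this example.

```go
package main

import (
	"go/ast"
	"go/parser"
	"go/token"
)

// FindHardcodedMySQLPasswd parses Go source and returns the line number of every
// mysql.Config composite literal whose Passwd field is assigned a string literal.
// Values taken from variables, os.Getenv or function calls are not reported, which
// mirrors the rule in the PR description (the real checker is a separate project).
func FindHardcodedMySQLPasswd(src string) ([]int, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	var lines []int
	ast.Inspect(f, func(n ast.Node) bool {
		cl, ok := n.(*ast.CompositeLit)
		if !ok {
			return true
		}
		// Match the type expression mysql.Config (package identifier + selector).
		sel, ok := cl.Type.(*ast.SelectorExpr)
		if !ok || sel.Sel.Name != "Config" {
			return true
		}
		if pkg, ok := sel.X.(*ast.Ident); !ok || pkg.Name != "mysql" {
			return true
		}
		for _, elt := range cl.Elts {
			kv, ok := elt.(*ast.KeyValueExpr)
			if !ok {
				continue
			}
			key, isIdent := kv.Key.(*ast.Ident)
			lit, isLit := kv.Value.(*ast.BasicLit)
			// Only a string literal placed directly in the Passwd field counts as hardcoded.
			if isIdent && key.Name == "Passwd" && isLit && lit.Kind == token.STRING {
				lines = append(lines, fset.Position(lit.Pos()).Line)
			}
		}
		return true
	})
	return lines, nil
}
```

Running it over a file that builds one config from a literal and one from os.Getenv reports only the literal's line, which is the false-positive boundary the exclusions and detection logic above describe.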

vercel bot commented Feb 24, 2025

The latest updates on your projects.

1 Skipped Deployment: globstar, status Ignored, updated Feb 25, 2025 1:22pm (UTC)

Thiru-moorthi force-pushed the go_mysql_config_raw_passwd branch from e1ce38e to 92dfd08 on February 25, 2025 13:22
sourya-deepsource (Contributor) commented Mar 7, 2025

@Thiru-moorthi Merging is blocked because commits must have verified signatures. Can you please take care of this?

(Closed the PR by mistake)
