Error
A database connection string contains credentials.
Why this matters
Connection strings expose both the server location and the credentials to reach it. Anyone who gets the string can connect directly, read or destroy data, and often reach more than just the target database. If the string ends up in logs or version history, the exposure spreads further.
Detected patterns
klaudiush flags these URI schemes when they include a username and password:
- MongoDB: mongodb://user:pass@host/db
- MongoDB+SRV: mongodb+srv://user:pass@host/db
- PostgreSQL: postgres://user:pass@host/db
- MySQL: mysql://user:pass@host/db
- Redis: redis://user:pass@host/db
How to fix
Read the full connection string from an environment variable:

```go
connStr := os.Getenv("DATABASE_URL")
```

Or build it from separate variables:

```go
host := os.Getenv("DB_HOST")
user := os.Getenv("DB_USER")
pass := os.Getenv("DB_PASSWORD")
connStr := fmt.Sprintf("postgres://%s:%s@%s/mydb", user, pass, host)
```

Use IAM-based authentication where your provider supports it (AWS RDS, GCP Cloud SQL, Azure AD).
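As an added example (not klaudiush's own code), the Go helper below ties the detected patterns above to the logging concern in "Why this matters": it checks whether a string loaded from DATABASE_URL embeds a password for one of the listed schemes, and produces a redacted form that is safe to write to logs or error output. The scheme list, function names and sample connection strings are assumptions made for this example.

```go
package main
import (
	"fmt"
	"net/url"
	"os"
)
// Schemes this page lists as flagged when they carry user:pass (assumed list).
var credentialSchemes = map[string]bool{
	"mongodb": true, "mongodb+srv": true, "postgres": true, "mysql": true, "redis": true,
}

// HasEmbeddedCredentials reports whether s is a connection string for one of
// the listed schemes whose userinfo part carries a password.
func HasEmbeddedCredentials(s string) (bool, error) {
	u, err := url.Parse(s)
	if err != nil {
		return false, err
	}
	if !credentialSchemes[u.Scheme] {
		return false, nil
	}
	_, hasPassword := u.User.Password() // Password() is nil-safe on *url.Userinfo
	return hasPassword, nil
}

// Redact returns s with any password replaced so the value can appear in logs.
// Unparseable input is replaced wholesale: a malformed string may still hold the secret.
func Redact(s string) string {
	u, err := url.Parse(s)
	if err != nil {
		return "[unparseable connection string redacted]"
	}
	if _, ok := u.User.Password(); !ok {
		return s // no userinfo, or a username without a password: nothing to hide
	}
	u.User = url.UserPassword(u.User.Username(), "REDACTED")
	return u.String()
}

func main() {
	// Read the string from the environment as the fix above recommends; the
	// fallback is a constructed sample so the program also runs offline.
	connStr := os.Getenv("DATABASE_URL")
	if connStr == "" {
		connStr = "postgres://app:s3cret@db.internal:5432/orders?sslmode=require"
	}
	flagged, err := HasEmbeddedCredentials(connStr)
	fmt.Printf("embedded credentials: %v (err=%v)\n", flagged, err)
	fmt.Println("safe to log:", Redact(connStr)) // the password itself is never printed
}
```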
Configuration
Allow example connection strings:

```toml
[validators.secrets]
allow_list = [
    "mongodb://localhost.*",
    "postgres://.*@localhost.*",
    "mysql://root:root@localhost.*",
]
```
Best practices
Use connection pooling (PgBouncer, ProxySQL), rotate database credentials on a schedule, prefer read-only credentials when writes aren't needed, and enable TLS on every connection.
Hook output
When this error is triggered, klaudiush writes JSON to stdout:
permissionDecisionReason (shown to Claude):
[SEC005] Potential secrets detected: database connection string with credentials found. Use environment variables for database connection strings.
systemMessage (shown to user): Formatted error with fix hint and reference URL.
additionalContext (behavioral guidance):
Automated klaudiush validation check. Fix the reported errors and retry the same command.