The Database Security Scanner is a specialized tool for auditing the security posture of relational databases. It supports PostgreSQL and MySQL, performing both configuration analysis and password strength testing.
- Configuration Scanning: Checks database settings against security best practices (e.g., logging, connection limits, encryption).
- Password Auditing: Identifies weak or default credentials and checks for insecure password hashing algorithms.
- Compliance Reports: Generates detailed compliance reports.
- WebSocket Streaming: Streams real-time scan progress and results to the client.
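The two audit functions listed above (configuration scanning and password auditing), as an added example that is not the project's own code. The best-practice rules, the sample pg_settings dump, the wordlist and the three accounts are constructed for illustration; the verifier formats (md5 and SCRAM-SHA-256 for PostgreSQL, mysql_native_password and caching_sha2_password for MySQL) are the real on-disk layouts, so the same logic would work on rows read from pg_authid or mysql.user.

```python
# Added example, not the project's own code: rule-based configuration checks and
# password-hash auditing for PostgreSQL and MySQL. Rules, sample settings and
# sample accounts are constructed for illustration.
import base64
import hashlib
import hmac
import re

# Hypothetical best-practice rules: (setting, predicate, finding text).
RULES = {
    "postgresql": [
        ("ssl", lambda v: v == "on", "TLS disabled; set ssl = on"),
        ("password_encryption", lambda v: v == "scram-sha-256", "new passwords stored as md5"),
        ("log_connections", lambda v: v == "on", "connection logging is off"),
        ("max_connections", lambda v: int(v) <= 500, "connection limit is very high"),
    ],
    "mysql": [
        ("require_secure_transport", lambda v: v == "ON", "plaintext connections allowed"),
        ("default_authentication_plugin", lambda v: v == "caching_sha2_password", "weak default auth plugin"),
    ],
}

def scan_config(engine, settings):
    """Return one finding per rule the settings violate or leave unset."""
    findings = []
    for name, ok, msg in RULES[engine]:
        value = settings.get(name)
        if value is None:
            findings.append(f"{name}: not set ({msg})")
        elif not ok(value):
            findings.append(f"{name}={value}: {msg}")
    return findings

def hash_algorithm(engine, stored):
    """Classify a stored verifier (pg_authid.rolpassword / mysql.user) by its format."""
    if engine == "postgresql":
        if stored.startswith("SCRAM-SHA-256$"):
            return "scram-sha-256"
        if re.fullmatch(r"md5[0-9a-f]{32}", stored):
            return "md5"
    elif engine == "mysql":
        if stored.startswith("$A$"):
            return "caching_sha2_password"
        if re.fullmatch(r"\*[0-9A-F]{40}", stored):
            return "mysql_native_password"
    return "unknown"

WEAK_ALGORITHMS = {"md5", "mysql_native_password", "unknown"}

def pg_md5(username, password):
    """PostgreSQL legacy verifier: 'md5' + md5(password || username)."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()

def pg_scram(password, salt, iterations=4096):
    """Build a SCRAM-SHA-256 verifier in pg_authid's text layout (SASLprep omitted)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", "sha256").digest()
    server_key = hmac.new(salted, b"Server Key", "sha256").digest()
    b64 = lambda b: base64.b64encode(b).decode()
    return (f"SCRAM-SHA-256${iterations}:{b64(salt)}"
            f"${b64(hashlib.sha256(client_key).digest())}:{b64(server_key)}")

def pg_scram_matches(stored, password):
    """Recompute StoredKey from the salt and iteration count embedded in the verifier."""
    params, keys = stored.split("$")[1:]
    iterations, salt = params.split(":")
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(salt), int(iterations))
    client_key = hmac.new(salted, b"Client Key", "sha256").digest()
    return hmac.compare_digest(hashlib.sha256(client_key).digest(),
                               base64.b64decode(keys.split(":")[0]))

def mysql_native(password):
    """mysql_native_password verifier: '*' + SHA1(SHA1(password)) in upper hex."""
    return "*" + hashlib.sha1(hashlib.sha1(password.encode()).digest()).hexdigest().upper()

def audit_password(engine, username, stored, wordlist):
    """Flag weak verifier formats and try every dictionary word against the verifier."""
    alg = hash_algorithm(engine, stored)
    result = {"user": username, "algorithm": alg,
              "weak_algorithm": alg in WEAK_ALGORITHMS, "cracked": None}
    for word in wordlist:
        if ((alg == "md5" and pg_md5(username, word) == stored)
                or (alg == "scram-sha-256" and pg_scram_matches(stored, word))
                or (alg == "mysql_native_password" and mysql_native(word) == stored)):
            result["cracked"] = word
            break
    return result

# Constructed sample input: a pg_settings dump, a small dictionary, three accounts.
SAMPLE_PG_SETTINGS = {"ssl": "off", "password_encryption": "md5",
                      "log_connections": "on", "max_connections": "100"}
WORDLIST = ["admin", "postgres", "password", "s3cret"]

def demo():
    findings = scan_config("postgresql", SAMPLE_PG_SETTINGS)
    audits = [
        audit_password("postgresql", "postgres", pg_md5("postgres", "postgres"), WORDLIST),
        audit_password("postgresql", "app", pg_scram("s3cret", b"saltsalt"), WORDLIST),
        audit_password("mysql", "root", mysql_native("Tr0ub4dor&3"), WORDLIST),
    ]
    return findings, audits

if __name__ == "__main__":
    for item in demo()[0] + demo()[1]:
        print(item)
```

Two points the code makes that the feature list does not: a SCRAM-SHA-256 verifier is not "safe" from a dictionary check, because the salt and iteration count it needs are stored in the verifier itself, it is merely slower to test; and the md5 scheme is flagged weak regardless of the password, since the unsalted md5(password || username) construction is trivially cracked offline. caching_sha2_password verifiers are classified but not tested here.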
- Core: Python (FastAPI)
- Server: Uvicorn
- Protocols: REST API & WebSockets
The service is configured via environment variables (see .env):
- PORT: The port the service listens on (default: 8002).
- CREDENTIALS_JSON_PATH: Path to the password dictionary used for password auditing.
- ENGINES_JSON_PATH: Configuration for the supported database engines.
Using Docker (Recommended):

```shell
docker build -t registry/database-security-scanner .
docker run -p 8002:8002 --env-file .env registry/database-security-scanner
```

This starts the API and WebSocket server on port 8002.
This service exposes a native, lightweight /metrics endpoint returning Prometheus-formatted telemetry (such as uptime, memory, and CPU usage).
- Metrics Endpoint: /metrics
- Scraping Config: Configured with the annotation prometheus.io/scrape: "true" in the deployment manifest.
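What a "native, lightweight" /metrics endpoint amounts to in practice, as an added example that is not the project's own code: the Prometheus text exposition format is simple enough to emit from the standard library without prometheus_client. The metric names, the help strings and the service label are assumptions; the FastAPI route wiring matches the stack listed above but is optional, so the module also runs where FastAPI is not installed.

```python
# Added example, not the project's own code: a stdlib-only renderer for the
# Prometheus text exposition format covering the telemetry the endpoint reports.
# The metric names and the "service" label are assumptions; the FastAPI wiring
# at the bottom is optional so the module also runs where FastAPI is absent.
import resource
import sys
import time

CONTENT_TYPE = "text/plain; version=0.0.4; charset=utf-8"
SERVICE = "database-security-scanner"
START = time.monotonic()

def collect_samples():
    """Process telemetry as name -> (type, help text, value)."""
    ru = resource.getrusage(resource.RUSAGE_SELF)
    # ru_maxrss is reported in KiB on Linux but in bytes on macOS.
    rss = ru.ru_maxrss if sys.platform == "darwin" else ru.ru_maxrss * 1024
    return {
        "process_uptime_seconds": ("gauge", "Seconds since the service started.",
                                   time.monotonic() - START),
        "process_cpu_seconds_total": ("counter", "User plus system CPU time consumed.",
                                      ru.ru_utime + ru.ru_stime),
        "process_resident_memory_bytes": ("gauge", "Peak resident set size.", rss),
    }

def escape_label(value):
    """Escape backslash, double quote and newline as the exposition format requires."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")

def render_metrics(samples=None, labels=None):
    """Serialise samples into '# HELP', '# TYPE' and sample lines."""
    samples = collect_samples() if samples is None else samples
    labels = {"service": SERVICE} if labels is None else labels
    label_set = ",".join(f'{k}="{escape_label(v)}"' for k, v in labels.items())
    suffix = f"{{{label_set}}}" if label_set else ""
    lines = []
    for name, (mtype, help_text, value) in samples.items():
        lines.append(f"# HELP {name} {help_text}")
        lines.append(f"# TYPE {name} {mtype}")
        lines.append(f"{name}{suffix} {float(value)}")
    return "\n".join(lines) + "\n"

try:
    from fastapi import FastAPI
    from fastapi.responses import PlainTextResponse

    app = FastAPI()

    @app.get("/metrics")
    def metrics():
        return PlainTextResponse(render_metrics(), media_type=CONTENT_TYPE)
except ImportError:  # rendering still works without the web framework
    app = None

if __name__ == "__main__":
    print(render_metrics(), end="")
```

Two practitioner caveats: keep scan targets, usernames and anything from the credentials dictionary out of label values, since a metrics endpoint is normally unauthenticated and scraped by infrastructure that is not part of the scanner's trust boundary; and restrict who can reach /metrics (network policy or the scraper's source address) rather than relying on the endpoint exposing "only" uptime, memory and CPU figures.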
The GitHub Actions workflow lives at .github/workflows/deploy.yml and triggers on push to the main branch:
- Build Optimization: Uses docker/setup-buildx-action@v3 with layer caching enabled (cache-from: type=gha, cache-to: type=gha,mode=max).
- Target Registry: csecyber/database-security-scanner
- Tags Generated: Dual tags for :latest and the unique commit hash :${{ github.sha }}.