Installation

Open Claude Code and run this command:

/plugin install database-security-scanner@claude-code-plugins-plus

Use --global to install for all projects, or --project for current project only.

What It Does

Database plugin for database-security-scanner

Features

Database best practices
Multi-database support
Production-ready implementations
Comprehensive documentation

Skills (1)

scanning-database-security SKILL.md View full skill →

Process use when you need to work with security and compliance.

ReadWriteEditGrepGlobBash(psql:*)Bash(mysql:*)Bash(mongosh:*)

Database Security Scanner

Overview

Audit database security configurations, user privileges, network exposure, and data protection controls for PostgreSQL, MySQL, and MongoDB. This skill scans for common vulnerabilities including excessive privileges, missing encryption, default passwords, exposed network ports, unpatched versions, and SQL injection vectors in application code.

Prerequisites

Database admin credentials for querying system catalogs and security settings
psql, mysql, or mongosh CLI tools installed
Access to database configuration files (postgresql.conf, pg_hba.conf, my.cnf, mongod.conf)
Application source code access for SQL injection scanning (using Grep/Glob tools)
Knowledge of applicable compliance frameworks (SOC 2, HIPAA, PCI-DSS, GDPR)

Instructions

Check authentication configuration by reviewing pghba.conf (PostgreSQL) or mysql.user table. Flag any entries using trust authentication, allowing connections without passwords. Verify passwordencryption = scram-sha-256 (not md5) in PostgreSQL.

Audit user privileges by querying role memberships and grants:

PostgreSQL: SELECT r.rolname, r.rolsuper, r.rolinherit, r.rolcreaterole, r.rolcreatedb FROM pg_roles r WHERE r.rolcanlogin = true
MySQL: SELECT user, host, Superpriv, Grantpriv, File_priv FROM mysql.user
Flag users with superuser/SUPER privilege, excessive grants, or GRANT OPTION

Scan for default or weak credentials. Check for accounts with no password: PostgreSQL SELECT rolname FROM pg_roles WHERE rolpassword IS NULL AND rolcanlogin = true. Check for well-known default accounts (postgres with default password, root without password, admin/admin).

Verify network security:

Check listen_addresses in postgresql.conf (should not be * in production without firewall)
Verify SSL/TLS is enforced: SHOW ssl should return on; pg_hba.conf should use hostssl instead of host
Confirm database port is not exposed to the public internet

Check encryption at rest:

Verify tablespace encryption or volume-level encryption is enabled
Scan for sensitive data stored in plaintext: SELECT columnname, datatype FROM informationschema.columns WHERE columnname ILIKE '%password%' OR columnname ILIKE '%ssn%' OR columnname ILIKE '%credit_card%'
Flag columns storing PII without encryption or hashing

Scan application source code for SQL injection vuln

How It Works


/security-scanner

database-security-scanner

Installation

What It Does

Features

Skills (1)

Database Security Scanner

Overview

Prerequisites

Instructions

How It Works

Ready to use database-security-scanner?

Related Plugins

database-security-scanner

Installation

What It Does

Features

Skills (1)

Database Security Scanner

Overview

Prerequisites

Instructions

How It Works

Ready to use database-security-scanner?

Related Plugins

data-seeder-generator

data-validation-engine

database-archival-system

database-audit-logger

database-backup-automator

database-cache-layer