Second Brain

❯

❯

cleanup 2026 04 17 conversation flush bulk

❯

❯

❯

alembic ini db url secret scanner catches plaintext

alembic-ini-db-url-secret-scanner-catches-plaintext

Apr 17, 20261 min read

ops/security
ops/deploy
infra/database

alembic-ini-db-url-secret-scanner-catches-plaintext

Secret scanner (gitleaks/trufflehog) flags any dev DB URL in alembic.ini, even in plaintext sqlalchemy.url = lines with non-production credentials. Correct pattern: leave sqlalchemy.url blank in alembic.ini and read from RSAME_DATABASE_URL env var inside alembic env.py. The env.py already handles this — the ini field just must not contain the URL.

Related

alembic-ini-dev-db-url-triggers-secret-scanner
alembic-ini-db-url-blocks-commit-use-env-var
alembic-ini-hardcoded-db-url-triggers-secret-scanner
2026-04-04-oracle-001-self-architecture-analysis
jwt-refresh-token-rotation-must-be-atomic
git-secret-scanner-blocks-alembic-ini-db-url
alembic-ini-database-url-triggers-secret-scanner
alembic-ini-must-have-empty-db-url-use-env-var
alembic-ini-db-url-triggers-secret-scanner

Graph View

alembic-ini-db-url-secret-scanner-catches-plaintext
Related

Backlinks

alembic-ini-db-url-blocks-commit-use-env-var
alembic-ini-dev-db-url-triggers-secret-scanner
jwt-refresh-token-rotation-must-be-atomic
alembic-ini-database-url-triggers-secret-scanner
alembic-ini-db-url-triggers-secret-scanner
alembic-ini-hardcoded-db-url-triggers-secret-scanner
alembic-ini-must-have-empty-db-url-use-env-var
git-secret-scanner-blocks-alembic-ini-db-url

Created with Quartz v4.5.2 © 2026

CIOS
Mission Control