
database_scan: Best Database Security CLI Tools for Devs in 2026


database_scan finds sensitive data in live databases and Redis by scanning schema names, field content, and row samples across multiple SQL protocols, then surfaces the evidence in terminal tables or Excel.

Pricing

Open-Source

Tech Stack

Go; native database drivers; MySQL/PostgreSQL protocol compatibility; Redis SCAN; Excel export

Target

security engineers, DBAs, and platform teams auditing live databases

Category

Database Security CLI Tools

What Is database_scan?

database_scan is a Go-based database security CLI built by RuoJi6 that inspects live databases for sensitive data such as phone numbers, ID cards, addresses, usernames, passwords, email addresses, bank cards, tokens, and secrets. It is aimed at security engineers, DBAs, and platform teams auditing live databases, ships native support for 9 database types plus protocol-compatible MySQL and PostgreSQL variants, and prints terminal tables by default for fast triage.

The tool is opinionated toward evidence collection, not just schema inspection. It can return connection details, table-grouped sensitive fields, hit counts, and representative row samples so you can prove exposure quickly without hand-writing ad hoc SQL.

Quick Overview

| Attribute      | Details |
|----------------|---------|
| Type           | Database Security CLI Tools |
| Best For       | Security engineers, DBAs, and platform teams auditing live databases |
| Language/Stack | Go; native database drivers; MySQL/PostgreSQL protocol compatibility; Redis SCAN; Excel export |
| License        | N/A |
| GitHub Stars   | N/A as of Feb 2026 |
| Pricing        | Open-Source |
| Last Release   | N/A |

The design goal is simple: connect, classify, sample, and export. That keeps the output useful for both an interactive terminal review and a ticket, incident report, or audit artifact.

Who Should Use database_scan?

  • Security engineers validating whether internal databases contain PII, credentials, or secrets before an audit or incident report.
  • DBAs and data platform teams managing mixed fleets that include MySQL, PostgreSQL, MSSQL, Oracle, Redis, and protocol-compatible vendors.
  • Incident responders checking a compromised database snapshot for exposed rows, leaked tokens, or sensitive columns with concrete sample values.
  • Indie hackers and small SaaS teams who need a fast database scan before shipping a release or sharing a staging clone with contractors.

Not ideal for:

  • Teams that want passive, always-on monitoring; database_scan is an on-demand scanner, not a background DLP system.
  • Environments that depend on unsupported engines such as DM, GBase 8s, or other databases that need specialized CGO/ODBC stacks.
  • Operators who cannot expose sample values in any form; database_scan can print real rows unless you add --mask.

Key Features of database_scan

  • Multi-engine protocol coverage: database_scan connects to MySQL, MariaDB, TiDB, MSSQL, PostgreSQL, Oracle, Redis, and several protocol-compatible vendors. That matters because the same audit workflow can cover common OSS stacks and commercial appliances without switching tools.
  • Four scan modes: field-content, field-name, content, and all let you choose between fast schema-based detection and deeper value inspection. field-content is the pragmatic default when you want name heuristics plus real payload evidence.
  • Severity filtering: high, medium, low, and all map the scan to a risk model that separates passwords, secrets, and bank cards from lower-sensitivity fields like names and addresses. This is useful when you want to shrink noise during a time-boxed incident review.
  • Proxy-aware connectivity: direct connections, SOCKS5, and HTTP CONNECT are supported, including authenticated proxies. That makes the tool usable from jump hosts, bastions, and segmented lab networks without rewriting the network path.
  • Redis-aware scanning: database_scan enumerates keys with SCAN and reads string, hash, list, set, and zset values for samples. It also emits a Redis-specific output structure with the columns Target, DB, Key, Type, TTL, Path/Field, Value, 命中类型 (hit type), 敏感级别 (sensitivity level), and 判断依据 (basis for the match).
  • Excel export with coloring: the --output flag writes results into .xlsx files, with one sheet per hit table and color markers for sensitive fields and values. That is better than copying a terminal buffer into a ticket when you need a reviewable artifact.
  • fscan result ingestion: --fscan parses fscan v2.1.2 and 1.8.4 database credentials and then connects to every hit automatically. This is the closest thing to a batch mode for recon-to-audit workflows.

If your workflow already uses djevops for deployment hygiene or DataHaven for data governance, database_scan fits as the discovery layer that produces the evidence those systems can track.

database_scan vs Alternatives

| Tool          | Best For | Key Differentiator | Pricing |
|---------------|----------|--------------------|---------|
| database_scan | Auditing live databases for PII, secrets, and risky sample values | Scans schema and content across SQL engines plus Redis, then exports evidence | Open-Source |
| sqlmap        | Web app SQL injection testing | Exploit-oriented rather than data-audit-oriented | Open-Source |
| DBeaver       | Manual database browsing and ad hoc querying | GUI-first workflow with broad database support | Freemium |
| Gitleaks      | Secrets detection in code and CI pipelines | Finds secrets before they ever reach a database | Open-Source |

Pick sqlmap when the question is whether a web endpoint is injectable, not whether an already-available database contains sensitive rows. Pick DBeaver when you want a GUI for manual investigation and ad hoc SQL, and pick Gitleaks when the problem is secrets in source control or build artifacts instead of stored data.

For teams that want surrounding automation, djevops is a better companion for deployment checks, while DataHaven makes more sense if you need a governed place to store and review the exported scan files.

How database_scan Works

database_scan uses a metadata-first scanning model. It opens a database connection, enumerates schemas, tables, and columns, then applies keyword and content heuristics to decide which fields deserve inspection. The key abstraction is simple: inspect structure first, then fetch bounded samples only from the columns or rows that match the rule set.

The tool also keeps the protocol layer practical. MySQL-compatible databases reuse the MySQL connection path, PostgreSQL-compatible databases reuse the PostgreSQL path, and Redis uses key enumeration plus type-specific reads instead of pretending that key/value storage looks like SQL. That matters because the same binary can handle heterogeneous estates without forcing a separate agent per database family.

./database_scan --type postgres --host 127.0.0.1 --port 5432 --user dev --password pass --mode field-content --level all --limit 10

That command connects to PostgreSQL, searches for sensitive field names and values, and caps the number of sample rows per hit table at 10. Expect terminal tables first, then Excel output if you add --output result.xlsx; --workers increases table-level concurrency without changing the underlying query semantics. Note that --password on the command line leaves the credential in shell history, so outside a throwaway local test omit it and let the tool prompt for it.

The database_scan tutorial flow is deliberately linear: connect, classify, sample, export. The --timeout flag limits each query, the --mask flag hides sample values, and --no-color makes the output easier to paste into tickets or logs.
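The following script is an added illustration of the metadata-first model described above (enumerate tables and columns, classify by name, fetch bounded samples, classify by content, filter by severity, mask on request). It is not database_scan's code: it uses an in-memory SQLite database as a stand-in for the engines the tool supports, and the keyword list, the regexes, the exact meaning of the four modes, and the masking format are assumptions made for this example.

```python
"""Metadata-first sensitive-data scan over SQLite (added example, not database_scan's code)."""
import re
import sqlite3

LEVELS = {"all": 0, "low": 1, "medium": 2, "high": 3}

# Name heuristics (assumed rule set): substrings of a column name -> (hit type, severity).
NAME_RULES = [
    (("password", "passwd", "secret", "token", "api_key"), ("credential", "high")),
    (("card", "iban"), ("bank_card", "high")),
    (("phone", "mobile"), ("phone", "medium")),
    (("email", "mail"), ("email", "medium")),
    (("address", "addr"), ("address", "low")),
    (("username", "user_name", "name"), ("name", "low")),
]

# Content heuristics (assumed): whole-value regexes tried in order, first match wins.
CONTENT_RULES = [
    (re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$"), ("email", "medium")),
    (re.compile(r"^\+?\d{10,15}$"), ("phone", "medium")),
    (re.compile(r"^(?:\d[ -]?){13,19}$"), ("bank_card", "high")),
    (re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), ("password_hash", "high")),
]


def classify_name(column):
    col = column.lower()
    for keywords, hit in NAME_RULES:
        if any(k in col for k in keywords):
            return hit
    return None


def classify_value(value):
    text = str(value).strip() if value is not None else ""
    for pattern, hit in CONTENT_RULES:
        if pattern.match(text):
            return hit
    return None


def mask(value):
    """Keep two leading and two trailing characters; everything between becomes '*'."""
    text = str(value)
    if len(text) <= 4:
        return "*" * len(text)
    return text[:2] + "*" * (len(text) - 4) + text[-2:]


def quote(identifier):
    """Quote a table/column name taken from metadata so it cannot alter the query."""
    return '"' + identifier.replace('"', '""') + '"'


def scan(conn, mode="field-content", level="all", limit=10, masked=False):
    """Return hits as dicts: table, column, hit_type, severity, basis, samples."""
    if mode not in ("field-name", "content", "field-content", "all"):
        raise ValueError(f"unknown mode {mode!r}")
    threshold = LEVELS[level]
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for info in conn.execute(f"PRAGMA table_info({quote(table)})"):
            column = info[1]
            name_hit = None if mode == "content" else classify_name(column)
            # Assumed mode semantics: field-name never samples; content and all sample every
            # column; field-content samples only the columns the name rules flagged.
            sample = mode in ("content", "all") or (mode == "field-content" and name_hit)
            content_hit, samples, matched = None, [], 0
            if sample:  # bounded sample: LIMIT keeps the scan cheap on large tables
                query = (f"SELECT {quote(column)} FROM {quote(table)} "
                         f"WHERE {quote(column)} IS NOT NULL LIMIT ?")
                for (value,) in conn.execute(query, (limit,)):
                    found = classify_value(value)
                    if found:
                        matched += 1
                        if content_hit is None or LEVELS[found[1]] > LEVELS[content_hit[1]]:
                            content_hit = found
                    samples.append(mask(value) if masked else value)
            evidence = [h for h in (name_hit, content_hit) if h]
            if not evidence:
                continue
            hit_type, severity = max(evidence, key=lambda h: LEVELS[h[1]])
            if LEVELS[severity] < threshold:  # severity filter (--level equivalent)
                continue
            basis = []
            if name_hit:
                basis.append(f"column name suggests {name_hit[0]}")
            if content_hit:
                basis.append(f"{matched}/{len(samples)} sampled values look like {content_hit[0]}")
            hits.append({"table": table, "column": column, "hit_type": hit_type,
                         "severity": severity, "basis": "; ".join(basis), "samples": samples})
    return hits


def build_demo_db():
    """Constructed in-memory database; every value below is made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, email TEXT, password_hash TEXT, phone TEXT);
        CREATE TABLE orders (id INTEGER, note TEXT, card_number TEXT);
    """)
    fake_hash = "$2b$12$" + "abcdefghijklmnopqrstuvwxyz" * 2 + "0"  # bcrypt-shaped placeholder
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?)", [
        (1, "alice", "alice@example.com", fake_hash, "+14155550123"),
        (2, "bob", "bob@example.org", fake_hash, "+14155550124"),
    ])
    conn.executemany("INSERT INTO orders VALUES (?,?,?)", [
        (1, "alice@example.com", "4111 1111 1111 1111"),
        (2, "gift wrap", "4111 1111 1111 1111"),
    ])
    return conn


if __name__ == "__main__":
    for hit in scan(build_demo_db(), mode="field-content", level="all", limit=10, masked=True):
        print(f"{hit['table']}.{hit['column']:<14} {hit['severity']:<7} {hit['hit_type']:<14} "
              f"{hit['basis']} | {hit['samples']}")
```

Running it with mode="content" instead of the default shows why the value pass matters: the orders.note column has an innocuous name and is skipped by the name rules, but its sampled values are email addresses and only a content scan surfaces it. Conversely, masked=True demonstrates the --mask trade-off: the hit, its severity and the match counts survive, while the samples stop being usable as raw data in a ticket.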

Pros and Cons of database_scan

Pros:

  • Covers a wide range of SQL databases plus Redis, which reduces the need for separate one-off scanners.
  • Returns real sample values, row counts, and grouped hits, so the output is suitable for audits and incident evidence.
  • Supports proxying, hidden password input, and --no-color, which helps in restricted or shared terminal environments.
  • Exports to Excel with per-table sheets, which is practical for compliance reviews and management reporting.
  • Can ingest fscan results and fan out across many discovered credentials, which saves time during post-recon triage.
  • Supports concurrency with --workers, making larger estates more manageable without changing the command shape.

Cons:

  • It is a scanner, not a continuous monitoring system, so it does not replace database auditing or DLP infrastructure.
  • Some specialized databases are intentionally unsupported because they need extra driver stacks or break portable builds.
  • Raw sample values are visible by default, so careless use on sensitive environments can create new exposure if you do not add --mask.
  • The project page does not list a formal license or release train, so governance-heavy teams need to verify repository metadata before adopting it.
  • It is credential-driven, which means it will not help if you only have network access and no valid database login.

Getting Started with database_scan

The fastest path is to clone the repository, build the Go binary, and run a local scan against a test database. That gets you from source to first evidence in a few commands.

git clone https://github.com/RuoJi6/database_scan.git
cd database_scan
go build -o database_scan ./cmd/database_scan
./database_scan --type mysql --host 127.0.0.1 --port 3306 --user root

If you omit --password, database_scan prompts for hidden input, which keeps the credential out of shell history. Add --output result.xlsx when you want a file artifact, and add --mask when the terminal is visible to other people.

For Redis, specify the instance and optional database number with --database, and for multi-host recon workflows use --fscan result.txt --workers 4 to batch through discovered credentials. The first run usually needs only a valid login and the right database type flag.

Verdict

database_scan is the strongest option for credentialed internal database audits when you need human-readable evidence instead of passive monitoring. Its best strength is broad protocol coverage with real sample values; its main caveat is that it can expose sensitive rows unless you enable masking. Use it when you want fast triage and exportable proof, and skip it when you need always-on controls.
