explaingit

ruoji6/database_scan

27 · Go

TLDR

This is a Go command-line tool that scans a database looking for sensitive personal information.

In plain English

This is a Go command-line tool that scans a database looking for sensitive personal information. The intended use is on development databases, where the operator wants to find out whether real production data, such as Chinese national ID numbers, mobile phone numbers, addresses, account names, passwords, email addresses, bank card numbers, or API tokens and secrets, has leaked into the dev environment.

A wide range of database engines are supported out of the box. Native drivers exist for MySQL, MariaDB, MSSQL, PostgreSQL, Oracle, and Redis. Any MySQL protocol compatible database such as TiDB, OceanBase, PolarDB-MySQL, Doris, StarRocks, and GBase-MySQL also works, and so does any PostgreSQL protocol compatible database such as OpenGauss, GaussDB, Kingbase, Highgo, and PolarDB-Postgres. The tool can reach these databases directly or through a SOCKS5 or HTTP CONNECT proxy.

There are four detection modes selected with --mode. Field-content is the default and first locates likely sensitive columns by their table and column names, then scans the contents of those columns. Field-name only checks the names. Content scans every column's data without name hints. All runs everything.

There are also four severity levels: high covers ID numbers, passwords, secrets, and bank cards; medium covers phone numbers and emails; low covers addresses and account names; and all runs every level.

Results come out either as a colored terminal table or as an Excel file with one sheet per matched table, where the top half lists the flagged columns and the bottom half shows sample rows. Sample values can be masked with --mask.

A --fscan flag tells the tool to read a result file produced by the fscan network scanner, pull database credentials from it, and run the sensitive-data scan against every host that fscan found. Both fscan v2.1.2 and 1.8.4 output formats are supported.

Other useful flags include --sql for running a custom SQL query, --workers to scan tables in parallel, --limit to cap the number of sample rows per table, --timeout for per-query timeout, --include-system to also scan system schemas, --no-color and --no-banner for clean output suitable for reports, and --table to restrict scanning to one specific table. Passwords can be omitted on the command line so the tool prompts for hidden input, keeping them out of shell history.
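The detection modes trade coverage for speed: a name-gated scan skips a badly named column that a content-only scan would still flag. The Go example below is added here to illustrate that for ID numbers and mobile numbers; it is not code from the database_scan repository, and the regexes, the masking format, the function names (`classify`, `validIDCard`, `mask`) and the sample values are all assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed rules for illustration; the tool's real patterns are not shown on the page.
var (
	nameHint = regexp.MustCompile(`(?i)id_?card|phone|mobile`)
	idCardRe = regexp.MustCompile(`^\d{17}[\dXx]$`)
	mobileRe = regexp.MustCompile(`^1[3-9]\d{9}$`)
)

// validIDCard verifies the mod-11 check character of an 18-character resident ID number.
func validIDCard(s string) bool {
	if !idCardRe.MatchString(s) {
		return false
	}
	sum := 0
	for i, w := range []int{7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2} {
		sum += int(s[i]-'0') * w
	}
	return "10X98765432"[sum%11] == strings.ToUpper(s)[17]
}

// mask keeps 3 leading and 2 trailing characters; callers pass only 11- or 18-character hits.
func mask(v string) string { return v[:3] + strings.Repeat("*", len(v)-5) + v[len(v)-2:] }

// classify returns masked hits; useNameHint (field-content style) skips non-sensitive column names.
func classify(column string, samples []string, useNameHint bool) (hits []string) {
	if useNameHint && !nameHint.MatchString(column) {
		return nil
	}
	for _, v := range samples {
		if validIDCard(v) {
			hits = append(hits, "high:"+mask(v))
		} else if mobileRe.MatchString(v) {
			hits = append(hits, "medium:"+mask(v))
		}
	}
	return hits
}

func main() {
	rows := []string{"11010519491231002X", "13800138000", "n/a"} // constructed sample values
	fmt.Println(classify("remark", rows, true), classify("remark", rows, false))
}
```

Validating the check character rather than matching 18 digits alone keeps order numbers and other long numeric strings from being reported as high-severity ID numbers.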

Generated 2026-05-21 · Model: sonnet-4-6 · Verify against the repo before relying on details.