Ensure No Users Have Wildcard Hostnames


Wildcards can be used when granting permissions to users on specific databases.


Avoiding the use of wildcards within hostnames helps control the specific locations from which a given user may connect to and interact with the database.

For example, granting privileges to '<user_name>'@'%' will allow <user_name> to connect to the database from any remote host.

Applies To

  • Databases


This rule is applied when the following tags are present:

Tag                      With Value
secureclouddb/provider   aws
secureclouddb/service    rds
secureclouddb/engine     mysql

Default Rule

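const { isEmpty, isEmptyArray } = module

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {boolean} true if no user has a wildcard hostname
 */
function validate(databaseSettings) {

  var success = true;
  if (databaseSettings && !isEmptyArray(databaseSettings.users)) {

    // look for users with wildcard hostnames
    // (the property compared with '%' is cut off in the source; `Host`, the
    // column name in the mysql.user table, is assumed here)
    const wildcardHostNames = databaseSettings.users.filter(user => user.mysql &&
                                                        user.mysql.usersTableSnapshot &&
                                                        user.mysql.usersTableSnapshot.Host === '%')

    success = isEmptyArray(wildcardHostNames)
  }

  // the fields of the returned object are cut off in the source;
  // `success` is assumed to be one of them
  return { success }
}

// invoke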
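
An added example, not part of the rule's own code: the default rule matches only the exact host '%', but MySQL also treats % and _ inside an account host value (for example '10.0.%') as wildcards, so this check reports those as well. The row shape (User, Host), the function names and the sample accounts are assumptions constructed for illustration.

```javascript
// Constructed sample rows shaped like SELECT User, Host FROM mysql.user (not real data).
const sampleAccounts = [
  { User: 'app',    Host: '10.0.4.17' },
  { User: 'report', Host: '%' },
  { User: 'etl',    Host: '10.0.%' },
  { User: 'backup', Host: 'db_.internal.example' },
  { User: 'root',   Host: 'localhost' },
  { User: 'legacy' },                     // Host missing from the snapshot
];

// Classify one Host value.
//   'any-host' : exactly '%', the case the default rule on this page checks
//   'pattern'  : contains % or _, which MySQL treats as wildcards in host values
//   'unknown'  : no usable Host value, so the account cannot be cleared
//   'specific' : a literal host name or address
function classifyHost(host) {
  if (typeof host !== 'string' || host.length === 0) return 'unknown';
  if (host === '%') return 'any-host';
  if (/[%_]/.test(host)) return 'pattern';
  return 'specific';
}

// Return one finding per account that is not pinned to a specific host.
function auditAccounts(accounts) {
  if (!Array.isArray(accounts)) return [];
  return accounts
    .map(a => ({ account: `'${a.User}'@'${a.Host ?? ''}'`, kind: classifyHost(a.Host) }))
    .filter(f => f.kind !== 'specific');
}

// True only when every account is tied to a specific host.
function passes(accounts) {
  return auditAccounts(accounts).length === 0;
}

console.log(auditAccounts(sampleAccounts));
```

Accounts reported as 'pattern' would pass the exact-match rule above, so they are worth reviewing separately when the intent is to restrict each user to known hosts.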