demo(07-magic-connection-string): 07 — Hardcoded SQL connection string in Program.cs #156

Open
EricCogen wants to merge 1 commit into main from demo/07-magic-connection-string

Conversation

@EricCogen
Owner

07 — Hardcoded SQL connection string in Program.cs

Expected verdict: ❌ Fails — GauntletCI should fire GCI0010 (hardcoded connection string).

What changed

src/OrderService/Program.cs registers an order-database connection string
as a constant directly in code, instead of binding it from IConfiguration:

// Order-database connection — temporarily inlined while the
// secret-store wiring is being moved out of the legacy host.
const string ordersDbConnection =
    "Server=tcp:orders-db.internal;Database=Orders;Integrated Security=true;TrustServerCertificate=true";
builder.Services.AddSingleton(new OrdersDbConnectionString(ordersDbConnection));

The literal contains the canonical Server= connection-string marker,
which GauntletCI's GCI0010 rule recognises as an environment-coupled
configuration value baked into source.

Why this is risky

  • A connection string in source ties the binary to one environment —
    promoting the same artefact to staging or production now requires a
    rebuild.
  • Even when the literal carries no password (as here), the host name
    leaks internal infrastructure topology into every artifact and CI log.
  • It removes the ability to rotate the endpoint without a code change,
    which is exactly what configuration is for.

What GauntletCI catches

GCI0010 Hardcoding and Configuration — string literal containing a
Server= connection-string marker added to a non-test file.

…g in Program.cs

See scenarios/07-magic-connection-string/README.md for the expected verdict.

@github-actions github-actions Bot left a comment


GauntletCI found the following issues:

These findings reference lines outside the PR diff, so they appear here instead of inline. Expand each entry for full evidence, rationale, and suggested action.

GCI0010 — Hardcoding and Configuration (`src/OrderService/Program.cs`): Hardcoded connection string detected.

GCI0010 — Hardcoding and Configuration

Hardcoded connection string detected.

Evidence:

Line 27: "Server=tcp:orders-db.internal;Database=Orders;Integrated Security=true;TrustServerCertificate=true";

⚠️ Why it matters: Connection strings in source code expose credentials and prevent per-environment configuration.

💡 Suggested action: Use IConfiguration, Secret Manager, or environment variables for connection strings.

Confidence: High | Severity: Block


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cfa8177ea4


// Order-database connection — temporarily inlined while the
// secret-store wiring is being moved out of the legacy host.
const string ordersDbConnection =
    "Server=tcp:orders-db.internal;Database=Orders;Integrated Security=true;TrustServerCertificate=true";


P1: Load DB connection string from configuration

Hardcoding ordersDbConnection here bakes an environment-specific endpoint (Server=tcp:orders-db.internal) into the binary, so promoting the same build across dev/staging/prod requires code changes and rebuilds, and it exposes internal infrastructure details in source and logs. This should be bound from builder.Configuration (or a secrets provider) instead of a string literal in Program.cs.

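Both reviewers point at the same remediation: bind the string from builder.Configuration rather than from a literal. The Program.cs below is an added example written for this review, not the PR's code and not the GauntletCI project's. It assumes an ASP.NET Core minimal host, the Microsoft.Data.SqlClient package for the connection-string parser, and a hypothetical OrdersDbConnectionString record standing in for the wrapper type the PR registers but does not show.

```csharp
// Added example for this review (not the PR's or GauntletCI's code).
// Assumes: ASP.NET Core minimal hosting, the Microsoft.Data.SqlClient package,
// and a hypothetical OrdersDbConnectionString record declared at the bottom.
using Microsoft.Data.SqlClient;

var builder = WebApplication.CreateBuilder(args);

// Bind from the "ConnectionStrings:Orders" key. The default host configuration
// layers appsettings.json, appsettings.{Environment}.json, user secrets (in
// Development) and environment variables, so staging and production supply
// ConnectionStrings__Orders without a rebuild. Fail at startup, not on the
// first query, if nothing provided it.
string ordersDbConnection =
    builder.Configuration.GetConnectionString("Orders")
    ?? throw new InvalidOperationException(
        "ConnectionStrings:Orders is not configured. Set it in " +
        "appsettings.{Environment}.json, dotnet user-secrets, or the " +
        "ConnectionStrings__Orders environment variable.");

// Parse the string with the real keyword grammar instead of substring
// matching, so spacing and casing differences do not hide a setting.
var parsed = new SqlConnectionStringBuilder(ordersDbConnection);

// TrustServerCertificate=true turns off validation of the SQL Server's TLS
// certificate. Tolerate it only in Development so it cannot be promoted
// silently along with the rest of the string.
if (parsed.TrustServerCertificate && !builder.Environment.IsDevelopment())
{
    throw new InvalidOperationException(
        "TrustServerCertificate=true is only permitted in Development.");
}

// Same registration as the PR, now fed from configuration.
builder.Services.AddSingleton(new OrdersDbConnectionString(ordersDbConnection));

var app = builder.Build();

// Health endpoint deliberately returns nothing about the database host, so
// neither the endpoint nor its logs leak the topology the PR description
// warns about.
app.MapGet("/health", () => Results.Ok());

app.Run();

// Hypothetical wrapper type standing in for the one the PR registers.
public sealed record OrdersDbConnectionString(string Value);
```

With this in place the same build reads the endpoint from appsettings.{Environment}.json, from `dotnet user-secrets` in Development, or from the ConnectionStrings__Orders environment variable in a container, so promotion is a configuration change rather than a rebuild, and no literal containing Server= is left in source for GCI0010 to match. The TrustServerCertificate guard is an extra check beyond what either bot asked for: the PR's literal carries TrustServerCertificate=true, which disables certificate validation on the SQL connection, and failing at startup outside Development keeps that setting from riding along with the rest of the string.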
