SAST misidentifies URLs with passwords
Summary
SAST sometimes misidentifies parameters as embedded passwords. For instance, I have Dockerfiles that pull from private PyPI repos:
ARG JFROG_USER
ARG JFROG_PASS
ARG JFROG_HOST
RUN pip install --extra-index-url https://$JFROG_USER:$JFROG_PASS@$JFROG_HOST/path/to/repo -r requirements.txt
This triggers the finding "Critical (Unknown): Password in URL in Dockerfile". But of course there is no password in that Dockerfile; it's just a parameter used to pass a password through from a secure variable.
Steps to reproduce
Create an MR with a Dockerfile including the above example.
What is the current bug behavior?
Parameters are identified as passwords. Since this
What is the expected correct behavior?
Parameters are not flagged as passwords.
Output of checks
This bug happens on GitLab.com
Possible fixes
If a purported password begins with $ and appears in an ENV or ARG line, SAST shouldn't assume it's a password.
Disabling this check wouldn't be a good solution, since I'd still like to scan for hardcoded passwords. Accepting individual instances isn't good either, since developers will become accustomed to ignoring the finding.
/label ~sast /label feature
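The distinction the report asks for, as an added example (not GitLab's SAST code, and not the reporter's Dockerfile): the scanner below extracts user:password@ credentials from URLs in each Dockerfile instruction, treats a password that is purely a variable reference ($NAME or ${NAME}) as a build-arg placeholder rather than a secret, and still flags literal credentials. It also covers the edge case the reporter's rule would miss: the ${NAME:-default} form, where the default word is a literal that ends up in the image. The sample Dockerfile is constructed for the example, and hostnames and passwords in it are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample, modelled on the report above (hypothetical hosts and secrets).
SAMPLE_DOCKERFILE = r"""
FROM python:3.12-slim
ARG JFROG_USER
ARG JFROG_PASS
ARG JFROG_HOST
# False positive from the report: the password is a build-arg reference, not a literal.
RUN pip install --extra-index-url https://$JFROG_USER:$JFROG_PASS@$JFROG_HOST/path/to/repo -r requirements.txt
# Braced form of the same reference.
RUN pip install --extra-index-url https://${JFROG_USER}:${JFROG_PASS}@${JFROG_HOST}/path/to/repo -r requirements.txt
# True positive: literal credentials in the URL.
RUN pip install --extra-index-url https://deploy:Sup3rS3cret@example.invalid/simple -r requirements.txt
# True positive disguised as a variable: the :- default bakes a literal into the image.
RUN pip install --extra-index-url https://${JFROG_USER}:${JFROG_PASS:-Sup3rS3cret}@${JFROG_HOST}/simple \
    -r requirements.txt
"""

# scheme://user:password@  (user may not contain ':', password may, e.g. ${VAR:-word})
URL_CREDS = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://([^\s/:@]+):([^\s/@]+)@")
# A bare Dockerfile variable reference with no literal content: $NAME or ${NAME}
PURE_VAR_REF = re.compile(r"^\$(?:[A-Za-z_][A-Za-z0-9_]*|\{[A-Za-z_][A-Za-z0-9_]*\})$")


@dataclass
class Finding:
    line: int
    user: str
    password: str
    reason: str


def logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (starting line number, instruction) with backslash continuations joined."""
    buf: List[str] = []
    start: Optional[int] = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, "".join(buf)
        buf, start = [], None
    if buf and start is not None:  # file ended on a continuation line
        yield start, "".join(buf)


def classify_password(pw: str) -> Optional[str]:
    """Return a reason if pw is a hard-coded secret, None if it is only a variable reference."""
    if PURE_VAR_REF.match(pw):
        return None  # $JFROG_PASS / ${JFROG_PASS}: value arrives via --build-arg, not the file
    if pw.startswith("${") and (":-" in pw or ":+" in pw):
        # ${VAR:-word} / ${VAR:+word}: 'word' is a literal stored in the Dockerfile
        return "variable reference with a literal default"
    return "literal password in URL"


def scan_dockerfile(text: str) -> List[Finding]:
    """Report URL credentials whose password is a literal rather than a variable reference."""
    findings: List[Finding] = []
    for lineno, instr in logical_lines(text):
        for m in URL_CREDS.finditer(instr):
            user, pw = m.group(1), m.group(2)
            reason = classify_password(pw)
            if reason:
                findings.append(Finding(lineno, user, pw, reason))
    return findings


if __name__ == "__main__":
    for f in scan_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {f.line}: {f.reason} (user={f.user!r}, password={f.password!r})")
```

Run against the sample, the two RUN lines that use $JFROG_PASS and ${JFROG_PASS} produce no finding, while the literal credential and the ${JFROG_PASS:-...} default are both reported. Suppressing on the leading $ alone, as the "Possible fixes" section suggests, would have let the default-value case through, which is why the check looks at the whole reference rather than its first character.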