Secrets analyzer false positive with password url detection
Summary
The Secrets analyzer (gitleaks) has reported some false positives since v3.24.0.
Steps to reproduce
- Add the SwaggerUI JS/CSS bundle to your project
- Run a pipeline with secret detection enabled
- See the job result
Example Project
Example available here: https://gitlab.com/qdesbin/example-secret-analyzer-false-positif-swagger-ui/-/jobs/2017271069
What is the current bug behavior?
This issue provides an example of a false positive so that the analyzer's regex can be adapted or corrected.
What is the expected correct behavior?
The analyzer should not report "password in URL" in this case.
Relevant logs and/or screenshots
N/A
Output of checks
Tested and reproduced on GitLab.com with shared runners.
Results of GitLab environment info
N/A
Results of GitLab application Check
N/A
Possible fixes
- Adapt the regex: https://gitlab.com/gitlab-org/security-products/analyzers/secrets/-/blob/v3.24.3/gitleaks.toml#L143
- Ignore some explicit files in CI (already available)
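As an added illustration of the two fixes above (not the analyzer's or gitleaks' code), the following Python shows the shape of a "password in URL" rule together with the post-match checks that keep a documentation-style placeholder in a vendored bundle from being reported while a real committed credential still is. The regex, the vendored-path patterns, the placeholder list and both sample files are constructed for this example and are not taken from the analyzer's gitleaks.toml or from the SwaggerUI bundle.

```python
"""Added example (not GitLab's or gitleaks' code): a small "password in URL"
detector with post-match checks that separate a real committed credential
from documentation-style placeholders in vendored/minified bundles.
The regex, path patterns and sample lines below are all constructed."""
import math
import re
from collections import Counter

# Broad first-pass pattern: scheme://user:password@host  (assumption: a generic
# rule in the spirit of "password in URL" checks, not the analyzer's own regex).
LOOSE_URL_CRED = re.compile(
    r"(?P<scheme>[a-zA-Z][a-zA-Z0-9+.-]{1,9})://"
    r"(?P<user>[^\s/:@\"'<>]{1,64}):"
    r"(?P<password>[^\s/:@\"'<>]{1,128})@"
    r"(?P<host>[^\s/:@\"'<>]{1,200})"
)

# Values that show up in examples and docs rather than in real configs (constructed list).
PLACEHOLDER_PASSWORDS = {"password", "pass", "passwd", "secret", "example", "changeme", "xxx"}

# Paths treated as vendored third-party assets (constructed list).
VENDORED_PATH_PATTERNS = (
    re.compile(r"(^|/)swagger-ui[^/]*\.(js|css)$"),
    re.compile(r"\.min\.(js|css)$"),
    re.compile(r"(^|/)node_modules/"),
)


def shannon_entropy(s: str) -> float:
    """Bits per character; short dictionary placeholders score low, real secrets high."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_vendored(path: str) -> bool:
    """True when the path looks like a third-party asset rather than project config."""
    return any(p.search(path) for p in VENDORED_PATH_PATTERNS)


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list:
    """Return every loose match, annotated with the reasons it would be suppressed."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in LOOSE_URL_CRED.finditer(line):
            pw = m.group("password")
            reasons = []
            if pw.lower() in PLACEHOLDER_PASSWORDS or pw.startswith(("${", "{{")):
                reasons.append("placeholder")       # templated or documentation value
            if shannon_entropy(pw) < min_entropy:
                reasons.append("low-entropy")       # unlikely to be a generated secret
            if is_vendored(path):
                reasons.append("vendored-path")     # third-party bundle, not our config
            findings.append({
                "path": path,
                "line": line_no,
                "scheme": m.group("scheme"),
                "user": m.group("user"),
                "host": m.group("host"),
                "password": pw,
                "reasons": reasons,
            })
    return findings


def scan_files(files: dict) -> dict:
    """Split findings into actionable (no suppression reason) and suppressed."""
    actionable, suppressed = [], []
    for path, text in files.items():
        for f in scan_text(path, text):
            (suppressed if f["reasons"] else actionable).append(f)
    return {"actionable": actionable, "suppressed": suppressed}


# Constructed sample repository content; the credential is made up.
SAMPLE_FILES = {
    "config/database.env":
        "DATABASE_URL=postgres://app:Qz8vT2mLp9sWx@db.internal:5432/app\n",
    "public/swagger-ui-bundle.js":
        'var e={url:"https://petstore.swagger.io/v2/swagger.json"};'
        'function t(n){return n||"https://user:password@example.com/api"}\n',
}

if __name__ == "__main__":
    result = scan_files(SAMPLE_FILES)
    for f in result["actionable"]:
        print(f"ACTIONABLE {f['path']}:{f['line']} {f['scheme']}://{f['user']}:***@{f['host']}")
    for f in result["suppressed"]:
        print(f"suppressed {f['path']}:{f['line']} reasons={f['reasons']}")
```

Running the script reports the `config/database.env` line as actionable and the bundle line as suppressed for all three reasons. The vendored-path check corresponds to the second bullet: in GitLab CI the same effect is obtained without code by listing the bundle's directory in the `SECRET_DETECTION_EXCLUDED_PATHS` variable of the secret detection job; the placeholder and entropy checks are the kind of tightening the first bullet asks for in the rule itself.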