Feature Request - Don't trigger 'password in url' for python f strings
Proposal
Modify the secret-in-URL detection regex to properly allow for Python f-strings.
See this issue.
Modify the detection regex so that it does not trigger on things like the Python sample below:
x = f"mssql+pyodbc://{SQL_USER}:{SQL_PASS}@{SQL_SERVER}/{SQL_DB}?driver={SQL_DRIVER}"
This is a simple sample of a Python f-string which performs simple variable substitution, but it still triggers as a critical alert, with the scanner believing it to be a hardcoded password in a URL, whereas it is actually a safe way to construct a string.
I believe the relevant regex is here: https://gitlab.com/gitlab-org/security-products/analyzers/secrets/-/blob/master/gitleaks.toml
With the correct filtering out of Python f-strings we would see a reduction of thousands of false positives across our code base.
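As an added example (not the gitleaks.toml rule from the GitLab secrets analyzer, whose exact pattern is not reproduced here), the following hypothetical Python detector shows one way to implement the requested behaviour: match `scheme://user:password@host`, then suppress the finding only when the whole password slot is a single `{...}` substitution. It goes slightly beyond the issue's f-string case, since `.format()`-style templates look identical on disk, and it deliberately still alerts on escaped braces (`{{p}}` is a literal in an f-string) and on partially templated passwords. The regexes, function names and sample lines are all constructed for this example.

```python
import re

# Hypothetical "password in URL" rule (an assumption for this example, not the
# analyzer's own pattern): scheme://user:password@host, password captured as a group.
URL_CRED_RE = re.compile(
    r"""(?P<scheme>[a-z][a-z0-9+.\-]*)://"""
    r"""(?P<user>[^\s:@/"']+):(?P<password>[^\s@/"']+)@"""
    r"""(?P<host>[^\s/"']+)""",
    re.IGNORECASE,
)

# A credential slot that is exactly one template substitution, e.g. {SQL_PASS},
# {cfg.db_password} or {pw!r}. Escaped braces ({{p}}) contain an inner brace and
# therefore do NOT match, so a literal "{p}" password is still reported.
PLACEHOLDER_RE = re.compile(r"^\{[^{}]+\}$")


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (user, password) pairs that look like hard-coded URL credentials.

    A password that is entirely a single {...} placeholder is substituted at
    runtime, so it is not a literal secret and is skipped. A password that only
    partly consists of a placeholder (e.g. "{env}-s3cret") still embeds a literal
    fragment and is reported.
    """
    findings = []
    for m in URL_CRED_RE.finditer(line):
        password = m.group("password")
        if PLACEHOLDER_RE.match(password):
            continue
        findings.append((m.group("user"), password))
    return findings


def scan(lines: list[str]) -> list[tuple[int, str, str]]:
    """Scan a sequence of source lines; return (line_number, user, password)."""
    return [
        (n, user, password)
        for n, line in enumerate(lines, start=1)
        for user, password in scan_line(line)
    ]


# Constructed sample source lines (not from any real code base).
SAMPLE_LINES = [
    # the sample from the issue: every slot is substituted, must not alert
    'x = f"mssql+pyodbc://{SQL_USER}:{SQL_PASS}@{SQL_SERVER}/{SQL_DB}?driver={SQL_DRIVER}"',
    # a real hard-coded password, must alert
    'DB_URL = "postgres://app:hunter2@db.internal:5432/app"',
    # escaped braces: the f-string yields the literal password "{p}", must alert
    'u = f"redis://cache:{{p}}@cache.internal"',
    # partially templated password still carries a literal fragment, must alert
    'u = f"amqp://guest:{env}-s3cret@mq.internal"',
    # .format()-style template, no literal secret, must not alert
    'u = "mysql://{user}:{password}@{host}/db".format(**cfg)',
]

if __name__ == "__main__":
    for n, user, password in scan(SAMPLE_LINES):
        print(f"line {n}: hard-coded credential for user {user!r}: {password!r}")
```

Running the block reports lines 2, 3 and 4 only; the f-string from the issue and the `.format()` template produce no finding. The choice to require the *entire* password slot to be a placeholder is the important one: relaxing it to "contains a brace" would also silence the escaped-brace and partially templated cases, which are real leaks.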