<!--IssueSummary start--> <details> <summary> Everyone can contribute. [Help move this issue forward](https://handbook.gitlab.com/handbook/marketing/developer-relations/contributor-success/community-contributors-workflows/#contributor-links) while earning points, leveling up and collecting rewards. </summary> - [Close this issue](https://contributors.gitlab.com/manage-issue?action=close&projectId=278964&issueIid=342539) </details> <!--IssueSummary end--> The following was picked up by secrets detection analyzer... It might make sense to rule out [invalid characters that can't be a URL](https://stackoverflow.com/a/13942629) in the URL rule. Here's an example with instructions for using a GitLab API: ```json { ... "id": "asdfdasfasd", "category": "secret_detection", "name": "Password in URL", "message": "Password in URL detected; please remove and revoke it if this is a leak.", "description": "Password in URL", "cve": "README.md:asdfdasdfas:Password in URL", "severity": "Critical", "confidence": "Unknown", "raw_source_code_extract": "https:///<name-of-your-token>:<your-actual-token>@gitlab.com/api/v4/projects/111111/packages/sample/sample", ... } ``` And another for GitHub.com initially reported in https://gitlab.com/gitlab-org/gitlab/-/issues/342539: ```json { "version": "14.0.0", "vulnerabilities": [ { "id": "<sha>", "category": "secret_detection", "name": "Password in URL", "message": "Password in URL detected; please remove and revoke it if this is a leak.", "description": "Password in URL", "cve": "README.md:<sha> in URL", "severity": "Critical", "confidence": "Unknown", "raw_source_code_extract": "https://<user>:<token>@github.com/<user>/<repo>` .", "scanner": { "id": "gitleaks", "name": "Gitleaks" }, "location": { "file": "README.md", "commit": { "date": "0001-01-01T00:00:00Z", "sha": "0000000" }, "start_line": 2412, "end_line": 2412 }, "identifiers": [ { "type": "gitleaks_rule_id", "name": "Gitleaks rule ID Password in URL", "value": "Password in URL" } ] } ] } ```