
Ignore Password in URL vulnerabilities if credentials are Env vars

Zach Rice requested to merge bug-url-passwords into master

What does this MR do?

This MR introduces a change that would reduce false positives on the Password in URL vulnerability. The change checks if a Password in URL vulnerability is present. If it is, it then checks whether the password being used is prefixed by the `$` character, a common way to load environment variables in scripts.

Note: this does not handle cases where env vars are loaded from a language with a different syntax. Example using Go:

```go
u := fmt.Sprintf("https://%s:%s@www.example.com", os.Getenv("MY_USERNAME"), os.Getenv("MY_PASSWORD"))
```
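The heuristic described above, written out as an added example (not the MR's own code): a constructed URL-credential regex extracts the password, and the finding is suppressed only when that password starts with `$`. The Go `Sprintf` case from the note is included to show that a `%s` placeholder is still reported, since it is not `$`-prefixed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// urlCredsRe matches scheme://user:password@ and captures the password.
// Constructed for this example; it is not the project's own detection rule.
var urlCredsRe = regexp.MustCompile(`[a-zA-Z][a-zA-Z0-9+.-]*://[^:/@\s]+:([^@/\s]+)@`)

// isEnvVarReference reports whether the captured password is a shell-style
// environment variable reference ($VAR or ${VAR}) rather than a literal secret.
func isEnvVarReference(password string) bool {
	return strings.HasPrefix(password, "$")
}

// shouldReportPasswordInURL applies the MR's heuristic: report only when a
// password is embedded in the URL and it is not a $-prefixed reference.
// It returns the decision and the captured password (empty if none).
func shouldReportPasswordInURL(line string) (bool, string) {
	m := urlCredsRe.FindStringSubmatch(line)
	if m == nil {
		return false, ""
	}
	password := m[1]
	if isEnvVarReference(password) {
		return false, password
	}
	return true, password
}

func main() {
	// Constructed sample lines: a literal secret, two env-var references,
	// and the Go Sprintf form from the note (placeholder, not $-prefixed).
	samples := []string{
		`curl https://deploy:hunter2@git.example.com/repo.git`,
		`curl https://deploy:$DEPLOY_TOKEN@git.example.com/repo.git`,
		`curl "https://deploy:${DEPLOY_TOKEN}@git.example.com/repo.git"`,
		`u := fmt.Sprintf("https://%s:%s@www.example.com", os.Getenv("U"), os.Getenv("P"))`,
	}
	for _, s := range samples {
		report, pw := shouldReportPasswordInURL(s)
		fmt.Printf("report=%-5v password=%-16q line=%s\n", report, pw, s)
	}
}
```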

What are the relevant issue numbers?

gitlab-org/gitlab#33285 (closed)

Does this MR meet the acceptance criteria?

Edited by Daniel Paul Searles
