Merge branch 'sast-secret-note-password-in-url' into 'master'

Update application security sast secrets note See merge request gitlab-org/gitlab!24397

Merge branch 'sast-secret-note-password-in-url' into 'master'
Update application security sast secrets note See merge request gitlab-org/gitlab!24397
dda46613 · Achilleas Pipinellis · 3845c160 · 04c39afc · dda46613
Commit dda46613 authored Feb 06, 2020 by Achilleas Pipinellis
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

doc/user/application_security/sast/index.md doc/user/application_security/sast/index.md +6 -0

No files found.
--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@@ -454,6 +454,12 @@ CI/CD configuration file to turn it on. Results are available in the SAST report

 GitLab currently includes [Gitleaks](https://github.com/zricethezav/gitleaks) and [TruffleHog](https://github.com/dxa4481/truffleHog) checks.

+NOTE: **Note:**
+The secrets analyzer will ignore "Password in URL" vulnerabilities if the password begins
+with a dollar sign (`$`) as this likely indicates the password being used is an environment
+variable. For example, `https://username:$password@example.com/path/to/repo` will not be
+detected, whereas `https://username:password@example.com/path/to/repo` would be detected.
+
 ## Security Dashboard

 The Security Dashboard is a good place to get an overview of all the security