Update application security sast secrets note

04c39afc · Zach Rice · Achilleas Pipinellis · 043a8dd7 · 04c39afc
Commit 04c39afc authored Feb 06, 2020 by Zach Rice Committed by Achilleas Pipinellis Feb 06, 2020
Show whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

doc/user/application_security/sast/index.md doc/user/application_security/sast/index.md +6 -0

No files found.
--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@@ -454,6 +454,12 @@ CI/CD configuration file to turn it on. Results are available in the SAST report

 GitLab currently includes [Gitleaks](https://github.com/zricethezav/gitleaks) and [TruffleHog](https://github.com/dxa4481/truffleHog) checks.

+NOTE: **Note:**
+The secrets analyzer will ignore "Password in URL" vulnerabilities if the password begins
+with a dollar sign (`$`) as this likely indicates the password being used is an environment
+variable. For example, `https://username:$password@example.com/path/to/repo` will not be
+detected, whereas `https://username:password@example.com/path/to/repo` would be detected.
+
 ## Security Dashboard

 The Security Dashboard is a good place to get an overview of all the security