Problem to solve
Since today, our secret detection job has started to fail. We use the Security/Secret-Detection.gitlab-ci.yml template.
- It reports two critical vulnerabilities: one saying a CI job token has been found, one saying that a URL containing this token has been found.
```json
{
  "version": "15.1.4",
  "vulnerabilities": [
    {
      "id": "9ee53ef80a7ff86333b90d6a3123c0c1f3e9b72482ecbcca8ba501374ca588aa",
      "category": "secret_detection",
      "name": "GitLab CI/CD job token",
      "description": "A GitLab CI/CD job token was identified. Job tokens are used to execute functionality in the context of a pipeline\njob. In most cases job tokens have limited privileges and can only be used to read from the repository where the\npipeline executes from. External projects can grant access to job tokens from other projects. A malicious actor has a\nlimited timeframe to use this token to attempt to access the repository.\n\nFor general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).\n\nBecause job tokens are short lived, there is no revocation process, it is no longer available after the job that created\nit completes.\n\nFor more details on exactly what a job token is allowed to access, please see [GitLabs documentation on job tokens](https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html).",
      "cve": ".git/config:246f8863bc40289b02fc2c27aa584f0a9913b4c9a1cafd83080841fd47fdd7de:gitlab_ci_build_token",
      "severity": "Critical",
      "confidence": "Unknown",
      "raw_source_code_extract": "glcbt-CANTSHOWTHATSORRY_BUT_ITS_TMP_TOKEN_ANYWAY",
      "scanner": {
        "id": "gitleaks",
        "name": "Gitleaks"
      },
      "location": {
        "file": ".git/config",
        "commit": {
          "sha": "0000000"
        },
        "start_line": 19
      },
      "identifiers": [
        {
          "type": "gitleaks_rule_id",
          "name": "Gitleaks rule ID gitlab_ci_build_token",
          "value": "gitlab_ci_build_token"
        }
      ]
    },
    {
      "id": "c7402a40c90a7476270cf7b5ae873b102fe22c61d7c41ad00f426ca2a46329a0",
      "category": "secret_detection",
      "name": "Password in URL",
      "description": "Password in URL\n\nFor general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on\n[Credential exposure to the internet](https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#credential-exposure-to-public-internet).",
      "cve": ".git/config:c5207237322587d6baf1388dba7f5bf889419737c4bf455915ccdad23484e63e:Password in URL",
      "severity": "Critical",
      "confidence": "Unknown",
      "raw_source_code_extract": "https://gitlab-ci-token:glcbt-CANTSHOWTHATSORRY_BUT_ITS_TMP_TOKEN_ANYWAY@gitlab.com/MYREPO.git",
      "scanner": {
        "id": "gitleaks",
        "name": "Gitleaks"
      },
      "location": {
        "file": ".git/config",
        "commit": {
          "sha": "0000000"
        },
        "start_line": 19
      },
      "identifiers": [
        {
          "type": "gitleaks_rule_id",
          "name": "Gitleaks rule ID Password in URL",
          "value": "Password in URL"
        }
      ]
    }
  ],
  "scan": {
    "analyzer": {
      "id": "secrets",
      "name": "secrets",
      "url": "https://gitlab.com/gitlab-org/security-products/analyzers/secrets",
      "vendor": {
        "name": "GitLab"
      },
      "version": "7.10.0"
    },
    "scanner": {
      "id": "gitleaks",
      "name": "Gitleaks",
      "url": "https://github.com/gitleaks/gitleaks",
      "vendor": {
        "name": "GitLab"
      },
      "version": "8.28.0"
    },
    "type": "secret_detection",
    "start_time": "2025-08-06T04:08:55",
    "end_time": "2025-08-06T04:09:03",
    "status": "success"
  }
}
```
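Added example for triaging a report like the one above (not code from the reporter, GitLab, or the analyzer): it separates findings that sit in `.git/config`, carry a `glcbt-` job token and are attributed to the all-zero SHA, i.e. the token the runner places in the clone URL rather than a secret committed to the repository, from findings that need normal incident handling, and it redacts the token before anything is printed or logged. The sample report, its file paths and token values are constructed.

```python
import json
import re

# Constructed sample report shaped like gl-secret-detection-report.json above; the token
# value is made up, and a third finding in a tracked file is added for contrast.
SAMPLE_REPORT = json.dumps({
    "version": "15.1.4",
    "vulnerabilities": [
        {"name": "GitLab CI/CD job token",
         "raw_source_code_extract": "glcbt-EXAMPLEFAKETOKENVALUE",
         "location": {"file": ".git/config", "commit": {"sha": "0000000"}, "start_line": 19},
         "identifiers": [{"type": "gitleaks_rule_id", "value": "gitlab_ci_build_token"}]},
        {"name": "Password in URL",
         "raw_source_code_extract": "https://gitlab-ci-token:glcbt-EXAMPLEFAKETOKENVALUE@gitlab.com/group/repo.git",
         "location": {"file": ".git/config", "commit": {"sha": "0000000"}, "start_line": 19},
         "identifiers": [{"type": "gitleaks_rule_id", "value": "Password in URL"}]},
        {"name": "Generic API key",
         "raw_source_code_extract": "api_key = \"EXAMPLE-committed-secret\"",
         "location": {"file": "config/settings.py", "commit": {"sha": "1a2b3c4"}, "start_line": 3},
         "identifiers": [{"type": "gitleaks_rule_id", "value": "generic-api-key"}]},
    ],
})

JOB_TOKEN_RE = re.compile(r"glcbt-[0-9A-Za-z_-]+")   # CI job token prefix seen in the report
NULL_SHA_RE = re.compile(r"^0+$")                   # "0000000": not a commit in history

def redact(extract):
    """Mask the token value so triage output never re-leaks it."""
    return JOB_TOKEN_RE.sub("glcbt-[REDACTED]", extract)

def is_runner_checkout_token(vuln):
    """True when the hit is in .git/config, contains a glcbt- job token, and Gitleaks
    attributed it to the all-zero SHA instead of a real commit: the runner's clone
    credential, not a secret that was committed to the repository."""
    loc = vuln.get("location", {})
    sha = loc.get("commit", {}).get("sha", "")
    return (loc.get("file") == ".git/config"
            and bool(NULL_SHA_RE.match(sha))
            and JOB_TOKEN_RE.search(vuln.get("raw_source_code_extract", "")) is not None)

def triage(report_json):
    """Split a report into findings that need incident handling and runner-token hits.
    Returns (needs_review, runner_token_hits); each row is (name, file, redacted extract)."""
    needs_review, runner_hits = [], []
    for v in json.loads(report_json).get("vulnerabilities", []):
        row = (v["name"], v["location"]["file"], redact(v.get("raw_source_code_extract", "")))
        (runner_hits if is_runner_checkout_token(v) else needs_review).append(row)
    return needs_review, runner_hits
```

Run `triage(open("gl-secret-detection-report.json").read())` on a real report; anything in `needs_review` still goes through the credential-exposure handling linked in the finding descriptions.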
Steps to reproduce
- With the current default template, it uses GitLab Secrets Analyzer version 7.10.0 and reports the two critical vulnerabilities, where it should NOT. They seem to be two false positives.
- I have set
SECRETS_ANALYZER_VERSION: 7.9.0
because that's the version that was used yesterday. With this version it does not report the two vulnerabilities.
Configuration
- Nothing special
Versions
Please add an x whether options apply, and add the version information.
- Self-managed
- GitLab.com SaaS
- Dedicated
Versions
- GitLab (Web: /help or self-managed system information: sudo gitlab-rake gitlab:env:info):