Git Credentials in URL
Detects embedded credentials (username:password) in Git repository URLs. Mirrors Snaffler rule KeepGitCredsByName.
- Type: regex
- Engine: boost_regex
- Confidence: high
- Confidence justification: High confidence: the user:password@ URL structure is highly specific. The constraint on allowed characters in username and password fields (no whitespace, colon, slash, or @) tightly bounds the match. Corroborative evidence further reduces false positives.
- Jurisdictions: global
- Regulations: Criminal Code Act 1995 (Cth)
- Frameworks: CIS Controls, ISO 27001, NIST CSF
- Data categories: credentials
- Scope: specific
- Platform compatibility: Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Compatible
Pattern
https?://[^\s:/@]{1,64}:[^\s:/@]{1,128}@[A-Za-z0-9.-]{1,255}
Corroborative evidence keywords
github.com, gitlab, dev.azure.com, bitbucket, git-credentials
Proximity: 300 characters
Should match
- https://alice:ghp_AbCd1234EfGh5678IjKl@github.com (Embedded credentials in git URL)
- https://deploy:hunter2@gitlab.example.com (GitLab URL with password)
- https://oauth2:glpat-xxxxxxxxxxxxxxxxxxxx@gitlab.com/group/repo.git (GitLab PAT in URL)
Should not match
- https://github.com/org/repo.git (No credentials embedded)
- https://example.com/page?ref=main (Query string, not credentials)
Known false positives
- Service accounts or CI/CD pipeline logs that mask credentials with asterisks but retain URL structure. Mitigation: Check for placeholder patterns like asterisks or literal "password" in the credential field.
- Documentation examples showing URL format with placeholder credentials. Mitigation: Require proximity to git-specific hosting domains to reduce documentation false positives.
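The rule's pattern, keyword proximity check and placeholder mitigation, combined in one scanner as an added example (not code from this rule's source or from Snaffler). It uses Python's `re` rather than boost_regex; the function name `scan`, the status labels, the placeholder check and the reading of "proximity" as 300 characters either side of the match (the matched URL included) are assumptions.

```python
import re

# Pattern, keywords and proximity copied verbatim from the rule on this page.
PATTERN = re.compile(r"https?://[^\s:/@]{1,64}:[^\s:/@]{1,128}@[A-Za-z0-9.-]{1,255}")
KEYWORDS = ("github.com", "gitlab", "dev.azure.com", "bitbucket", "git-credentials")
PROXIMITY = 300

# Assumption: a password field that is all asterisks, or the literal word
# "password", is a masked or documentation placeholder.
PLACEHOLDER = re.compile(r"\*+|password", re.IGNORECASE)

# Constructed sample input; the first two URLs are the page's own test cases.
SAMPLE = """\
git remote set-url origin https://alice:ghp_AbCd1234EfGh5678IjKl@github.com
clone https://oauth2:glpat-xxxxxxxxxxxxxxxxxxxx@gitlab.com/group/repo.git
fetch https://github.com/org/repo.git
[ci] pushing to https://deploy:****@gitlab.example.com
docs: use https://user:password@bitbucket.org as the format
"""


def scan(text):
    """Return one finding per pattern match, with the secret redacted."""
    findings = []
    lowered = text.lower()
    for m in PATTERN.finditer(text):
        scheme, rest = m.group(0).split("://", 1)
        user, _, rest = rest.partition(":")
        secret, _, host = rest.partition("@")
        # Assumption: the window spans 300 characters either side of the
        # match and includes the matched URL itself.
        window = lowered[max(0, m.start() - PROXIMITY):m.end() + PROXIMITY]
        evidence = [k for k in KEYWORDS if k in window]
        if PLACEHOLDER.fullmatch(secret):
            status = "placeholder"
        elif evidence:
            status = "corroborated"
        else:
            status = "uncorroborated"
        findings.append({
            "url": f"{scheme}://{user}:<redacted>@{host}",
            "status": status,
            "evidence": evidence,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["status"].ljust(15), f["url"], f["evidence"])
```

Findings carry a redacted URL so that the scanner's own output does not become a second copy of the credential.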