GitLab detector false positives for Docker arguments

[acdha]

The GitLab secrets detector seems to trigger on any use of MAVEN_SETTINGS_PROFILE in a Dockerfile.

TruffleHog Version

trufflehog 3.93.4

Trace Output

n/a

Expected Behavior

Trufflehog does not report a false-positive.

Actual Behavior

Found unverified result 🐷🔑❓
(Verification info cached)
Detector Type: Gitlab
Decoder Type: PLAIN
Raw result: MAVEN_SETTINGS_PROFILE
Rotation_guide: https://howtorotate.com/docs/tutorials/gitlab/
Version: 1
File: search/Dockerfile
Line: 12

Steps to Reproduce

Create a Dockerfile with the following contents:

FROM scratch
ARG GITLAB_ACCESS_TOKEN_TYPE=Private-Token
ARG GITLAB_ACCESS_TOKEN
ARG MAVEN_SETTINGS_PROFILE=test

Having either GITLAB_ACCESS_TOKEN or GITLAB_ACCESS_TOKEN_TYPE present in the file will cause the next line to be reported as a false-positive.

Environment

n/a

Additional Context

References

[shahzadhaider1]

Thanks for the detailed report!

You’ve identified a false positive caused by the GitLab detector’s proximity matching: the keyword gitlab appears on one line (GITLAB_ACCESS_TOKEN), and the next line’s MAVEN_SETTINGS_PROFILE, which unfortunately matches the token pattern of GitLab (20‑22 characters with underscores). The detector then flags it.

Quick workarounds

• Rename the variable to break the length pattern, e.g., MAVEN_PROFILE (shorter) or MAVEN_SETTINGS_PROFILE_ (longer).
• Exclude the file from filesystem scans using --exclude-paths:
  • Create a file exclude.txt and add all the paths separated by newline that need to be excluded, and then add the following to your command:

    --exclude-paths exclude.txt
    

We appreciate you bringing this to our attention. It helps make TruffleHog better. If you’d like to contribute a fix to the detector, we’re happy to guide you. Otherwise, we’ll keep this open as an enhancement.