Since 0.65.0, repository credentials are leaked in RepoURL metadata of JSON report #9350

pdecat · 2025-08-18T15:54:30Z

pdecat
Aug 18, 2025

Description

Hi, I've just noticed that since 0.65.0, repository credentials are leaked in RepoURL metadata of JSON report when running trivy in our Gitlab CI environment:

This was introduced in #9252 to resolve #9255

Desired Behavior

Credentials should not be stored in generated report.

Actual Behavior

Credentials are stored in generated report.

Reproduction Steps

1. run trivy 0.65.0 in Gitlab CI

Target

Filesystem

Scanner

Secret

Output Format

JSON

Mode

Standalone

Debug Output

$ trivy fs --format json --output reports/trivy.json --scanners vuln,secret --severity CRITICAL,HIGH,MEDIUM,LOW --include-dev-deps .
2025-08-18T15:22:18Z	INFO	[vuln] Vulnerability scanning is enabled
2025-08-18T15:22:18Z	INFO	[secret] Secret scanning is enabled
2025-08-18T15:22:18Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-08-18T15:22:18Z	INFO	[secret] Please see also https://trivy.dev/v0.65/docs/scanner/secret#recommendation for faster secret detection
2025-08-18T15:22:18Z	INFO	Number of language-specific files	num=1
2025-08-18T15:22:18Z	INFO	[poetry] Detecting vulnerabilities...
2025-08-18T15:22:18Z	INFO	[vuln] Vulnerability scanning is enabled
2025-08-18T15:22:18Z	INFO	[secret] Secret scanning is enabled
2025-08-18T15:22:18Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-08-18T15:22:18Z	INFO	[secret] Please see also https://trivy.dev/v0.65/docs/scanner/secret#recommendation for faster secret detection
2025-08-18T15:22:18Z	INFO	Number of language-specific files	num=1
2025-08-18T15:22:18Z	INFO	[poetry] Detecting vulnerabilities...

Operating System

Linux

Version

$ trivy --version
Version: 0.65.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-07-23 06:29:29.039170399 +0000 UTC
  NextUpdate: 2025-07-24 06:29:29.039170269 +0000 UTC
  DownloadedAt: 2025-07-23 10:15:29.250585212 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

itaysk · 2025-08-20T13:32:49Z

itaysk
Aug 20, 2025
Maintainer

thanks, we will fix that

0 replies

DmitriyLewen · 2025-08-27T09:28:58Z

DmitriyLewen
Aug 27, 2025
Maintainer

Created #9390

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Since 0.65.0, repository credentials are leaked in RepoURL metadata of JSON report #9350

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Since 0.65.0, repository credentials are leaked in RepoURL metadata of JSON report #9350

Uh oh!

Uh oh!

pdecat Aug 18, 2025

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 2 comments

Uh oh!

itaysk Aug 20, 2025 Maintainer

Uh oh!

DmitriyLewen Aug 27, 2025 Maintainer

pdecat
Aug 18, 2025

itaysk
Aug 20, 2025
Maintainer

DmitriyLewen
Aug 27, 2025
Maintainer