HTTP basic-auth credentials in URL
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
An http(s):// URL embeds user:password basic-auth credentials. The password travels in the URL, which lands in logs, browser history, and referer headers.
Why it matters
An http(s):// URL with user:password basic-auth credentials leaks the password into logs, browser history, proxy records, and referer headers, because the whole URL travels with the request. It is committed here on top of that. Anyone who reads the repo gets the credential.
How to fix it
Send basic-auth credentials in an Authorization header built from environment variables, not in the URL. Read the values at runtime. Rotate the exposed credential with the service afterward.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo