trufflesecurity · AlexanderSanin · May 29, 2026
@@ -79,6 +79,14 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 			continue
 		}
 
+		// real tokens are random and always contain at least one digit;
+		// variable names like MAVEN_SETTINGS_PROFILE have no digits and
+		// are a common source of false positives when they appear within
+		// 40 characters of a "gitlab" keyword on a preceding line.
+		if !detectors.KeyIsRandom(resMatch) {
+			continue
+		}
+
 		for _, endpoint := range s.Endpoints() {
 			s1 := detectors.Result{
 				DetectorType: detector_typepb.DetectorType_Gitlab,

@@ -45,6 +45,16 @@ func TestGitLab_Pattern(t *testing.T) {
 			input: "GITLAB_TOKEN=ABc123456789dEFghIJK",
 			want:  []string{"ABc123456789dEFghIJKhttps://gitlab.com"},
 		},
+		{
+			// Regression test for https://github.com/trufflesecurity/trufflehog/issues/4756
+			// ARG variable names that appear after GITLAB_* args in a Dockerfile must not be
+			// flagged as secrets because they contain no digits (KeyIsRandom check).
+			name: "no false positive for Dockerfile ARG variable name after GITLAB_ACCESS_TOKEN",
+			input: `ARG GITLAB_ACCESS_TOKEN_TYPE=Private-Token
+ARG GITLAB_ACCESS_TOKEN
+ARG MAVEN_SETTINGS_PROFILE=test`,
+			want: []string{},
+		},
 	}
 
 	for _, test := range tests {