Grype has a credential disclosure vulnerability in its JSON output in github.com/anchore/grype
{ "url": "https://pkg.go.dev/vuln/GO-2025-4160", "review_status": "UNREVIEWED" }
"https://vuln.go.dev/ID/GO-2025-4160.json"