diff --git a/lib/logger/__snapshots__/err-serializer.spec.ts.snap b/lib/logger/__snapshots__/err-serializer.spec.ts.snap
index 2c9fa5a88cec101017bf87afe14981528cee293c..864e79bd04ede1ed1c2ab0195cfda3a3c9ace6d1 100644
--- a/lib/logger/__snapshots__/err-serializer.spec.ts.snap
+++ b/lib/logger/__snapshots__/err-serializer.spec.ts.snap
@@ -15,7 +15,7 @@ Object {
     "http2": false,
     "method": "POST",
     "password": "***********",
-    "url": "https://:**redacted**@github.com/api",
+    "url": "https://**redacted**@github.com/api",
     "username": "",
   },
   "response": Object {
diff --git a/lib/logger/err-serializer.spec.ts b/lib/logger/err-serializer.spec.ts
index 75d0b6b371c72b45a06a4a7ca6c301fa2a42a7c6..1021746d822289b0de186466cceca0e9e5c6498a 100644
--- a/lib/logger/err-serializer.spec.ts
+++ b/lib/logger/err-serializer.spec.ts
@@ -106,7 +106,7 @@ describe('logger/err-serializer', () => {
         options: {
           method: 'POST',
           password: '***********',
-          url: 'https://:**redacted**@github.com/api',
+          url: 'https://**redacted**@github.com/api',
           username: '',
         },
       });
diff --git a/lib/logger/utils.spec.ts b/lib/logger/utils.spec.ts
index ad2af427f998815bc2452ad97e012332522ba903..3915857bc42258a7dea559166f5611863c7f9e6f 100644
--- a/lib/logger/utils.spec.ts
+++ b/lib/logger/utils.spec.ts
@@ -1,4 +1,4 @@
-import { validateLogLevel } from './utils';
+import { sanitizeValue, validateLogLevel } from './utils';
 
 describe('logger/utils', () => {
   afterEach(() => {
@@ -30,4 +30,17 @@ describe('logger/utils', () => {
     }).toThrow();
     expect(mockExit).toHaveBeenCalledWith(1);
   });
+
+  it.each`
+    input                                                                 | output
+    ${' https://somepw@domain.com/gitlab/org/repo?go-get'}                | ${' https://**redacted**@domain.com/gitlab/org/repo?go-get'}
+    ${'https://someuser:somepw@domain.com'}                               | ${'https://**redacted**@domain.com'}
+    ${'https://someuser:@domain.com'}                                     | ${'https://**redacted**@domain.com'}
+    ${'redis://:somepw@172.32.11.71:6379/0'}                              | ${'redis://**redacted**@172.32.11.71:6379/0'}
+    ${'some text with\r\n url: https://somepw@domain.com\nand some more'} | ${'some text with\r\n url: https://**redacted**@domain.com\nand some more'}
+    ${'[git://domain.com](git://pw@domain.com)'}                          | ${'[git://domain.com](git://**redacted**@domain.com)'}
+    ${'user@domain.com'}                                                  | ${'user@domain.com'}
+  `('sanitizeValue("$input") == "$output"', ({ input, output }) => {
+    expect(sanitizeValue(input)).toBe(output);
+  });
 });
diff --git a/lib/logger/utils.ts b/lib/logger/utils.ts
index a8541c65746bf6fb012dd8421f1736ae086bcfe3..d797fbe59a3469aaebef18a012b50455fe0e3f05 100644
--- a/lib/logger/utils.ts
+++ b/lib/logger/utils.ts
@@ -103,7 +103,7 @@ export function sanitizeValue(
   seen = new WeakMap<NestedValue, unknown>()
 ): any {
   if (is.string(value)) {
-    return sanitize(value);
+    return sanitize(sanitizeUrls(value));
   }
 
   if (is.date(value)) {
@@ -243,3 +243,13 @@ export function validateLogLevel(logLevelToCheck: string | undefined): void {
   logger.fatal(`${logLevelToCheck} is not a valid log level. terminating...`);
   process.exit(1);
 }
+
+// Can't use `util/regex` because of circular reference to logger
+const urlRe = /[a-z]{3,9}:\/\/[-;:&=+$,\w]+@[a-z0-9.-]+/gi;
+const urlCredRe = /\/\/[^@]+@/g;
+
+export function sanitizeUrls(text: string): string {
+  return text.replace(urlRe, (url) => {
+    return url.replace(urlCredRe, '//**redacted**@');
+  });
+}