
Credentials are an essential part of modern software development and deployment, granting bearers privileged access to systems, applications, and data. However, credential-related vulnerabilities remain the predominant entry point exploited by threat actors in the cloud.

Stolen credentials “are now the second-highest initial infection vector, making up 16% of our investigations,” said Jurgen Kutscher, vice-president, Mandiant Consulting, in his summary of our M-Trends 2025 report.

Ensuring the safe management of these credentials is a vital task. Developers may accidentally include credentials in artifacts like source code, built software packages, or Docker images. If these credentials fall into the wrong hands, they can be used by malicious actors for data exfiltration, cryptojacking, ransomware attacks, and general resource abuse. 

Safeguarding credentials is particularly acute for open-source developers because when a credential is accidentally included in an artifact that is pushed to a public repository (like GitHub, PyPI or DockerHub), that credential becomes available to anyone on the Internet. 

To address this critical issue, we’ve developed a tool that scans open-source package and image files by default for leaked Google Cloud credentials, helping protect Google Cloud customers who publish open-source artifacts. Created by Google’s deps.dev team in collaboration with Google Cloud’s credential protection team, the tool has already produced significant results in identifying and reporting exposed credentials such as API keys, service account keys, and OAuth client secrets in historical artifacts.

While this effort has initially focused on Google Cloud credentials, we plan to expand scanning to include third-party credentials later this year.

Beyond retrospective reporting, the tool also scans newly published open-source artifacts for leaked credentials. This pivotal advance can help drive remediation for immediate security breach threats, significantly reducing the risk of developer compromise. 

The tool can also cultivate a culture of improved security by effectively shifting security to earlier in the development lifecycle when problems are easier to solve. By shifting left and encouraging earlier security awareness, the tool can help foster improved credential management practices in the open-source community, ultimately strengthening the resilience and security of the entire software supply chain.


Understanding the dangers of exposed cloud credentials

Exposed credentials present a serious security risk to cloud users because they allow an individual to gain access to a user’s cloud environment, including their resources, applications and managed user data. A malicious actor can exploit this access for nefarious purposes such as data theft, cryptojacking, ransomware attacks, and general resource abuse which can result in severe financial, reputational, and operational damage. 

Once a credential has been obtained by malicious actors, it should be considered permanently compromised, because compromised credentials are easily copied and shared.

Open source developers, while contributing to the collaborative ecosystem, face the risk of inadvertently exposing sensitive credentials. While source code repository hosts like GitHub and GitLab already scan public source code (and, in some cases, package repositories) for exposed credentials, the challenge extends significantly beyond source code. 

Built packages and Docker images often include configuration, compiled binaries, and build scripts, all potential sources of leaked credentials. Publishing these artifacts on open-source repositories like Maven Central, PyPI, or DockerHub can expose leaked credentials to exploitation by any individual on the internet. The ease and speed with which open-source artifacts are shared and distributed magnifies the potential damage, making strong credential management and proactive leak detection and remediation critical.

How to scan open source code for credentials

The deps.dev team provides services to help developers better understand the structure, construction, and security of open-source software. The team maintains and analyzes a continuously updated corpus of over 5 billion unique files, across hundreds of millions of open-source software artifacts like source code repositories, software packages and Docker containers. 

The pipeline that supports this corpus automatically ingests hundreds of millions of public artifacts from a variety of open-source repositories. These include package managers (such as npm, Maven Central, and PyPI), source code repository hosts (such as GitHub and GitLab), and Docker images.


Once artifacts are ingested, they undergo a comprehensive decomposition process, which extracts all constituent parts: every file at every commit in a Git repository, every unarchived or unzipped file in a software package, and every file in every individual layer of a Docker image — not just the files in the final image filesystem. These files are then analyzed, which includes scanning them for exposed Google Cloud credentials.

When a suspected Google Cloud credential is detected, the credential reporting backend immediately alerts the credential protection program. Since its creation, we’ve observed this system detect and remediate leaked credentials within minutes of their publication, matching or exceeding the speed with which malicious actors have been demonstrated to exploit them.
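The layer-by-layer decomposition matters because a credential that was added in one image layer and deleted in a later one is gone from the final filesystem but still present in the published image. The following added example (not deps.dev code; a self-contained illustration written for this page) builds a small constructed two-layer image tarball in the `docker save` layout, scans every file in every layer for the documented public Google API key format (`AIza` followed by 35 URL-safe characters) and for the JSON shape of a service account key, and contrasts that with a scan of only the reconstructed final filesystem. The key value, image name and file paths are constructed placeholders.

```python
"""Scan every layer of a Docker image tarball for Google Cloud credential patterns.

Added example for this post; not deps.dev's scanner. Assumes the uncompressed
`docker save` tarball layout: a top-level manifest.json listing per-image layer
tarballs, each layer itself a tar whose ".wh.<name>" entries are whiteouts.
"""
import io
import json
import re
import sys
import tarfile
from dataclasses import dataclass
from typing import Iterator

# Public API key format: "AIza" + 35 chars from [0-9A-Za-z_-].
API_KEY_RE = re.compile(rb"AIza[0-9A-Za-z_\-]{35}")
# Service account key JSON always carries both of these markers.
SA_TYPE_RE = re.compile(rb'"type"\s*:\s*"service_account"')
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA )?PRIVATE KEY-----")

# Constructed placeholder; matches the format but is not a real key.
FAKE_API_KEY = b"AIza" + b"EXAMPLE" * 5


@dataclass(frozen=True)
class Finding:
    layer: str   # which layer tarball the file came from
    path: str    # path of the file inside that layer
    kind: str    # credential type detected


def scan_bytes(data: bytes) -> list[str]:
    """Return the credential kinds found in one file's content."""
    kinds = []
    if API_KEY_RE.search(data):
        kinds.append("google_api_key")
    if SA_TYPE_RE.search(data) and PRIVATE_KEY_RE.search(data):
        kinds.append("service_account_key")
    return kinds


def iter_layer_files(image_bytes: bytes) -> Iterator[tuple[str, str, bytes]]:
    """Yield (layer, path, content) for every regular file in every layer,
    intermediate layers included, in manifest order."""
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for entry in manifest:
            for layer_name in entry["Layers"]:
                layer_data = image.extractfile(layer_name).read()
                with tarfile.open(fileobj=io.BytesIO(layer_data)) as layer:
                    for member in layer.getmembers():
                        if member.isfile():
                            yield layer_name, member.name, layer.extractfile(member).read()


def scan_image(image_bytes: bytes) -> list[Finding]:
    """Scan all layers; this is what catches credentials later deleted by a whiteout."""
    return [Finding(layer, path, kind)
            for layer, path, data in iter_layer_files(image_bytes)
            for kind in scan_bytes(data)]


def final_filesystem(image_bytes: bytes) -> dict[str, bytes]:
    """Apply layers in order, honoring ".wh." whiteouts, to get the runtime view.
    Scanning only this view misses anything deleted in a later layer."""
    fs: dict[str, bytes] = {}
    for _layer, path, data in iter_layer_files(image_bytes):
        head, _, base = path.rpartition("/")
        if base.startswith(".wh."):
            fs.pop(f"{head}/{base[4:]}" if head else base[4:], None)
        else:
            fs[path] = data
    return fs


def scan_final_filesystem(image_bytes: bytes) -> list[Finding]:
    return [Finding("<final>", path, kind)
            for path, data in final_filesystem(image_bytes).items()
            for kind in scan_bytes(data)]


def _tar_bytes(files: dict[str, bytes]) -> bytes:
    """Build an uncompressed tar in memory from {path: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed image: layer 1 adds app/.env with a key, layer 2 deletes it."""
    layer1 = _tar_bytes({"app/.env": b"GOOGLE_API_KEY=" + FAKE_API_KEY + b"\n",
                         "app/main.py": b"print('hello')\n"})
    layer2 = _tar_bytes({"app/.wh..env": b""})  # whiteout removes app/.env
    manifest = json.dumps([{"Config": "config.json",
                            "RepoTags": ["example/app:latest"],
                            "Layers": ["l1/layer.tar", "l2/layer.tar"]}]).encode()
    return _tar_bytes({"manifest.json": manifest, "config.json": b"{}",
                       "l1/layer.tar": layer1, "l2/layer.tar": layer2})


if __name__ == "__main__":
    # Usable as a publish gate: non-zero exit when any layer leaks a credential.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for f in scan_image(image):
        print(f"{f.kind} in {f.path} (layer {f.layer})")
    sys.exit(1 if scan_image(image) else 0)
```

Run without arguments to use the constructed sample: the all-layers scan reports the key in `app/.env` from the first layer, while the final-filesystem scan reports nothing because the second layer's whiteout removed the file. Run with a path to an uncompressed `docker save` tarball to scan a real artifact before pushing it.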

Credential containment and recovery

We’ve set up a web endpoint so vetted Google Cloud users and security researchers can submit suspected exposed credentials for review. Once a submitter’s identity is validated, the Google Cloud credential protection system proceeds to confirm the validity of the reported credentials. If the credential is confirmed to be active, Google Cloud provides immediate customer notification through multiple channels, including email, telemetry logs, and in-product alerts.

Google Cloud may take automated remediation steps to mitigate potential damage in accordance with customer configurable policy, such as disabling affected service account keys.

What’s next?

We are actively working to further secure open source communities and protect Google Cloud customers alike by taking a proactive approach to credential exposure. Our efforts in this area include several key initiatives:

  • Broadening the scope of credential scanning: We’re expanding the range of credential types the tool can scan for, which can help protect more organizations and developers.

  • Increasing open-source coverage: We’re scanning more open-source platforms and repositories to discover exposed credentials, which can help mitigate risks across more of the ecosystem.

  • Empowering open-source communities with preventative measures: We’re developing and offering tools that allow open-source communities to integrate credential exposure checks directly into their publish workflow, which can help prevent credential leaks before they happen.

By focusing on both detection and prevention, we aim to foster a more secure and resilient open source environment. To report exposed Google Cloud credentials, please contact gcp-credentials-reports@google.com. If you are a credential provider and would like to talk about partnering with us to scan for your credentials, please contact depsdev@google.com.