Source URL: https://cloud.google.com/blog/products/identity-security/securing-open-source-credentials-at-scale/
Source: Cloud Blog
Title: How Google Cloud is securing open-source credentials at scale
Feedly Summary: Credentials are an essential part of modern software development and deployment, granting bearers privileged access to systems, applications, and data. However, credential-related vulnerabilities remain the predominant entry point exploited by threat actors in the cloud.
Stolen credentials “are now the second-highest initial infection vector, making up 16% of our investigations,” said Jurgen Kutscher, vice-president, Mandiant Consulting, in his summary of our M-Trends 2025 report.
Ensuring the safe management of these credentials is a vital task. Developers may accidentally include credentials in artifacts like source code, built software packages, or Docker images. If these credentials fall into the wrong hands, they can be used by malicious actors for data exfiltration, cryptojacking, ransomware attacks, and general resource abuse.
Safeguarding credentials is particularly acute for open-source developers because when a credential is accidentally included in an artifact that is pushed to a public repository (like GitHub, PyPI or DockerHub), that credential becomes available to anyone on the Internet.
To address this critical issue, we’ve developed a powerful tool that scans open-source package and image files by default for leaked Google Cloud credentials, to help protect Google Cloud customers who publish open-source artifacts. The tool was created by Google’s deps.dev team in collaboration with Google Cloud’s credential protection team, and it has already produced significant results in identifying and reporting exposed credentials such as API keys, service account keys, and OAuth client secrets in historical artifacts.
While this effort has initially focused on Google Cloud credentials, we plan to expand scanning to include third-party credentials later this year.
Beyond retrospective reporting, the tool also scans newly published open-source artifacts for leaked credentials. This pivotal advance can help drive remediation for immediate security breach threats, significantly reducing the risk of developer compromise.
The tool can also cultivate a culture of improved security by effectively shifting security to earlier in the development lifecycle when problems are easier to solve. By shifting left and encouraging earlier security awareness, the tool can help foster improved credential management practices in the open-source community, ultimately strengthening the resilience and security of the entire software supply chain.
Understanding the dangers of exposed cloud credentials
Exposed credentials present a serious security risk to cloud users because they allow an individual to gain access to a user’s cloud environment, including their resources, applications and managed user data. A malicious actor can exploit this access for nefarious purposes such as data theft, cryptojacking, ransomware attacks, and general resource abuse, which can result in severe financial, reputational, and operational damage.
Once a credential is obtained by malicious actors it should be considered permanently compromised because compromised credentials are easily copied and shared.
Open source developers, while contributing to the collaborative ecosystem, face the risk of inadvertently exposing sensitive credentials. While source code repository hosts like GitHub and GitLab already scan public source code (and, in some cases, package repositories) for exposed credentials, the challenge extends significantly beyond source code.
Built packages and Docker images often include configuration, compiled binaries, and build scripts, all potential sources of leaked credentials. Publishing these artifacts on open-source repositories like Maven Central, PyPI, or DockerHub can expose leaked credentials to exploitation by any individual on the internet. The ease and speed with which open-source artifacts are shared and distributed magnifies the potential damage, making strong credential management and proactive leak detection and remediation critical.
How to scan open source code for credentials
The deps.dev team provides services to help developers better understand the structure, construction, and security of open-source software. The team maintains and analyzes a continuously updated corpus of over 5 billion unique files, across hundreds of millions of open-source software artifacts like source code repositories, software packages and Docker containers.
The pipeline to support this corpus automatically ingests hundreds of millions of public artifacts from a variety of open-source repositories. These include package managers (such as npm, Maven Central, and PyPI), source code repository hosts (such as GitHub and GitLab), and Docker images.
Once artifacts are ingested, they undergo a comprehensive decomposition process, which extracts all constituent parts: every file at every commit in a Git repository, every unarchived or unzipped file in a software package, and every file in every individual layer of a Docker image, not just the files in the final image filesystem. These files are then analyzed, which includes scanning them for exposed Google Cloud credentials.
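The layer-by-layer point matters in practice: a credential that was added in one image layer and deleted in a later one is gone from the assembled filesystem but still sits in the image history that anyone who pulls the image receives. The following is an added example, not deps.dev’s code, that scans a `docker save`-style image tarball layer by layer and a zip-based package member by member, and contrasts that with a scan of only the final filesystem. It assumes the `manifest.json` plus per-layer `layer.tar` layout that `docker save` produces, credential regexes modelled on publicly documented formats (Google API keys, service account key JSON, OAuth client secrets), and a constructed two-layer sample image and sample wheel with placeholder keys that were never issued.

```python
import io
import json
import re
import tarfile
import zipfile

# Credential patterns, modelled on publicly documented key formats (an assumption
# of this example; a production scanner would also confirm hits with the issuer).
PATTERNS = {
    "google_api_key": re.compile(rb"AIza[0-9A-Za-z_\-]{35}"),
    "service_account_key": re.compile(rb'"type"\s*:\s*"service_account"'),
    "oauth_client_secret": re.compile(rb"GOCSPX-[0-9A-Za-z_\-]{20,}"),
}


def scan_bytes(data, path):
    """Return one finding per pattern match in a single file's contents."""
    return [{"type": name, "path": path, "offset": m.start()}
            for name, pat in PATTERNS.items() for m in pat.finditer(data)]


def _layers(image_bytes):
    """Yield (layer_path, open layer tar) for a `docker save` tarball, in order."""
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_path in manifest[0]["Layers"]:
            layer_bytes = image.extractfile(layer_path).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                yield layer_path, layer


def scan_image_layers(image_bytes):
    """Scan every regular file in every layer, not just the final filesystem."""
    findings = []
    for layer_path, layer in _layers(image_bytes):
        for member in layer.getmembers():
            if member.isfile():
                data = layer.extractfile(member).read()
                findings += [{**f, "layer": layer_path} for f in scan_bytes(data, member.name)]
    return findings


def final_filesystem(image_bytes):
    """Apply layers in order, honouring `.wh.` whiteout entries: this is all a
    scanner that only inspects the assembled image filesystem would see."""
    fs = {}
    for _layer_path, layer in _layers(image_bytes):
        for member in layer.getmembers():
            dirname, _, base = member.name.rpartition("/")
            if base.startswith(".wh."):  # whiteout: deletes the named file
                target = base[len(".wh."):]
                fs.pop(f"{dirname}/{target}" if dirname else target, None)
            elif member.isfile():
                fs[member.name] = layer.extractfile(member).read()
    return fs


def scan_final_filesystem(image_bytes):
    """The naive scan: only files that survive into the final filesystem."""
    return [f for path, data in final_filesystem(image_bytes).items()
            for f in scan_bytes(data, path)]


def scan_package_zip(zip_bytes):
    """Scan every member of a zip-based package (for example a Python wheel)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as pkg:
        return [f for info in pkg.infolist() if not info.is_dir()
                for f in scan_bytes(pkg.read(info), info.filename)]


# --- Constructed sample artifacts: not real images, packages or credentials ---
FAKE_API_KEY = b"AIza" + b"A" * 34 + b"Z"  # constructed; right shape, never issued


def _tar_bytes(files):
    """Build an in-memory tar from {member_name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Two-layer image: layer 1 ships the key in app/config.env, layer 2 deletes it
    with a whiteout. The final filesystem is clean; the layer history is not."""
    layer1 = _tar_bytes({"app/main.py": b"print('hello')\n",
                         "app/config.env": b"GOOGLE_API_KEY=" + FAKE_API_KEY + b"\n"})
    layer2 = _tar_bytes({"app/.wh.config.env": b""})
    manifest = json.dumps([{"Config": "config.json", "RepoTags": ["example/app:latest"],
                            "Layers": ["layer1/layer.tar", "layer2/layer.tar"]}]).encode()
    return _tar_bytes({"manifest.json": manifest, "config.json": b"{}",
                       "layer1/layer.tar": layer1, "layer2/layer.tar": layer2})


def build_sample_wheel():
    """Wheel-like zip that accidentally bundles a service account key file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("pkg/__init__.py", "VERSION = '1.0'\n")
        pkg.writestr("pkg/sa.json", json.dumps({"type": "service_account",
                                                "private_key": "PLACEHOLDER-NOT-A-KEY"}))
    return buf.getvalue()


if __name__ == "__main__":
    image = build_sample_image()
    print("all layers:", scan_image_layers(image))
    print("final filesystem only:", scan_final_filesystem(image))
    print("wheel:", scan_package_zip(build_sample_wheel()))
```

Run as a script, the layer scan reports the API key in `layer1/layer.tar` while the final-filesystem scan reports nothing, which is exactly the gap the decomposition step closes. The same `scan_bytes` routine is what a pre-publish check in a package’s release workflow would run over the built artifact before it is uploaded.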
When a suspected Google Cloud credential is detected, the credential reporting backend immediately alerts the credential protection program. Since its creation, we’ve observed this system detect and remediate leaked credentials within minutes of their publication, matching or exceeding the speed with which malicious actors have been demonstrated to exploit them.
Credential containment and recovery
We’ve set up a web endpoint so vetted Google Cloud users and security researchers can submit suspected exposed credentials for review. Once a submitter’s identity is validated, the Google Cloud credential protection system proceeds to confirm the validity of the reported credentials. If the credential is confirmed to be active, Google Cloud provides immediate customer notification through multiple channels, including email, telemetry logs, and in-product alerts.
Google Cloud may take automated remediation steps to mitigate potential damage in accordance with customer configurable policy, such as disabling affected service account keys.
What’s next?
We are actively working to further secure open source communities and protect Google Cloud customers alike by taking a proactive approach to credential exposure. Our efforts in this area include several key initiatives:
Broadening the scope of credential scanning: We’re expanding the range of credential types the tool can scan for, which can help protect more organizations and developers.
Increasing open-source coverage: We’re scanning more open-source platforms and repositories to discover exposed credentials, which can help mitigate risks across more of the ecosystem.
Empowering open-source communities with preventative measures: We’re developing and offering tools that allow open-source communities to integrate credential exposure checks directly into their publish workflow, which can help prevent credential leaks before they happen.
By focusing on both detection and prevention, we aim to foster a more secure and resilient open source environment. To report exposed Google Cloud credentials, please contact gcp-credentials-reports@google.com. If you are a credential provider and would like to talk about partnering with us to scan for your credentials, please contact depsdev@google.com.
AI Summary and Description: Yes
Summary: The text discusses the significant risks associated with credential exposure in cloud environments, particularly within the open-source community. It highlights the development of a tool by Google to detect and remediate leaked Google Cloud credentials in open-source artifacts, aiming to improve security practices and mitigate threats like data theft and ransomware.
Detailed Description:
The text emphasizes the critical importance of securely managing credentials in software development and deployment, noting that credential-related vulnerabilities are the leading entry points for threat actors in cloud environments. Key points include:
– **Credential Vulnerabilities**: Stolen credentials are a major security concern, representing the second-highest initial infection vector (16%) according to Mandiant’s M-Trends 2025 report.
– **Risks of Exposure**: When credentials are accidentally included in open-source artifacts (e.g., code repositories, Docker images), they become accessible to anyone online, leading to potential exploitation by malicious actors for activities like data exfiltration and ransomware attacks.
– **Tool Development**: Google has developed a tool to scan open-source package and image files for leaked Google Cloud credentials. This tool is designed to:
– Identify exposed credentials, including API keys and service account keys, in both historical and newly published artifacts.
– Help drive immediate remediation efforts to address security threats.
– Cultivate a culture of security awareness in the development lifecycle, shifting security considerations earlier in the process.
– **Scanning Process**: The deps.dev team has created a comprehensive system to scan open-source software artifacts. This involves:
– Continuously ingesting and analyzing a corpus of over 5 billion unique files drawn from hundreds of millions of artifacts across multiple open-source repositories.
– Applying sophisticated decomposition processes to assess every component of a software package or Docker image.
– Rapidly detecting and reporting suspected credential leaks to mitigate the risk of exploitation.
– **Credential Containment and Recovery**: The system allows vetted users to report suspected exposed credentials, enabling Google Cloud to validate and notify users about potentially compromised credentials. Automated remediation steps may also be taken to limit damage.
– **Future Initiatives**: Google plans to broaden its credential scanning scope, increase coverage of open-source platforms, and empower communities to prevent credential leaks.
This initiative addresses the critical need for enhanced credential management and security within the open-source community, ultimately aiming to protect cloud users from the detrimental consequences associated with credential exposure. By focusing on both detection and prevention, Google seeks to foster a more secure ecosystem in cloud computing and software development.