Skip to content

Commit 70215de

Browse files
author
k4w_wak
committed
security: add credential patterns to .gitignore + SECURITY.md
- Adds common credential file patterns to .gitignore (*.pem, *.key, .env, credentials.json, etc.) - Adds SECURITY.md with credential handling guidance and pre-commit check instructions Refs: Google OSS VRP Issue #504158909 Closes: #5520 Reported-by: k4w_wak (k4w1992@gmail.com)
1 parent ad937fe commit 70215de

2 files changed

Lines changed: 48 additions & 0 deletions

File tree

.gitignore

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -116,3 +116,20 @@ CLAUDE.md
116116
.rooignore
117117
.bolt/
118118
.v0/
119+
120+
# === SECURITY: Credential patterns — added per Issue #5520 ===
121+
*.pem
122+
*.key
123+
*.p12
124+
*.pfx
125+
*.jks
126+
*.keystore
127+
*.tokencache
128+
credentials.json
129+
service-account.json
130+
.env
131+
.env.*
132+
!.env.example
133+
*.secret
134+
secrets.yaml
135+
secrets.yml

SECURITY.md

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
# Security Policy — Google ADK
2+
3+
## Reporting a Vulnerability
4+
5+
If you discover a security vulnerability in this repository, please report it via:
6+
7+
- Google OSS VRP: https://bughunters.google.com
8+
- Or open a GitHub Security Advisory
9+
10+
## Credential Handling
11+
12+
**NEVER** commit any of the following to this repository:
13+
14+
- OAuth access tokens (`ya29.*`)
15+
- API keys (`AIzaSy*`)
16+
- Service account JSON keys
17+
- Private keys (`.pem`, `.key`)
18+
- `.env` files with real credentials
19+
- Any form of password or secret
20+
21+
Use environment variables or a secrets manager instead.
22+
23+
## Pre-commit Checks
24+
25+
Run before committing:
26+
```bash
27+
pip install detect-secrets
28+
detect-secrets scan --all-files
29+
```
30+
31+
Reported by: @k4w1992-lgtm | Google Issue: #504158909

0 commit comments

Comments
 (0)