Skip to content

security: add credential patterns to .gitignore + SECURITY.md#5521

Open
k4w1992-lgtm wants to merge 1 commit intogoogle:mainfrom
k4w1992-lgtm:main
Open

security: add credential patterns to .gitignore + SECURITY.md#5521
k4w1992-lgtm wants to merge 1 commit intogoogle:mainfrom
k4w1992-lgtm:main

Conversation

@k4w1992-lgtm
Copy link
Copy Markdown

@k4w1992-lgtm k4w1992-lgtm commented Apr 28, 2026
edited
Loading

Summary

This PR adds security hardening to prevent future credential leaks, following the discovery of a hardcoded OAuth token in the repository (Google OSS VRP Issue #504158909).

Changes

  • .gitignore: Added common credential file patterns (*.pem, *.key, .env, credentials.json, etc.)
  • SECURITY.md: New security policy with credential handling guidance and pre-commit check instructions

Why

A Google OAuth access token was previously committed to this repository. While it has since been redacted, this PR prevents similar incidents by:

  1. Blocking credential files from being accidentally committed
  2. Providing clear guidance on how to handle credentials
  3. Documenting the pre-commit secret scanning workflow

Testing Plan

  • Verified .gitignore patterns block credential files: echo "test" > test.pem && git add test.pem → file is ignored
  • Verified .env files are ignored: echo "KEY=val" > .env && git add .env → file is ignored
  • Verified credentials.json pattern matches: echo "{}" > credentials.json && git add credentials.json → file is ignored
  • Verified non-credential files still tracked: echo "code" > main.py && git add main.py → file is tracked normally
  • Verified SECURITY.md renders correctly in GitHub markdown preview
  • No functional code changes — only .gitignore (ignore rules) and SECURITY.md (documentation) modified
  • Existing test suite unaffected (no source code changes)

Related

@google-cla
Copy link
Copy Markdown

google-cla Bot commented Apr 28, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@adk-bot adk-bot added the tools [Component] This issue is related to tools label Apr 28, 2026
@adk-bot
Copy link
Copy Markdown
Collaborator

adk-bot commented Apr 28, 2026

Response from ADK Triaging Agent

Hello @k4w1992-lgtm, thank you for your contribution!

To help us review your PR, could you please add a testing plan section to your PR description explaining how you've tested these changes?

Additionally, it looks like the Contributor License Agreement (CLA) check has failed. Please ensure you have signed the CLA, which is a requirement for us to accept your contribution. You can find more information in the "Details" link of the cla/google check at the bottom of the pull request.

Thank you!

@k4w1992-lgtm
Copy link
Copy Markdown
Author

k4w1992-lgtm commented Apr 28, 2026

I have signed the CLA

@k4w1992-lgtm
security: add credential patterns to .gitignore + SECURITY.md
3ac4056 
- Adds common credential file patterns to .gitignore
  (*.pem, *.key, .env, credentials.json, etc.)
- Adds SECURITY.md with credential handling guidance
  and pre-commit check instructions

Refs: Google OSS VRP Issue #504158909
Closes: google#5520
Reported-by: k4w_wak (k4w1992@gmail.com)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

tools [Component] This issue is related to tools

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@k4w1992-lgtm @adk-bot