From 3ac40564ad9266772925e901ffb6b5ad276cf4bc Mon Sep 17 00:00:00 2001 From: k4w1992-lgtm Date: Wed, 29 Apr 2026 19:08:15 -0700 Subject: [PATCH] security: add credential patterns to .gitignore + SECURITY.md - Adds common credential file patterns to .gitignore (*.pem, *.key, .env, credentials.json, etc.) - Adds SECURITY.md with credential handling guidance and pre-commit check instructions Refs: Google OSS VRP Issue #504158909 Closes: #5520 Reported-by: k4w_wak (k4w1992@gmail.com) --- .gitignore | 17 +++++++++++++++++ SECURITY.md | 31 +++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 SECURITY.md diff --git a/.gitignore b/.gitignore index 47f633c5c5..52ec21af7c 100644 --- a/.gitignore +++ b/.gitignore @@ -116,3 +116,20 @@ CLAUDE.md .rooignore .bolt/ .v0/ + +# === SECURITY: Credential patterns — added per Issue #5520 === +*.pem +*.key +*.p12 +*.pfx +*.jks +*.keystore +*.tokencache +credentials.json +service-account.json +.env +.env.* +!.env.example +*.secret +secrets.yaml +secrets.yml diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..ea13bcf8f6 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,31 @@ +# Security Policy — Google ADK + +## Reporting a Vulnerability + +If you discover a security vulnerability in this repository, please report it via: + +- Google OSS VRP: https://bughunters.google.com +- Or open a GitHub Security Advisory + +## Credential Handling + +**NEVER** commit any of the following to this repository: + +- OAuth access tokens (`ya29.*`) +- API keys (`AIzaSy*`) +- Service account JSON keys +- Private keys (`.pem`, `.key`) +- `.env` files with real credentials +- Any form of password or secret + +Use environment variables or a secrets manager instead. + +## Pre-commit Checks + +Run before committing: +```bash +pip install detect-secrets +detect-secrets scan --all-files +``` + +Reported by: @k4w1992-lgtm | Google Issue: #504158909
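Review bot: in the `.gitignore` hunk the broad `*.pem` and `*.key` globs will also silently hide legitimate files such as test certificates or public-key fixtures, and an ignore rule neither untracks files that are already committed nor stops `git add -f`; before merging, confirm nothing currently tracked matches with `git ls-files -ci --exclude-standard`, and treat the patterns as a convenience rather than a control. Note also that `.env.*` followed by `!.env.example` restores only that one name, so any other template such as a `.env.sample` would be swallowed; if such files exist, add a matching negation or narrow the glob.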
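Review bot: the `## Pre-commit Checks` section of the new SECURITY.md does not do what its heading promises: `detect-secrets scan --all-files` only writes a JSON baseline of findings to stdout and exits zero, so it neither blocks a commit nor restricts itself to staged changes. To actually gate commits, document generating a baseline once (`detect-secrets scan > .secrets.baseline`) and running `detect-secrets-hook --baseline .secrets.baseline` on the staged files (for example via the pre-commit framework), or at minimum tell contributors that a non-empty `results` object in the scan output must be resolved before committing. Separately, the trailing `Reported by: @k4w1992-lgtm | Google Issue: #504158909` line ties a living policy document to a single report; that attribution already appears in the commit message and should stay there rather than in SECURITY.md.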