
Stop Leaked Credentials in Their Tracks with Veles, Our New Open-Source Secret Scanner
In today's complex software supply chain, a single leaked credential—an API key, a service account token, a password—can be all an attacker needs to breach your systems. These secrets can be accidentally committed to a source code repository, embedded in a container image, or attached to a support ticket, creating a critical and often invisible risk.
To help developers and security teams proactively find and fix these exposures, we are excited to announce Veles, a new open-source secret and credential scanner from Google.
Veles is designed to detect unintended exposure of sensitive credentials across your organization's internal systems. It helps you find secrets where they don't belong, so you can prevent them from being abused.
Why Veles? Key Features
Veles is a new, standalone module within our OSV-SCALIBR (Software Composition Analysis LIBRary) ecosystem, but it is built to be used independently. This means you can easily integrate it into your existing security tooling or use it as a standalone scanner.
In its initial release, Veles helps you find high-risk secrets in source code and user-provided artifacts. Our detection library currently identifies:
- Google Cloud Platform (GCP) API Keys
- GCP Service Account Keys
- RubyGems API Keys
This is just the beginning. Veles is built to be extensible, allowing for the rapid addition of new secret types.
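To make the detector-library idea concrete, here is an added example of the kind of pattern-plus-validation scanning described above, written for this article; it is not Veles's own code or API, and the key formats it matches (the "AIza" prefix and 39-character length of GCP API keys, the "rubygems_" prefix and 48 hex characters of RubyGems API keys, and the flat JSON shape of a GCP service account key) are assumptions drawn from the public documentation of those credential types. It runs over a constructed sample file, rejects a documentation placeholder and a truncated key, and redacts every finding before reporting it. Adding a secret type is one more entry in the `detectors` slice, which is the extensibility point the post refers to.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one detected secret: which detector fired, where in the input
// it sits, and a redacted preview so the raw value never lands in a report.
type Finding struct {
	Type     string
	Offset   int
	Redacted string
}

// Detector is the extension point: a new secret type is one more entry in
// the detectors slice. Validate is a cheap structural check that runs on
// each regex match to drop obvious placeholders; it never contacts an API.
type Detector struct {
	Name     string
	Pattern  *regexp.Regexp
	Validate func(match string) bool
}

// Key formats below are assumptions drawn from public documentation of the
// respective credential types, not from the Veles detector library:
//   - GCP API key:             "AIza" + 35 URL-safe characters (39 total)
//   - RubyGems API key:        "rubygems_" + 48 lowercase hex characters
//   - GCP service account key: a flat JSON object whose "type" is
//     "service_account" and which carries a PEM "private_key"
var detectors = []Detector{
	{
		Name:     "gcp_api_key",
		Pattern:  regexp.MustCompile(`\bAIza[0-9A-Za-z_-]{35}\b`),
		Validate: func(m string) bool { return !looksLikePlaceholder(m[4:]) },
	},
	{
		Name:     "rubygems_api_key",
		Pattern:  regexp.MustCompile(`\brubygems_[0-9a-f]{48}\b`),
		Validate: func(m string) bool { return !looksLikePlaceholder(m[len("rubygems_"):]) },
	},
	{
		Name: "gcp_service_account_key",
		// [^{}] spans newlines, so a pretty-printed key file still matches,
		// but cannot run past an earlier, unrelated JSON object.
		Pattern: regexp.MustCompile(`\{[^{}]*"type"\s*:\s*"service_account"[^{}]*\}`),
		Validate: func(m string) bool {
			return strings.Contains(m, `"private_key"`) &&
				strings.Contains(m, "-----BEGIN PRIVATE KEY-----")
		},
	},
}

// looksLikePlaceholder reports whether the key body is a single repeated
// character, as in "AIzaXXXX...", which is documentation filler, not a leak.
func looksLikePlaceholder(body string) bool {
	return len(body) > 0 && strings.Count(body, body[:1]) == len(body)
}

// redact keeps just enough of the match to locate it in the source file.
func redact(s string) string {
	if len(s) <= 8 {
		return strings.Repeat("*", len(s))
	}
	return s[:4] + "..." + s[len(s)-4:]
}

// Scan runs every detector over content and returns the surviving findings.
func Scan(content string) []Finding {
	var findings []Finding
	for _, d := range detectors {
		for _, loc := range d.Pattern.FindAllStringIndex(content, -1) {
			m := content[loc[0]:loc[1]]
			if d.Validate != nil && !d.Validate(m) {
				continue
			}
			findings = append(findings, Finding{Type: d.Name, Offset: loc[0], Redacted: redact(m)})
		}
	}
	return findings
}

// sampleArtifact is a constructed file; none of these values are real credentials.
var sampleArtifact = strings.Join([]string{
	"# constructed sample config for the example above",
	"GOOGLE_MAPS_KEY=AIzaSyA1234567890abcdefghijklmnopqrstuv",
	"EXAMPLE_KEY=AIza" + strings.Repeat("X", 35) + "   # placeholder, should be ignored",
	"TRUNCATED=AIzaShort123",
	"GEM_HOST_API_KEY=rubygems_0123456789abcdef0123456789abcdef0123456789abcdef",
	`{"type": "service_account", "project_id": "demo", "private_key_id": "abc123",`,
	` "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBg...\n-----END PRIVATE KEY-----\n",`,
	` "client_email": "svc@demo.iam.gserviceaccount.com"}`,
}, "\n")

func main() {
	for _, f := range Scan(sampleArtifact) {
		fmt.Printf("%-24s offset=%-4d %s\n", f.Type, f.Offset, f.Redacted)
	}
}
```

On the sample input this reports exactly three findings, one per type; the all-X placeholder matches the GCP regex but is dropped by the structural check, and the truncated key never matches. The structural check is deliberately offline: confirming whether a key is live is the separate, riskier step the roadmap below lists as automated validation.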
Battle-Tested at Google: Powerful Real-World Integration
At Google, we're not just releasing Veles; we're actively using it to protect our own systems and the open-source ecosystem.
- Internal Protection: Veles is already scanning Google's internal source code repositories and artifacts, helping us find and remediate leaked secrets before they become a problem.
- Securing the Open Source Ecosystem: The Google Open Source Security Team is incorporating Veles into its pipeline that powers deps.dev, scanning hundreds of millions of open-source artifacts (packages, Docker images, and repositories) to detect and remediate leaked credentials across the community.
- Integration with Google Cloud Products: Veles is being integrated directly into Google Cloud security services to bring secret scanning to our customers:
- Artifact Analysis & Artifact Registry: Veles will power secret scanning in Artifact Registry, with findings surfaced through the Container Analysis API and, eventually, in the Artifact Registry UI.
- Security Command Center (SCC): SCC's integration will provide comprehensive secret detection across the entire cloud lifecycle. This means scanning "left" into the development pipeline (like Infrastructure as Code) and "right" into active runtime environments (like Compute Engine and GKE). SCC will then unify these findings, helping you prioritize the most critical exposures and visualize potential attack paths.
The Road Ahead: What's Next for Veles?
This first release is a foundational step. Our roadmap for Veles includes:
- Broader Detection: We will continuously expand the library of supported secret and credential types.
- Automated Validation: We plan to add functionality to intelligently validate if a discovered secret is active.
- Remediation Workflows: In the future, we aim to help automate the revocation of confirmed, leaked secrets.
Get Started with Veles Today
Veles is open-source and ready for you to use. You can integrate it into your CI/CD pipeline, run it against your existing repositories, or contribute to its development. Protecting your organization from leaked credentials is a critical part of a strong security posture, and Veles is here to help.
Ready to start scanning? Head over to the Veles GitHub repository to get started!