Google launches Veles open-source scanner to catch leaked credentials early


Let’s be real, leaked credentials are one of the biggest security risks in modern software development. A single API key, token, or password in the wrong place can expose entire systems. Google knows this. And now, it’s doing something about it.

The search giant has introduced a new open-source tool called Veles. It’s a secret scanner built to detect exposed credentials in code, containers, and other artifacts before they become a problem.

Veles is part of Google’s broader OSV-SCALIBR ecosystem, but it doesn’t require the whole framework. You can run it as a standalone tool or integrate it into your existing pipeline. At launch, it can detect things like Google Cloud API keys, GCP service account tokens, and RubyGems API keys.
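To make the "secret scanner" idea concrete, here is a small pattern-based scanner written for this article. It is an added example, not Veles's own code or any part of OSV-SCALIBR, and the key formats it looks for (a Google Cloud API key as `AIza` plus 35 URL-safe characters, a RubyGems key as `rubygems_` plus 48 hex characters, and a PEM private-key header of the kind a service account JSON file carries) are this example's assumptions rather than anything the article states. The sample input is constructed and contains no real credentials. One design point worth copying: findings carry only a redacted preview, so the scanner's own output cannot become the next leak.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one detected secret. Only a redacted preview is kept so that
// scanner output does not itself become a second leak.
type Finding struct {
	Type    string
	Line    int
	Preview string
}

// detector pairs a secret type name with the pattern that recognises it.
// These patterns are this example's assumptions about key formats, not
// Veles's detectors.
type detector struct {
	name    string
	pattern *regexp.Regexp
}

var detectors = []detector{
	// Google Cloud API key: "AIza" followed by 35 URL-safe characters (assumed format).
	{"gcp_api_key", regexp.MustCompile(`AIza[0-9A-Za-z_\-]{35}`)},
	// RubyGems API key: "rubygems_" followed by 48 hex characters (assumed format).
	{"rubygems_api_key", regexp.MustCompile(`rubygems_[0-9a-f]{48}`)},
	// PEM private-key header, which is what a service account JSON key file
	// carries inside its "private_key" field.
	{"private_key_block", regexp.MustCompile(`-----BEGIN (?:RSA |EC )?PRIVATE KEY-----`)},
}

// redact keeps the first 8 and last 4 characters of a match so an operator
// can correlate the finding with the real credential without reprinting it.
func redact(s string) string {
	if len(s) <= 12 {
		return strings.Repeat("*", len(s))
	}
	return s[:8] + strings.Repeat("*", len(s)-12) + s[len(s)-4:]
}

// Scan runs every detector over each line of content and returns one
// finding per match, in line order.
func Scan(content string) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, d := range detectors {
			for _, m := range d.pattern.FindAllString(line, -1) {
				out = append(out, Finding{Type: d.name, Line: i + 1, Preview: redact(m)})
			}
		}
	}
	return out
}

// Sample is a constructed config fragment with fake credentials; none of
// these values are real keys. The PLACEHOLDER line shows a near-miss that
// must not be reported.
const Sample = `# constructed sample, not a real config
GOOGLE_API_KEY=AIzaSyEXAMPLE_FAKE_KEY_0123456789abcdef
GEM_HOST_API_KEY=rubygems_0123456789abcdef0123456789abcdef0123456789abcdef
PLACEHOLDER=AIzaTooShort
SA_KEY={"type":"service_account","private_key":"-----BEGIN PRIVATE KEY-----\nMII..."}
`

func main() {
	for _, f := range Scan(Sample) {
		fmt.Printf("line %d: %-18s %s\n", f.Line, f.Type, f.Preview)
	}
}
```

Run it as-is and it reports three findings (lines 2, 3 and 5) and skips the too-short placeholder on line 4. A real scanner adds what the article says Veles is growing toward: more detectors, checking whether a match is still live, and feeding the result to whoever can revoke it.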

Thankfully, more secret types will be supported over time. Google says Veles is designed to grow with your needs.

This isn’t just theory either. Google is already using Veles internally. It’s scanning the company’s own repositories and internal systems to catch credentials before they leak. That real-world testing gives it some credibility.

Veles is also being used in the open-source space. Google’s Open Source Security Team has added it to the pipeline behind deps.dev. That system scans hundreds of millions of packages, images, and repos to detect secrets hiding in plain sight.

The scanner is also making its way into Google Cloud. It will be used to power secret detection in Artifact Registry, with results available via the Container Analysis API. Those findings will eventually show up in the Artifact Registry UI too.

Security Command Center is also getting in on the action. Veles will help SCC scan both code and runtime environments like GKE and Compute Engine. That means secrets can be caught during development and after deployment. SCC will then organize the findings to help teams figure out what’s critical and what’s not.

Looking ahead, Google has some big plans for Veles. The team wants to add automated validation so it can tell whether a leaked secret is still active. Even more interesting, they want to eventually automate the revocation process. So if a secret is confirmed to be live, you could disable it right away.

You don’t need to wait, though. Veles is already open-source and available on GitHub. You can use it to scan your codebase, containers, or whatever else you want to keep clean.

In a world where one small mistake can lead to a massive security incident, tools like Veles offer a chance to catch the problem before it spreads.

The GitHub repo is here: github.com/google/osv-scalibr/tree/main/veles

Author

  • Brian Fagioli, journalist at NERDS.xyz

    Brian Fagioli is a technology journalist and founder of NERDS.xyz. Known for covering Linux, open source software, AI, and cybersecurity, he delivers no-nonsense tech news for real nerds.
