Google Veles is a newly released open-source secret scanner, launched as part of Google’s broader OSV-SCALIBR (Software Composition Analysis LIBRary) ecosystem. Veles integrates seamlessly with other OSV-SCALIBR tools and also powers secret scanning in Google Cloud, while remaining available as a standalone module.
Veles is designed to detect unintended exposure of sensitive credentials across your organization’s internal systems. It helps you find secrets where they don’t belong, so you can prevent them from being abused.
Google will use Veles as the secret scanner for Google Cloud products, including Artifact Registry and Security Command Center (SCC). By integrating Veles into SCC, Google aims to support both shift-left and shift-right security approaches, which means scanning for secrets not only at the infrastructure level but also across Compute Engine and GKE.
Google also says its open source security team is using Veles to scan hundreds of millions of open-source artifacts. The company emphasizes that, while GitHub, GitLab, and other similar services do a great job scanning public source code, the risk of inadvertently exposing credentials extends well beyond that, for example into package registries, build artifacts, container images, and other distribution channels where secrets can accidentally leak.
Built packages and Docker images often include configuration, compiled binaries, and build scripts, all potential sources of leaked credentials. Publishing these artifacts on open-source repositories like Maven Central, PyPI, or DockerHub can expose leaked credentials to exploitation.
Google says it has already seen significant results from using Veles, successfully identifying and reporting exposed credentials such as API keys, service account keys, and OAuth client secrets across large volumes of historical artifacts.
Veles is implemented as a Go library, so developers can integrate its API directly and scan for secrets through its DetectionEngine. Alternatively, you can use it through osv-scalibr, a Python package, via the osv_scalibr.scan command.
In its current release, Veles only supports Google Cloud Platform (GCP) API Keys, GCP Service Account Keys, and RubyGems API Keys. Google says Veles has been designed to make it easy to add new detector and validator types, and it plans to extend the tool to support other secret types over time. According to Google engineers, the long-term goal is for Veles to cover hundreds or even thousands of credential types.
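To make the "detection engine plus pluggable detectors" design concrete, here is an added Go example that is not Veles's own code and does not use its API: it sketches a hypothetical `Detector` interface and `DetectionEngine` in the same spirit, with one detector for each of the three credential types the article names, run over a constructed build-config snippet containing placeholder values. The token shapes (the `AIza` prefix and 35-character tail for GCP API keys, the `rubygems_` prefix followed by 48 hex characters, and a JSON object declaring `"type": "service_account"` with a `private_key` field) are assumptions about the public formats, not Veles's rules. Findings are reported redacted, which is the habit a scanner's output should enforce so that the report itself does not become a second leak.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"sort"
)

// Finding is one credential candidate located in the scanned bytes.
type Finding struct {
	Kind   string // which detector fired, e.g. "gcp_api_key"
	Secret string // the matched text; print it only through Redact
	Offset int    // byte offset of the match in the scanned input
}

// Detector is the minimal interface a detector implements in this example
// (a hypothetical shape; Veles's real interface may differ).
type Detector interface {
	Name() string
	Detect(data []byte) []Finding
}

// regexDetector covers token-shaped secrets with a fixed prefix and length.
type regexDetector struct {
	name string
	re   *regexp.Regexp
}

func (d regexDetector) Name() string { return d.name }

func (d regexDetector) Detect(data []byte) []Finding {
	var out []Finding
	for _, loc := range d.re.FindAllIndex(data, -1) {
		out = append(out, Finding{Kind: d.name, Secret: string(data[loc[0]:loc[1]]), Offset: loc[0]})
	}
	return out
}

// serviceAccountDetector flags a GCP service-account key file by structure rather than
// by token pattern: a "type": "service_account" marker in input that also carries key material.
type serviceAccountDetector struct{}

var saType = regexp.MustCompile(`"type"\s*:\s*"service_account"`)

func (serviceAccountDetector) Name() string { return "gcp_service_account_key" }

func (serviceAccountDetector) Detect(data []byte) []Finding {
	if !bytes.Contains(data, []byte(`"private_key"`)) {
		return nil // the type marker alone is metadata, not a usable credential
	}
	var out []Finding
	for _, loc := range saType.FindAllIndex(data, -1) {
		out = append(out, Finding{Kind: "gcp_service_account_key", Secret: string(data[loc[0]:loc[1]]), Offset: loc[0]})
	}
	return out
}

// DetectionEngine runs every registered detector over an input and merges the findings.
type DetectionEngine struct{ detectors []Detector }

func NewDetectionEngine(ds ...Detector) *DetectionEngine { return &DetectionEngine{detectors: ds} }

// Scan returns all findings ordered by offset so a report reads top to bottom.
func (e *DetectionEngine) Scan(data []byte) []Finding {
	var all []Finding
	for _, d := range e.detectors {
		all = append(all, d.Detect(data)...)
	}
	sort.Slice(all, func(i, j int) bool { return all[i].Offset < all[j].Offset })
	return all
}

// DefaultEngine wires up the three credential types the article lists.
// The patterns are assumptions about the public key formats, not Veles's detectors.
func DefaultEngine() *DetectionEngine {
	return NewDetectionEngine(
		regexDetector{"gcp_api_key", regexp.MustCompile(`AIza[0-9A-Za-z_-]{35}`)},
		regexDetector{"rubygems_api_key", regexp.MustCompile(`rubygems_[0-9a-f]{48}`)},
		serviceAccountDetector{},
	)
}

// Redact keeps just enough of a secret to identify it in a report without reproducing it.
func Redact(s string) string {
	if len(s) <= 8 {
		return "****"
	}
	return s[:4] + "..." + s[len(s)-4:]
}

// sampleArtifact is a constructed build config; every value is a placeholder, not a real credential.
const sampleArtifact = `# constructed sample build config (placeholders only)
GOOGLE_MAPS_KEY=AIzaSyA0123456789abcdefghijklmnopqrstuv
GEM_HOST_API_KEY=rubygems_0123456789abcdef0123456789abcdef0123456789abcdef
{"type": "service_account", "project_id": "example-project", "private_key": "-----BEGIN PRIVATE KEY-----\nMIIB...\n-----END PRIVATE KEY-----\n"}
`

func main() {
	for _, f := range DefaultEngine().Scan([]byte(sampleArtifact)) {
		fmt.Printf("%-24s offset=%d secret=%s\n", f.Kind, f.Offset, Redact(f.Secret))
	}
}
```

The engine is deliberately format-agnostic: it takes bytes, so the same detectors can be pointed at a config file, a layer of a container image, or a compiled binary's string table, which is exactly the set of artifacts the article says source-code-only scanners miss. A real deployment would add a validation step (Veles's "validator" types) that checks whether a candidate is live before paging anyone; that is omitted here because it requires calling the issuing service.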