Google has released Veles, a lightweight, open-source secret scanning module designed to catch sensitive credential exposure, particularly in GCP environments. It integrates directly with the OSV-SCALIBR (Software Composition Analysis and License-Based Risk) platform and currently targets Google Cloud API keys, service account credentials, and RubyGems keys.

Veles stands out not because it’s another scanner, but because it’s purpose-built to support structured ecosystem integration inside Google’s dependency and package scanning pipelines. That makes it an efficient drop-in for any DevSecOps pipeline already using OSV-SCALIBR or deps.dev.
Key Features
- Detects Google API keys, service account keys, and RubyGems tokens
- Fast scanning with low system overhead
- Fully open source with permissive licensing
- Integrates with Google Cloud tooling like deps.dev and CI/CD pipelines
Installation & Usage
Veles is currently embedded as a module in the OSV-SCALIBR ecosystem. To use it, you need to clone the repo and enable the scanner in your pipeline or project analysis:
git clone https://github.com/google/osv-scalibr.git
cd osv-scalibr
# Run Veles scan
python3 -m osv_scalibr.scan --secrets your_project_path/
The expected output includes flagged credentials with their associated context, filename, and token type.
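The report shape described above (filename, token type, line and surrounding context) is easiest to see with a small working scanner. The following Go program is an added example, not code from Veles or OSV-SCALIBR: it runs three detectors over constructed in-memory files and prints one finding per credential, with the secret value redacted in the context. The patterns are assumptions drawn from publicly documented formats (the "AIza" prefix plus 35 URL-safe characters for Google API keys, a JSON document with "type": "service_account" and a PEM private key for service account files, "rubygems_" plus 48 hex characters for RubyGems API keys), not Veles's own rules, and the sample files and key values are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one flagged credential: which file, what token type, which line,
// and the surrounding line with the secret itself redacted for safe reporting.
type Finding struct {
	File    string
	Type    string
	Line    int
	Context string
}

// SampleFile is a constructed in-memory file so the example runs offline.
type SampleFile struct {
	Name    string
	Content string
}

// Assumed detector patterns from publicly documented credential formats;
// these are not Veles's own rules.
var (
	// Google API keys: "AIza" followed by 35 URL-safe characters.
	googleAPIKeyRe = regexp.MustCompile(`AIza[0-9A-Za-z_-]{35}`)
	// RubyGems API keys: "rubygems_" followed by 48 hex characters.
	rubyGemsKeyRe = regexp.MustCompile(`rubygems_[0-9a-f]{48}`)
)

// redact keeps a short prefix of the secret so a reviewer can correlate it
// without the full value landing in logs or CI output.
func redact(line, secret string) string {
	return strings.Replace(line, secret, secret[:6]+"...[redacted]", 1)
}

// detectServiceAccount treats a file as a GCP service account key if it is
// JSON with "type": "service_account" and a PEM-encoded private key.
func detectServiceAccount(name, content string) (Finding, bool) {
	var sa struct {
		Type        string `json:"type"`
		ClientEmail string `json:"client_email"`
		PrivateKey  string `json:"private_key"`
	}
	if err := json.Unmarshal([]byte(content), &sa); err != nil {
		return Finding{}, false
	}
	if sa.Type != "service_account" || !strings.HasPrefix(sa.PrivateKey, "-----BEGIN PRIVATE KEY-----") {
		return Finding{}, false
	}
	// Report the identity, never the private key material.
	return Finding{File: name, Type: "gcp_service_account_key", Line: 1, Context: "client_email=" + sa.ClientEmail}, true
}

// ScanFile runs every detector over one file and returns the findings.
func ScanFile(name, content string) []Finding {
	var findings []Finding
	if f, ok := detectServiceAccount(name, content); ok {
		findings = append(findings, f)
	}
	for i, line := range strings.Split(content, "\n") {
		for _, m := range googleAPIKeyRe.FindAllString(line, -1) {
			findings = append(findings, Finding{File: name, Type: "google_api_key", Line: i + 1, Context: redact(line, m)})
		}
		for _, m := range rubyGemsKeyRe.FindAllString(line, -1) {
			findings = append(findings, Finding{File: name, Type: "rubygems_api_key", Line: i + 1, Context: redact(line, m)})
		}
	}
	return findings
}

// Samples are constructed files: three containing credentials and one benign
// file that mentions the "AIza" prefix without containing a key.
var Samples = []SampleFile{
	{"config/app.env", "API_BASE=https://example.invalid\nGOOGLE_MAPS_KEY=AIzaSyD-EXAMPLE-KEY-0123456789abcdefghi\n"},
	{"deploy/credentials.json", `{
  "type": "service_account",
  "project_id": "example-project",
  "client_email": "ci-bot@example-project.iam.gserviceaccount.com",
  "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n"
}`},
	{".gem/credentials", "---\n:rubygems_api_key: rubygems_0123456789abcdef0123456789abcdef0123456789abcdef\n"},
	{"README.md", "AIza is the Google API key prefix; do not commit real keys.\n"},
}

// ScanSamples scans all constructed files in order and returns every finding.
func ScanSamples() []Finding {
	var all []Finding
	for _, f := range Samples {
		all = append(all, ScanFile(f.Name, f.Content)...)
	}
	return all
}

func main() {
	for _, f := range ScanSamples() {
		fmt.Printf("%s:%d [%s] %s\n", f.File, f.Line, f.Type, f.Context)
	}
}
```

Two design choices matter for a pipeline tool of this kind: the service account detector parses the JSON structure rather than grepping for "BEGIN PRIVATE KEY", which keeps it from firing on unrelated PEM files, and every context line is redacted before it is printed, so the scanner's own CI logs do not become a second place where the secret is exposed.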
Why It Matters
Most dev teams already rely on secret scanning tools like Gitleaks or detect-secrets. What sets Veles apart is its tight alignment with Google’s internal tools and the GCP ecosystem. It complements Google’s larger efforts around software supply chain security by making it easier to catch credential leaks earlier in the build process, before they reach production or source control.
It’s also a good example of security tooling built specifically with ecosystem context in mind, instead of relying on bloated, general-purpose regex bundles that produce false positives.
Red Team & Blue Team Relevance
From a red team perspective, tools like Veles signal how mature defenders are integrating automated credential scanning at the infrastructure level — meaning attackers are less likely to get away with plaintext secrets in open repos.
For blue teams and developers, Veles is another piece in the shift-left pipeline, moving security earlier in the development cycle and avoiding GCP credential exposure that can result in complete compromise or massive cloud bills from misused services.
Limitations
- Currently limited to GCP and RubyGems secrets.
- No support (yet) for broader cloud providers or generic secrets like JWTs or SSH keys.
- No default runtime watchdog or Git hooks (yet).
That said, it’s early days — and Veles appears to be gaining internal adoption at Google, so we expect wider support to follow soon.
You can read more or enable Veles via OSV-SCALIBR here: https://github.com/google/osv-scalibr