Summary
During a security audit of the Google ADK repository (as part of Google OSS VRP), a hardcoded Google OAuth access token (format ya29.*) was discovered in the repository at tests/unittests/plugins/test_bigquery_agent_analytics_plugin.py.
The token has since been redacted from the current codebase, but it existed in the git history and was publicly accessible.
Impact
- Exposure of a valid Google OAuth access token
- Potential unauthorized API access if the token was not immediately revoked
- Violates Google's own security best practices for credential handling
Reporter
Recommended Fix
- Add .gitignore rules for common credential patterns
- Add a SECURITY.md with guidance on avoiding hardcoded credentials
- Implement pre-commit hooks to scan for secrets before commits
I will submit a PR with these changes shortly.
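As an added example (not ADK's own code and not part of the report above), one shape the recommended pre-commit hook could take: a Python script that scans only the staged additions for the ya29.* access-token format and fails the commit, printing a redacted form rather than the secret itself. The minimum token length, the placeholder allowlist and the hook wiring via `git diff --cached` are assumptions.

```python
"""Pre-commit secret scan for Google OAuth access tokens (ya29.*).

Added example, not ADK project code. Install as .git/hooks/pre-commit (assumption);
it exits non-zero when a staged addition looks like a live access token.
"""
import re
import subprocess
import sys

# Google OAuth 2.0 access tokens start with "ya29." followed by a long URL-safe string.
# The 20-character minimum is an assumption so that the bare prefix in docs is not flagged.
TOKEN_RE = re.compile(r"ya29\.[A-Za-z0-9_\-]{20,}")

# Obvious placeholders that should not block a commit (assumption, extend as needed).
ALLOWLIST = re.compile(r"(REDACTED|PLACEHOLDER|EXAMPLE|xxxx)", re.IGNORECASE)


def redact(token: str) -> str:
    """Keep only the prefix and last 4 characters so the hook never echoes the secret."""
    return token[:8] + "..." + token[-4:]


def scan_text(text: str, path: str = "<stdin>") -> list[tuple[str, int, str]]:
    """Return (path, line_no, redacted_token) for each suspicious token in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in TOKEN_RE.finditer(line):
            if not ALLOWLIST.search(m.group(0)):
                findings.append((path, line_no, redact(m.group(0))))
    return findings


def scan_diff_text(diff: str) -> list[tuple[str, int, str]]:
    """Scan only '+' lines of a unified diff, tracking the new-file line number from hunk headers."""
    findings, path, new_line = [], "?", 0
    for line in diff.splitlines():
        if line.startswith("+++ b/"):
            path = line[6:]
        elif line.startswith("@@"):
            new_line = int(re.search(r"\+(\d+)", line).group(1))
        elif line.startswith("+"):
            findings.extend((path, new_line, t) for _, _, t in scan_text(line[1:], path))
            new_line += 1
        elif not line.startswith("-"):
            new_line += 1  # context line (absent with --unified=0, handled anyway)
    return findings


def scan_staged_diff() -> list[tuple[str, int, str]]:
    """Run the scan over what is about to be committed, before it can reach git history."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    return scan_diff_text(diff)


if __name__ == "__main__":
    hits = scan_staged_diff()
    for path, line_no, tok in hits:
        print(f"{path}:{line_no}: possible Google OAuth access token {tok}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Because only staged additions are scanned, a token that already exists in history (as in this report) is not caught by the hook; that case needs a history scan and revocation of the token, which this example does not attempt.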