Summary
A real Google service-account private key is committed to the repository, and the
build copies it into source directories. Both were flagged by Codex on #190 (the "require Docker for
the emulator tests" PR). They are pre-existing, not introduced by that PR, so they
are tracked here separately to keep #190 focused.
Findings
P1 (high) — committed service-account private key
spine-dev.json holds a live private key for datastore-testing@spine-dev.iam.gserviceaccount.com, committed at the repo root and
duplicated under several modules' src/test/resources/. Anyone with repository access can
authenticate as that identity, and the key remains exposed in git history even if the
files are deleted.
P2 (medium) — credentials copied into source directories
The copyCredentials Gradle task (build.gradle.kts) copies the root spine-dev.json into
each module's src/test/resources/ — a source directory — instead of Gradle's generated build/ resources area. This leaves secret material as working-tree changes in every module
and makes accidental commits likely. (.gitignore already ignores spine-dev-*.json as a
partial guard, but the canonical spine-dev.json copies are tracked.)
Location: the copyCredentials task in build.gradle.kts.
Recommended remediation
1. Rotate/revoke the datastore-testing@spine-dev.iam.gserviceaccount.com key in GCP;
it must be treated as compromised. (Owner action.)
2. Stop committing the key: remove spine-dev.json from the repo root and from every
src/test/resources/. CI already decrypts the key from the SPINE_DEV_CI_KEY secret
(see build-on-ubuntu-gcloud.yml); provide it for local runs the same way, decrypting
to a build/ or otherwise untracked location.
3. Change copyCredentials to write into a build/ test-resources directory (on the
test classpath) rather than src/test/resources, so the secret never lands in a source
tree.
4. Purge the key from git history (e.g. git filter-repo / BFG) once the above lands;
deletion alone leaves it recoverable in history. (Coordinated history rewrite.)
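As an added example (not the project's own build.gradle.kts), the following root build script shows the shape of remediation steps 2 and 3: the key is read from an untracked build/ location, copied into each module's build/test-resources, and put on the test classpath directly instead of being written into src/test/resources. It also adds a guard task that fails the build if a spine-dev*.json ever reappears at the repo root or under a src/ directory, so findings P1 and P2 cannot silently regress. The path build/secrets/spine-dev.json and the task name checkNoCredentialsInSources are assumptions for this example; the issue does not specify them.

```kotlin
// Added example for the root build.gradle.kts; this is not the project's own script.
// Assumptions (not stated in the issue): the decrypted key is delivered to
// build/secrets/spine-dev.json by CI (from SPINE_DEV_CI_KEY) or by a local script,
// and every module that runs Google Cloud tests applies the "java" plugin.

// Single untracked source of truth for the key. Nothing reads the repo root.
val credentialsSource = layout.buildDirectory.file("secrets/spine-dev.json")

subprojects {
    // Per-module destination inside build/: removed by `gradle clean`,
    // ignored by git, and never part of a source directory.
    val testCredentialsDir = layout.buildDirectory.dir("test-resources")

    val copyCredentials = tasks.register<Copy>("copyCredentials") {
        description = "Places the test service-account key on the test classpath (build/ only)."
        from(credentialsSource)
        into(testCredentialsDir)
    }

    pluginManager.withPlugin("java") {
        tasks.withType<Test>().configureEach {
            // The directory joins the test runtime classpath directly, so
            // getResource("spine-dev.json") still resolves inside tests while
            // src/test/resources is never written to.
            dependsOn(copyCredentials)
            classpath += files(testCredentialsDir)
        }
    }
}

// Regression guard: fail fast if a key file sits at the repo root or in any
// source tree, i.e. the state described in findings P1 and P2.
val checkNoCredentialsInSources = tasks.register("checkNoCredentialsInSources") {
    description = "Fails if spine-dev*.json is found outside build/ directories."
    doLast {
        val stray = fileTree(rootDir) {
            include("spine-dev*.json", "**/src/**/spine-dev*.json")
            exclude("**/build/**", "**/.git/**")
        }.files
        if (stray.isNotEmpty()) {
            throw GradleException(
                "Service-account key file(s) outside build/:\n" +
                    stray.joinToString("\n") { "  " + it.relativeTo(rootDir) }
            )
        }
    }
}
```

Run `./gradlew checkNoCredentialsInSources` as an early CI step (or make the modules' check tasks depend on it) so a stray copy fails the build before any test needs the key. The guard complements, rather than replaces, the .gitignore rule: .gitignore only affects untracked files, whereas this task also catches copies that are already tracked.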
Notes
The same private key appeared this session as a stray spine-dev-62685282c0b9.json
(the Cloud Console's default download name), which is why .gitignore now ignores spine-dev-*.json.