Will It Vibe logoWill It Vibe?
ENVCFG-018Critical severity-25 points

Cloud service-account key JSON committed

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.

What it detects

A JSON file with "type": "service_account" and a "private_key" is a GCP service-account key. Committing it hands over the identity and every permission it holds until the key is revoked in the cloud console.

Why it matters

A GCP service-account key JSON (type service_account with a private_key) grants the full identity and permissions of that service account to anyone who has the file. Committed, it is scraped and reused to access whatever the account can reach in your cloud project. It stays valid until the key is revoked in the console.

How to fix it

Remove the key file from the repo and gitignore the pattern. Prefer keyless auth (workload identity or attached service accounts) so no key file exists; where a key is unavoidable, load it from a secret manager. Disable and delete the exposed key in the Google Cloud console and issue a new one if still needed.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks