GCP service account private key
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.
What it detects
A Google Cloud service account JSON embeds an inline private_key PEM block. Anyone with this file can impersonate the service account.
Why it matters
A Google Cloud service account JSON file contains an inline private key that lets anyone holding it authenticate as that service account. Depending on the account roles, that can mean full read/write on your GCP project. The key does not expire on its own, so an old leak stays usable for years.
How to fix it
Remove the service account JSON from the repo and load credentials another way: workload identity on GKE/Cloud Run, application default credentials, or a mounted secret outside the repo. Disable the leaked key in the IAM service accounts console and generate a new one if still needed.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo