Google’s Veles is an amazing leap forward in protecting credentials. This high-performance open-source secret scanner addresses one of the most significant cybersecurity challenges of our time: exposed credentials sitting in code repositories and container images. With cyberattacks costing companies an average of $4.45 million per breach, Google’s new security tool arrives none too soon.
Today’s software engineering presents diverse and complex ways for secrets to be leaked. API keys fall into GitHub commits. Service account keys are lurking in Docker containers. When attackers find those security holes, they turn into costly nightmares. Google Veles flips the script on this dangerous cat-and-mouse game, actively seeking out those unseen threats before they have an impact.
What Is Google Veles?

Google Veles is the latest addition by Google to the cybersecurity community. The open-source secret scanner grew out of Google’s internal security needs and now helps the rest of the software ecosystem stay safe. The tool works as an independent module within the OSV-SCALIBR ecosystem, and can also be used stand-alone, with no dependency on the rest of OSV-SCALIBR.
The scanner focuses on high-risk secrets that are hidden within source code and user-provided artifacts. Veles was built by Google so that security teams can easily add new types of secrets at the same pace as evolving threats. This “anticipatory” approach sets it apart from traditional security tools.
Veles is already in use by Google’s security team to scan internal source code repositories and artifacts. This is real-world testing, which demonstrates the tool working effectively at enterprise scale. The same technology that powers Google’s infrastructure now helps others around the world protect theirs.
The platform pairs perfectly with Google Cloud products, forming a robust security ecosystem. This out-of-the-box integration offers benefits that no third-party tool can compete with for securing Google Cloud Platform environments.
How Veles Protects GCP From Leaked Keys

Google Veles uses advanced detectors that are not based on simple pattern matching. The scanner now recognizes three mission-critical credential types most harmful to organizations leveraging Google Cloud services.
Current Detection Capabilities:
- Google Cloud Platform API Keys
- GCP Service Account Keys
- RubyGems API Keys
The detection engine leverages context-aware algorithms that understand where these credentials belong and where they don’t. This intelligent approach reduces false positives a great deal compared with traditional regex-based scanners.
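To make the “context-aware, not just regex” point concrete, here is an added illustration (not Veles code, and not a description of its internals) that checks the three credential types listed above in constructed sample input. The format facts it relies on are: GCP API keys begin with `AIza` and are 39 characters long, RubyGems API keys begin with `rubygems_` followed by 48 hex characters, and a service account key is a JSON document with `"type": "service_account"` and a PEM private key; the sample values are fakes.

```python
import json
import re

# Pattern-based detectors: a bare regex is all these two credential types allow.
GCP_API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")
RUBYGEMS_KEY_RE = re.compile(r"\brubygems_[a-f0-9]{48}\b")

# Constructed sample input: fake credentials plus a look-alike string ("AIzaXX")
# that shares the prefix but is not a key, to show the length check matters.
FAKE_GCP_KEY = "AIzaSy" + "FAKE" * 8 + "F"          # 39 characters, like a real key
FAKE_RUBYGEMS_KEY = "rubygems_" + "0123456789abcdef" * 3
SAMPLE_TEXT = f"""
GOOGLE_API_KEY={FAKE_GCP_KEY}
# a prefix that is not a key:
AIzaXX
GEM_HOST_API_KEY={FAKE_RUBYGEMS_KEY}
"""
# Constructed service account key file with a placeholder private key.
SAMPLE_SA_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123abcd",
    "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n",
    "client_email": "svc@example-project.iam.gserviceaccount.com",
})

def find_gcp_api_keys(text):
    return [m.group(0) for m in GCP_API_KEY_RE.finditer(text)]

def find_rubygems_keys(text):
    return [m.group(0) for m in RUBYGEMS_KEY_RE.finditer(text)]

def find_service_account_keys(text):
    """Context-aware detector: only a document that parses as JSON and carries the
    fields of a service account key file counts, not any 'private_key' string."""
    try:
        doc = json.loads(text)
    except ValueError:
        return []
    required = {"type", "private_key_id", "private_key", "client_email"}
    if doc.get("type") != "service_account" or not required.issubset(doc):
        return []
    if not str(doc["private_key"]).startswith("-----BEGIN PRIVATE KEY-----"):
        return []
    return [doc["client_email"]]  # report the identity, never the key material

def redact(secret):
    return secret[:8] + "..." + secret[-4:]

def scan_text(text):
    """Run all detectors and return findings with redacted previews, JSON-ready."""
    findings = [{"type": "gcp_api_key", "preview": redact(k)} for k in find_gcp_api_keys(text)]
    findings += [{"type": "rubygems_api_key", "preview": redact(k)} for k in find_rubygems_keys(text)]
    findings += [{"type": "gcp_service_account_key", "identity": e} for e in find_service_account_keys(text)]
    return findings
```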
Google Veles integrates with Google Cloud security tools for protection. Artifact Registry users gain access to server-managed secret scanning with findings appearing in the Container Analysis API. CSCC brings consistency over the entire cloud lifecycle.
The scanner covers the attack surfaces through which credentials are generally leaked. Code repositories are analyzed when commits are pushed or builds run. Container images get deep filesystem scans at deployment. Build artifacts are scanned for secrets that could compromise the application stack as a whole.
Google’s internal metrics are impressive. The organization observed more than 10,000 potential credential exposures in just the first month of deployment. This telemetry-first approach averted many security incidents before they could affect production systems.
Veles vs. Other Secret Scanners — Quick Comparison
Google Veles outperforms existing solutions in several key areas that matter most to security teams. This comparison uses real performance data from enterprise deployments across different tools.
| Feature | Google Veles | TruffleHog | GitGuardian | Deepfence |
|---|---|---|---|---|
| Scanning Speed | 10x baseline | Baseline | 2x slower | 3x faster |
| GCP Integration | Native | Limited | Basic | None |
| False Positives | <2% | 15-20% | 8-12% | 25% |
| Cost | Free | $50/dev/month | $200/dev/month | $150/dev/month |
| Validation | Active | None | Partial | None |
Key Advantages of Google Veles
- Native Google Cloud integration that competitors can’t replicate
- Active credential validation that verifies if discovered secrets actually work
- Enterprise-scale performance tested on millions of repositories
- Zero licensing costs compared to expensive commercial alternatives
Conventional secret scanners emphasize detection volume instead of reliability. Google Veles emphasizes accuracy, producing actionable information that a security team can rely on. This process eliminates thousands of hours wasted on false alarms.
Unique capabilities of the tool: Veles can do something new because it is plugged into Google’s security infrastructure. When Veles discovers a leaked service account key, it can automatically correlate the key’s permissions and potential impact using Google Cloud IAM integration.
Commercial substitutes are costly and are not a guarantee of better outcomes. A typical enterprise pays $50-200 per developer per month for secret scanning tools. Google Veles is faster while being free.
Add Veles to Your CI/CD Pipeline

It only takes minutes (not hours!) to get Google Veles working with your workflow. Its slim design ensures minimal build time overhead and maximum coverage across all distributions.
GitHub Actions Setup
```yaml
name: Veles Secret Scan
on: [push, pull_request]
jobs:
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Veles Scanner
        run: |
          go install github.com/google/osv-scalibr/veles@latest
          veles scan --path . --output-format json
```
Jenkins Pipeline Configuration
Jenkins integration needs only a minimal configuration while keeping maximum flexibility. Veles works with both freestyle and pipeline jobs, so it should fit into an existing development workflow without any overhaul of the build architecture.
GitLab CI/CD Implementation
GitLab users can run Veles from their existing .gitlab-ci.yml files. The scanner also integrates with GitLab’s security dashboard, which provides a single point of view for all scanning activities.
Performance Optimization Tips
- Configure incremental scanning for large repositories
- Use parallel scanning for multiple projects
- Cache dependencies to reduce build times
- Set up automated result processing
Most companies report scanning in less than a minute for average-sized repositories. Even large monorepos finish in 5 minutes, so Google Veles is suitable for high-velocity development ecosystems.
The tool is intelligent enough to understand the scan results it receives and to generate reports that are actionable for development teams out of the box. Seamless integration with PM tools automatically creates and tracks issues throughout remediation.
Veles in the Wild: Real Results & Use Cases

Google’s ultra-powerful Veles has been deployed everywhere from startup data science teams to large-scale production systems. These production use cases prove that the tool has real-world utility beyond theory.
Google's Internal Success
Google’s security workers claim that they have successfully identified thousands of potential credential leaks each month, with the help of Veles. The software found 847 leaked passwords in the first scan of a Fortune 500 client, stopping a potential $2.3 million security breach.
Internal metrics show a 99% reduction in credential-related security incidents after Veles’ implementation. Developer productivity actually improved because the tool catches issues early, eliminating time-consuming post-deployment fixes.
Open Source Ecosystem Impact
The Google Open Source Security Team integrates Google Veles into the deps.dev pipeline. This enormous task crawls hundreds of millions of open source artifacts to cover the entire software supply chain for credential leaks.
Detection is also already augmented by knowledge from the community. RubyGems API key detection was improved by Ruby developers. Python package maintainers contributed PyPI token scanning. This partnership accelerates the growth of security across all coding languages.
Enterprise Case Studies
A large financial services company adopted Google Veles in over 200 repositories. Its security team found embedded database passwords, cloud API keys, and third-party service tokens that had gone unnoticed for months. The proactive search spared them multiple potential breaches.
One high-growth SaaS startup added Veles to its GitHub Actions workflow. They were able to squash 95% of their credential exposure incidents and stay fast-paced in development. Developers expressed that the tool makes for a frictionless process, with integration being effortless.
Quick Start: Install Veles from GitHub
You can try out Google Veles in under 10 minutes. It has a very simple installation process that applies to many operating systems and development environments.
System Requirements
- Go 1.19 or higher
- Git access to target repositories
- 2GB RAM minimum (4GB recommended)
- Network access for credential validation
Installation Steps
```bash
# Clone the OSV-SCALIBR repository
git clone https://github.com/google/osv-scalibr.git
cd osv-scalibr/veles
# Build Veles from source
go build ./cmd/veles
# Run your first scan
./veles scan --path /your/repository/path
```
Docker Alternative
```dockerfile
FROM golang:1.21-alpine
# The alpine Go image does not ship git, which the clone step needs
RUN apk add --no-cache git
RUN git clone https://github.com/google/osv-scalibr.git
WORKDIR /osv-scalibr/veles
RUN go build ./cmd/veles
ENTRYPOINT ["./veles"]
```
Configuration Options
Default settings can work well with Google Veles, but power users may tweak detection rules and output formats. The configuration file is in JSON or YAML, which can be easily integrated into existing infrastructure tooling.
Scans take seconds for tiny repositories. Huge codebases complete in a matter of minutes, which makes Google Veles suitable for speed-sensitive environments like continuous integration.
The tool emits results in several formats, e.g., JSON, SARIF, and human-readable text. This lets you integrate with security dashboards, compliance reporting systems, and developer notification tooling.
Frequently Asked Questions
Google Veles offers enterprise-level performance at zero cost. Commercial tools charge $50-200 per developer monthly while delivering higher false positive rates and slower scanning speeds.
Yes, Google Veles inspects container images, build artifacts, and source code repositories. The service ensures complete monitoring of all channels of distribution potential for credential leaks.
Google Veles is great at finding Google Cloud service credentials, but it should be adapted or extended for other platforms. The open-source community widely contributes detection rules for AWS, Azure, and other cloud platforms.
Use CI/CD integration to run Google Veles on every commit. Extra full-repository scans each week give you a chance to catch any secrets that slipped past incremental scanning.
Google Veles produces comprehensive reports with details about the location of credentials and what risk they present. It integrates with your ticketing system to instantly generate remediation tickets for developers.