Security: Exposed credentials detected in this repository #4
Open
Leaked Credentials Detected
Hi there! While reviewing public repositories submitted to the Gemini Live Agent Challenge, we ran an automated security scan and found exposed credentials in this repo.
This repository contains high-severity leaked credentials (private-key). These credentials may grant access to external services and should be revoked immediately.
What was found
| File | Credential Type |
|---|---|
| backend/src/config/firebase.ts | private-key |
Committed .env files:
backend/.env.test
Recommended actions
- Revoke and rotate all exposed credentials immediately
  - For Google/GCP API keys: Google Cloud Console → APIs & Services → Credentials
  - For other services: check the respective provider's dashboard
- Remove secrets from code — use environment variables or a secrets manager instead
- Add `.env` to `.gitignore` to prevent future commits of secret files
- Scrub git history — even after deleting the file, secrets remain in git history. Use git-filter-repo or BFG Repo-Cleaner to remove them
- Consider using Google Secret Manager for production deployments
About this scan
This issue was created as part of a responsible disclosure effort after scanning public hackathon submissions. No credentials were used or exploited — only a read-only API endpoint was called to check if keys were active. The actual secret values are not included in this issue.
If you believe this is a false positive, feel free to close this issue.
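A check for the two finding types listed in this issue (a PEM private key inside a source file, and a committed `.env` file), written as an added example; it is not the scanner that produced this report and not code from the repository. The rule patterns, function names and sample file contents are assumptions constructed for illustration.

```typescript
// Added example: flags PEM private keys and committed .env files in a file map.
// Patterns and names are illustrative assumptions, not the reporting scanner's rules.
type Finding = { file: string; type: "private-key" | "env-file"; line?: number };

// PEM header for PKCS#8, RSA, EC, DSA, OpenSSH and encrypted private keys.
const PEM_PRIVATE_KEY =
  /-----BEGIN (?:(?:RSA|EC|DSA|OPENSSH|ENCRYPTED) )?PRIVATE KEY-----/;

// .env, .env.test, .env.production.local ... but not templates like .env.example.
const ENV_FILE = /^\.env(?:\.[\w-]+)*$/;
const ENV_TEMPLATE = /\.(?:example|sample|template)$/;

function isCommittedEnvFile(path: string): boolean {
  const base = path.split("/").pop() ?? "";
  return ENV_FILE.test(base) && !ENV_TEMPLATE.test(base);
}

function scanFiles(files: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const file of Object.keys(files)) {
    if (isCommittedEnvFile(file)) findings.push({ file, type: "env-file" });
    // A key pasted into source as a string literal keeps its "\n" escapes,
    // so the PEM header still appears literally on a single line.
    files[file].split(/\r?\n/).forEach((text, i) => {
      if (PEM_PRIVATE_KEY.test(text)) {
        findings.push({ file, type: "private-key", line: i + 1 });
      }
    });
  }
  return findings;
}

// Constructed sample tree; the key body is a placeholder, not a real key.
const sampleRepo: Record<string, string> = {
  "backend/src/config/firebase.ts":
    'const serviceAccount = {\n  private_key: "-----BEGIN PRIVATE KEY-----\\nPLACEHOLDER\\n-----END PRIVATE KEY-----\\n",\n};\n',
  "backend/.env.test": "API_KEY=placeholder\n",
  "backend/.env.example": "API_KEY=\n",
  "backend/src/index.ts": "export const port = 8080;\n",
};

console.log(scanFiles(sampleRepo));
```

Run against the staged file set before each commit, a check like this catches new secrets but does nothing for values already in history, which still need rotation and a history rewrite.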