Stop Leaked Credentials in Their Tracks with Veles, Our New Open-Source Secret Scanner

by Kevin Dungs, Charl de Nysschen & Sarah Lucas, Google

In today's complex software supply chain, a single leaked credential—an API key, a service account token, a password—can be all an attacker needs to breach your systems. These secrets can be accidentally committed to a source code repository, embedded in a container image, or attached to a support ticket, creating a critical and often invisible risk.

To help developers and security teams proactively find and fix these exposures, we are excited to announce Veles, a new open-source secret and credential scanner from Google.

Veles is designed to detect unintended exposure of sensitive credentials across your organization's internal systems. It helps you find secrets where they don't belong, so you can prevent them from being abused.

Why Veles? Key Features

Veles is a new, standalone module within our OSV-SCALIBR (Software Composition Analysis LIBRary) ecosystem, but it is built to be used independently. This means you can easily integrate it into your existing security tooling or use it as a standalone scanner.

In its initial release, Veles helps you find high-risk secrets in source code and user-provided artifacts. Our detection library currently identifies:

• Google Cloud Platform (GCP) API Keys
• GCP Service Account Keys
• RubyGems API Keys

This is just the beginning. Veles is built to be extensible, allowing for the rapid addition of new secret types.

Battle-Tested at Google: Powerful Real-World Integration

At Google, we're not just releasing Veles; we're actively using it to protect our own systems and the open-source ecosystem.

• Internal Protection: Veles is already scanning Google's internal source code repositories and artifacts, helping us find and remediate leaked secrets before they become a problem.
• Securing the Open Source Ecosystem: The Google Open Source Security Team is incorporating Veles into its pipeline that powers deps.dev, scanning hundreds of millions of open-source artifacts (packages, Docker images, and repositories) to detect and remediate leaked credentials across the community.
• Integration with Google Cloud Products: Veles is being integrated directly into Google Cloud security services to bring secret scanning to our customers:
  • Artifact Analysis & Artifact Registry: Veles will power secret scanning in Artifact Registry, with findings surfaced through the Container Analysis API and, eventually, in the Artifact Registry UI.
  • Security Command Center (SCC): SCC's integration will provide comprehensive secret detection across the entire cloud lifecycle. This means scanning "left" into the development pipeline (like Infrastructure as Code) and "right" into active runtime environments (like Compute Engine and GKE). SCC will then unify these findings, helping you prioritize the most critical exposures and visualize potential attack paths.

The Road Ahead: What's Next for Veles?

This first release is a foundational step. Our roadmap for Veles includes:

• Broader Detection: We will continuously expand the library of supported secret and credential types.
• Automated Validation: We plan to add functionality to intelligently validate if a discovered secret is active.
• Remediation Workflows: In the future, we aim to help automate the revocation of confirmed, leaked secrets.

Get Started with Veles Today

Veles is open-source and ready for you to use. You can integrate it into your CI/CD pipeline, run it against your existing repositories, or contribute to its development. Protecting your organization from leaked credentials is a critical part of a strong security posture, and Veles is here to help.

Ready to start scanning? Head over to the Veles GitHub repository to get started!

This Week in Open Source #4

This Week in Open Source for July 18, 2025

A look around the world of open source
by Daryl Ducharme & amanda casari, Google Open Source Programs Office

Getting into the middle of July, we've been reading lots of various articles. Here's the upcoming events and some of our favorites.

Upcoming Events

• July 24-29: GUADEC 2025, the Gnome community's largest conference is in Brescia, Italy.
• July 31-August 3: FOSSY (Free and Open Source Software Yearly) will be held in Portland, Oregon and is focused on the creation and impact of free and open source software, uplifting contributors of all experience.
• August 14-16: Open Source Festival 2025 (OSCAFest'25) is happening in Lagos, Nigeria. It uses community to help integrate the act of open source contribution to African developers whilst strongly advocating the movement of free and open source software.

Open Source Reads and Links

• [Article] Open Source at the Crossroads of AI Opportunity and Cybersecurity Necessity - A follow up to many of the events from Open Source Summit North America with much discussion around AI's impact on labor and cybersecurity.
• [Paper] A Toolkit For Measuring The Impacts Of Public Funding On Open Source Software Development - Funding in the open source world is complex. This toolkit seeks to inform discussions about the value of public funding for OSS.
• [Release Notes] Mastodon 4.4 - The open source microblogging platform has had another release milestone. Check out enhancements like: Featured posts & tags, improved list management, media control improvements (run a podcast from a mastodon account!), quote posts are coming, and more.
• [Articles] Digital sovereignty leads to multiple governments, from local to national, choosing to move from proprietary software to open source options. For examples Denmark Set to Replace Microsoft Office with Open Source Alternative and the French City of Lyon Kicks Out Microsoft and Data Sovereignty in Uncertain Times discussing how you should look at all your cloud provider options.

What exciting open source events and news are you hearing about? Let us know on our @GoogleOSS X account.

Unlocking High-Performance AI/ML in Kubernetes with DRANet and RDMA

DraNet Enters Beta! High-Performance Networking in Kubernetes

by Antonio Ojea & Federico Bongiovanni, Kubernetes/GKE

We are excited to announce that DraNet has officially entered a beta state! This marks a major leap forward in our mission to streamline and enhance high-performance networking for AI and HPC workloads within Kubernetes. As we progress towards a stable General Availability (GA) release, we are eager to gather your feedback on the current state of the project.

Why DraNet?

DraNet was born from the lessons we learned at Google, observing the challenges end-users faced when running AI and HPC workloads on Kubernetes. The existing networking solutions, often repurposed from traditional networking or bespoke and complex, fell short of providing a good user experience and efficient operational models.
For instance, managing RDMA (Remote Direct Memory Access) interfaces often involved a complex combination of CNI chaining and device plugins. This not only created an unnecessary operational overhead for administrators but also led to coordination issues between different components that needed to work in harmony impacting resilience and scalability.
Another significant pain point we identified was the need for fine-grained interface tuning. AI workloads, for example, are extremely sensitive to latency. The presence of some eBPF programs on network interfaces, or the need to configure specific NIC parameters, could severely impact performance latency and/or throughput. Users were often forced to create custom init containers just to apply these settings, adding another layer of complexity.

Introducing DraNet: A Native and Declarative Solution

DraNet is a native integration with Kubernetes that uses the core Dynamic Resource Allocation (DRA) API to address these challenges by treating high-performance network interfaces as first-class citizens in Kubernetes. Here's how:

• Simplified RDMA Management: DraNet manages RDMA interfaces natively, handling the different requirements to offer a unified and seamless user experience. No more need for coordinating different components.
• Declarative Interface Tuning: With DraNet, you can declaratively set interface properties. Need to disable eBPF programs to reduce packet processing overhead or set specific NIC parameters? You can now do this directly in your Kubernetes manifests, eliminating the need for custom scripts or init containers.
• Standalone and Secure: DraNet is designed as a standalone binary, allowing it to run in a distroless container. This significantly reduces the attack surface and the frequency of security-related updates for the container image. By interacting directly with the kernel via stable APIs like netlink, it avoids dependencies on third-party projects, improving both resilience and performance.
• Lightweight and Fast: The DraNet container image, with a compressed size of less than 50MB, has a direct impact on node startup times, allowing for faster deployment and scaling of your workloads.

Beta Release and the Road to GA

DraNet is now in a beta state, signifying that it is ready for broader community testing and feedback. This move to beta is aligned with the maturation of the Kubernetes Dynamic Resource Allocation (DRA) KEP (KEP-4381), a foundational technology for DraNet. We are continuing our active development as we work towards a future General Availability release.

We Welcome Your Feedback and Contributions!

DraNet is an open-source project, and we believe that community involvement is key to its success. As we work towards our GA release, we welcome your feedback, whether it's on the design, user experience, or performance.
You can contribute in many ways:

• Code contributions: We have a fast-paced development cycle and welcome new contributors. Check out our contributing guidelines to get started.
• Documentation: Help us improve our documentation to make it easier for new users to get started with DraNet.
• Share your opinion: Your feedback is invaluable. Let us know how you are using DraNet and what we can do to make it better.

To learn more about DraNet and get started, please visit https://dranet.dev/. We look forward to building the future of high-performance networking in Kubernetes with you!

This Week in Open Source #3

This Week in Open Source for July 11, 2025

A look around the world of open source
by Daryl Ducharme, Erin McKean & amanda casari, Google Open Source Programs Office

We took a break as there was a holiday in the US that shortened our work week, but we are back to share what our open source world has to offer.

Upcoming Events

• July 14-19: The 26th annual Debian Conference (DebConf) for Debian contributors and users interested in improving Debian is in Brest, France.
• July 24-29: GUADEC 2025, the Gnome community's largest conference is in Brescia, Italy.
• July 31-August 3: FOSSY (Free and Open Source Software Yearly) will be held in Portland, Oregon and is focused on the creation and impact of free and open source software, uplifting contributors of all experience.

Open Source Reads and Links

• [Article] libxml2 Maintainer Ends Embargoed Vulnerability Reports, Citing Unsustainable Burden - Solo maintainer of small project won't embargo security vulnerabilities any more; will just treat them like regular bugs. This might bring up security concerns for those that use it but it highlights the need for more contributions required for important work.
• [Podcast] Managing community contributors with Alya Abbott - In this episode of The Business of Open Source podcast the COO of Zulip discusses the management of community contributions, including their downsides.
• [Blog] Towards Digital Sovereignty: Decisions About Control We Make Every Day - Digital sovereignty. What is it? Where did it come from? And how might we best think about it based on our personal or company needs?
• [Report] The Python Software Foundation 2024 Annual Impact Report - PSF has released their annual organization report for community accountability, transparency, and discussion.
• [Mailing List message] What's Next? - This mailing list message shows new life in the development of the copyleft-next license.
• [Blog] Command line magic: Extracting links with awk, grep, and tr - Sometimes it's nice to be reminded of the tools we have at our disposal and how we can use them to make everyday tasks easier. This article from an ATO contributor shows some tips and tricks for a little command line magic that we may have forgotten about (or never thought of).

What exciting open source events and news are you hearing about? Let us know on our @GoogleOSS X account.

This Week in Open Source #2

This Week in Open Source for June 27, 2025

A look around the world of open source
By Daryl Ducharme & amanda casari - Google Open Source Programs Office

With Open Source Summit North America (OSSNA) this week, it has been an exciting week.

OSSNA Keynote Announcements and more you may have missed

• Google transfers Agent 2 Agent (A2A) protocol to the Linux Foundation.
• Model Signing v1.0 was released by OpenSSF in April.
• Nvidia shipped over 1 Billion RISC-V cores in 2024.
• Overture Maps Foundation now has over 1 billion points of interest.
• Tazama - Open source software to provide realtime prevention of financial fraud. Especially useful in developing areas.
• Cloudflare now supports C2PA - With our current technology, content provenance assurances are more important than ever.
• CNCF launched GitJobs.
• Fair Package Manager Project for Wordpress provides open source content management system stability.

Upcoming Events

• July 7-13: The 24th annual SciPy conference will be held in Tacoma, Washington. It brings together attendees from industry, academia, and government to showcase their latest Python projects, learn from skilled users and developers, and collaborate on code development.
• July 8-9: The Beam Summit is happening in New York City. It is the leading conference for Apache Beam, the unified programming model for batch and stream data processing.
• July 14-19: The 26th annual Debian Conference (DebConf) for Debian contributors and users interested in improving Debian is in Brest, France.
• July 24-29: GUADEC 2025, the Gnome community's largest conference is in Brescia, Italy.

Open Source Reads and Links

• Everything Open Source - Open Source Events - Everything Open Source does many things in and for open source - maintaining a community list of events for the past three years is just one of them.
• Keeping the Web Up Under the Weight of AI Crawlers - Interesting explanation of robots.txt open protocol and how the open web is being challenged by needed updates/changes from AI crawlers.
• A Family of Forks - Daniel Stenberg, lead maintainer of curl, describes the work required to keep curl getting built with 11 modern Transport Layer Security (TLS) libraries
• Introducing the new API for OSI approved licenses - OSI has a new API for checking against approved open source licenses.
• What's new in Apache Iceberg 3.0 - The open data lakehouse keeps getting better with Iceberg v3. This article goes into the details and also takes a peak at what should be coming in v4.
• What would Kubernetes 2.0 look like? - Kubernetes is all over the tech world. So, what change to the defaults in K8s would keep it moving in that forward direction?
• Ubuntu 25.10 replaces sudo with a Rust based equivalent - While not quite at release yet, sudo-rs, a Rust based sudo replacement will soon be the norm on Ubuntu. Will other distros follow suit?

What exciting open source events and news are you hearing about? Let us know on our @GoogleOSS X account.