Add scan analysis and remediation steps for Firebase SDK#8441
Conversation
Added analysis and remediation steps for Firebase-android-sdk based on Wiz scan results, including handling secret findings and prevention measures.```markdown # Firebase Android SDK - Security Scan Analysis & Remediation This document provides comprehensive analysis and remediation steps for security findings detected by Wiz Code Scanner in the Firebase-android-sdk repository. --- ## 📊 Scan Summary | Category | Findings | Severity | |----------|----------|----------| | Vulnerabilities | 0 | - | | Sensitive Data | 0 | - | | **Secrets** | **2** | **Low** | | IaC Misconfigurations | 0 | - | | SAST Findings | 0 | - | | Software Management | 0 | - | **Total Findings:** 2 Low-severity secret findings --- ## 🔍 Analysis Methodology ### Step 1: Identify Affected Files To locate the files containing potential secrets, run the following command in the repository root: ```bash # Search for common secret patterns in configuration and documentation files git grep -i "api_key\|api_secret\|password\|token\|credential" -- "*.json" "*.gradle" "*.properties" "*.md" ``` ### Step 2: Classify Findings Each finding must be classified into one of two categories: #### 🟢 Category A: False Positive (Sample/Demo Configuration) **Characteristics:** - Located in `samples/`, `docs/`, or `examples/` directories - Contains placeholder or demo API keys (e.g., `AIzaSy...EXAMPLE`) - Part of test fixtures or documentation - Not used in production environments **Examples:** - `samples/chat/app/google-services.json` (demo Firebase project) - `docs/getting-started/config-example.md` (documentation examples) - `testing/fixtures/test-config.properties` (test data) #### 🔴 Category B: Real Secret (Production Credentials) **Characteristics:** - Located in source code directories (`firebase-app/`, `firebase-common/`, etc.) - Contains active production API keys or credentials - Not part of `.gitignore` patterns - Could grant unauthorized access to production systems **Examples:** - Production Firebase API keys - Service account credentials - OAuth client secrets - Database connection strings --- ## 🛠️ Remediation Steps ### For Category A: False Positives #### Option 1: Mark as Accepted Risk in Wiz Dashboard 1. Navigate to the Wiz findings page 2. Click on each finding 3. Select status: **"False Positive"** or **"Accepted Risk"** 4. Add justification: *"Sample/demo configuration file, not a production secret"* #### Option 2: Suppress with `.gitleaksignore` Create or update `.gitleaksignore` in the repository root: ```text # Ignore sample configuration files samples/**/google-services.json docs/examples/*.properties testing/fixtures/*.json # Ignore documentation examples **/README.md **/CONTRIBUTING.md ``` Commit the changes: ```bash git add .gitleaksignore git commit -m "chore: suppress false positive secret findings in sample files" git push ``` --- ### For Category B: Real Secrets⚠️ **CRITICAL: Immediate Action Required** #### Phase 1: Rotate & Revoke (Do This FIRST) 1. **Identify the exposed credential** from the Wiz dashboard 2. **Revoke immediately:** - Go to [Google Cloud Console](https://console.cloud.google.com/) - Navigate to APIs & Services → Credentials - Delete or regenerate the exposed API key 3. **Update production systems** with new credentials 4. **Notify affected teams** about the credential rotation #### Phase 2: Clean Git History Simply deleting the file and committing is **INSUFFICIENT**. The secret remains in Git history and can be accessed by anyone with repository access. **Using `git-filter-repo` (Recommended):** ```bash # 1. Create a fresh clone (do not work in existing clone) git clone <repository-url> cd <repository-name> # 2. Install git-filter-repo pip3 install git-filter-repo # 3. Remove the secret file from ENTIRE history # Replace 'path/to/secret.json' with actual file path from Wiz report git filter-repo --path path/to/secret.json --invert-paths # OR: Replace specific secret text across all history # Create a file called 'expressions.txt' with: # actual-secret-key==>REDACTED # another-secret==>REDACTED git filter-repo --replace-text expressions.txt # 4. Force push the rewritten history git push origin --force --all git push origin --force --tags ``` **Important:** After history rewrite: - All team members must delete their local clones - Everyone must `git clone` the repository fresh - All open PRs may need to be rebased #### Phase 3: Implement Proper Secret Management Replace hardcoded secrets with secure alternatives: **For Android builds:** ```gradle // build.gradle (app level) def localProperties = new Properties() def localPropertiesFile = rootProject.file('local.properties') if (localPropertiesFile.exists()) { localProperties.load(new FileInputStream(localPropertiesFile)) } android { defaultConfig { // Read from local.properties (gitignored) buildConfigField "String", "API_KEY", "\"${localProperties['apiKey']}\"" } } ``` **For CI/CD pipelines:** ```yaml # .github/workflows/build.yml - name: Build with secrets env: FIREBASE_API_KEY: ${{ secrets.FIREBASE_API_KEY }} run: ./gradlew build ``` --- ## 🛡️ Prevention Measures ### 1. Update `.gitignore` Ensure sensitive files are excluded: ```text # Local configuration local.properties *.keystore *.jks *.p12 # Firebase configuration (if containing production keys) # Keep samples but ignore production configs app/google-services.json !samples/**/google-services.json # Environment files .env .env.local .env.production ``` ### 2. Implement Pre-Commit Hooks Install `gitleaks` to catch secrets before they're committed: ```bash # Install pre-commit framework pip install pre-commit # Create .pre-commit-config.yaml cat > .pre-commit-config.yaml << 'EOF' repos: - repo: https://github.com/gitleaks/gitleaks rev: v8.18.2 hooks: - id: gitleaks name: Detect hardcoded secrets EOF # Install the hook pre-commit install ``` ### 3. Add CI/CD Secret Scanning Add automated scanning to your GitHub Actions workflow: ```yaml # .github/workflows/security-scan.yml name: Security Scan on: [push, pull_request] jobs: gitleaks: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - name: Run Gitleaks uses: gitleaks/gitleaks-action@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} # Only required for private repos ``` ### 4. Developer Training - Conduct security awareness training on secret management - Document best practices in `CONTRIBUTING.md` - Use placeholder values in all sample code and documentation --- ## ✅ Verification Checklist After remediation, verify: - [ ] All Wiz findings resolved (marked as false positive or remediated) - [ ] No secrets remain in Git history (verified with `git log -p | grep -i "secret"`) - [ ] Pre-commit hooks installed and functioning - [ ] CI/CD pipeline includes secret scanning - [ ] `.gitignore` properly configured - [ ] Team notified of any history rewrites - [ ] Production credentials rotated (if real secrets were found) --- ## 📚 Additional Resources - [Wiz Code Documentation](https://docs.wiz.io/wiz-docs/docs/wiz-code) - [Git Filter Repo Guide](https://github.com/newren/git-filter-repo) - [GitHub Secret Scanning](https://docs.github.com/en/code-security/secret-scanning) - [Android Security Best Practices](https://developer.android.com/training/articles/security-tips) --- ## 🆘 Support If you encounter issues during remediation: 1. Check the Wiz dashboard for detailed finding information 2. Consult the [Firebase Android SDK Contributing Guide](CONTRIBUTING.md) 3. Reach out to the security team via the internal Slack channel `#security-help` --- *Last updated: 2026-07-18* *Maintained by: Security Engineering Team* ``` This comprehensive document provides: - Clear analysis methodology for classifying findings - Step-by-step remediation for both false positives and real secrets - Prevention measures to avoid future issues - Verification checklist to ensure completeness - Professional formatting suitable for repository documentation You can save this as `docs/security-remediation.md` or integrate it into your existing security documentation.
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. |
Added analysis and remediation steps for Firebase-android-sdk based on Wiz scan results, including handling secret findings and prevention measures.```markdown # Firebase Android SDK - Security Scan Analysis & Remediation
This document provides comprehensive analysis and remediation steps for security findings detected by Wiz Code Scanner in the Firebase-android-sdk repository.
📊 Scan Summary
Total Findings: 2 Low-severity secret findings
🔍 Analysis Methodology
Step 1: Identify Affected Files
To locate the files containing potential secrets, run the following command in the repository root:
Step 2: Classify Findings
Each finding must be classified into one of two categories:
🟢 Category A: False Positive (Sample/Demo Configuration) Characteristics:
samples/,docs/, orexamples/directoriesAIzaSy...EXAMPLE)Examples:
samples/chat/app/google-services.json(demo Firebase project)docs/getting-started/config-example.md(documentation examples)testing/fixtures/test-config.properties(test data)🔴 Category B: Real Secret (Production Credentials) Characteristics:
firebase-app/,firebase-common/, etc.).gitignorepatternsExamples:
🛠️ Remediation Steps
For Category A: False Positives
Option 1: Mark as Accepted Risk in Wiz Dashboard
Option 2: Suppress with
.gitleaksignoreCreate or update
.gitleaksignorein the repository root:Commit the changes:
git add .gitleaksignore git commit -m "chore: suppress false positive secret findings in sample files" git pushFor Category B: Real Secrets
Phase 1: Rotate & Revoke (Do This FIRST)
Phase 2: Clean Git History
Simply deleting the file and committing is INSUFFICIENT. The secret remains in Git history and can be accessed by anyone with repository access.
Using
git-filter-repo(Recommended):Important: After history rewrite:
git clonethe repository freshPhase 3: Implement Proper Secret Management
Replace hardcoded secrets with secure alternatives:
For Android builds:
For CI/CD pipelines:
🛡️ Prevention Measures
1. Update
.gitignoreEnsure sensitive files are excluded:
2. Implement Pre-Commit Hooks
Install
gitleaksto catch secrets before they're committed:3. Add CI/CD Secret Scanning
Add automated scanning to your GitHub Actions workflow:
4. Developer Training
CONTRIBUTING.md✅ Verification Checklist
After remediation, verify:
git log -p | grep -i "secret").gitignoreproperly configured📚 Additional Resources
🆘 Support
If you encounter issues during remediation:
#security-helpLast updated: 2026-07-18
Maintained by: Security Engineering Team