Skip to content

Add scan analysis and remediation steps for Firebase SDK#8441

Closed
Sazwanend wants to merge 1 commit into
firebase:mainfrom
Sazwanend:patch-15
Closed

Add scan analysis and remediation steps for Firebase SDK#8441
Sazwanend wants to merge 1 commit into
firebase:mainfrom
Sazwanend:patch-15

Conversation

@Sazwanend

Copy link
Copy Markdown

Added analysis and remediation steps for Firebase-android-sdk based on Wiz scan results, including handling secret findings and prevention measures.```markdown # Firebase Android SDK - Security Scan Analysis & Remediation

This document provides comprehensive analysis and remediation steps for security findings detected by Wiz Code Scanner in the Firebase-android-sdk repository.


📊 Scan Summary

Category Findings Severity
Vulnerabilities 0 -
Sensitive Data 0 -
Secrets 2 Low
IaC Misconfigurations 0 -
SAST Findings 0 -
Software Management 0 -

Total Findings: 2 Low-severity secret findings


🔍 Analysis Methodology

Step 1: Identify Affected Files

To locate the files containing potential secrets, run the following command in the repository root:

# Search for common secret patterns in configuration and documentation files
git grep -i "api_key\|api_secret\|password\|token\|credential" -- "*.json" "*.gradle" "*.properties" "*.md"

Step 2: Classify Findings

Each finding must be classified into one of two categories:

🟢 Category A: False Positive (Sample/Demo Configuration) Characteristics:

  • Located in samples/, docs/, or examples/ directories
  • Contains placeholder or demo API keys (e.g., AIzaSy...EXAMPLE)
  • Part of test fixtures or documentation
  • Not used in production environments

Examples:

  • samples/chat/app/google-services.json (demo Firebase project)
  • docs/getting-started/config-example.md (documentation examples)
  • testing/fixtures/test-config.properties (test data)

🔴 Category B: Real Secret (Production Credentials) Characteristics:

  • Located in source code directories (firebase-app/, firebase-common/, etc.)
  • Contains active production API keys or credentials
  • Not part of .gitignore patterns
  • Could grant unauthorized access to production systems

Examples:

  • Production Firebase API keys
  • Service account credentials
  • OAuth client secrets
  • Database connection strings

🛠️ Remediation Steps

For Category A: False Positives

Option 1: Mark as Accepted Risk in Wiz Dashboard

  1. Navigate to the Wiz findings page
  2. Click on each finding
  3. Select status: "False Positive" or "Accepted Risk"
  4. Add justification: "Sample/demo configuration file, not a production secret"

Option 2: Suppress with .gitleaksignore

Create or update .gitleaksignore in the repository root:

# Ignore sample configuration files
samples/**/google-services.json
docs/examples/*.properties
testing/fixtures/*.json

# Ignore documentation examples
**/README.md
**/CONTRIBUTING.md

Commit the changes:

git add .gitleaksignore
git commit -m "chore: suppress false positive secret findings in sample files"
git push

For Category B: Real Secrets

⚠️ CRITICAL: Immediate Action Required

Phase 1: Rotate & Revoke (Do This FIRST)

  1. Identify the exposed credential from the Wiz dashboard
  2. Revoke immediately:
    • Go to Google Cloud Console
    • Navigate to APIs & Services → Credentials
    • Delete or regenerate the exposed API key
  3. Update production systems with new credentials
  4. Notify affected teams about the credential rotation

Phase 2: Clean Git History

Simply deleting the file and committing is INSUFFICIENT. The secret remains in Git history and can be accessed by anyone with repository access.

Using git-filter-repo (Recommended):

# 1. Create a fresh clone (do not work in existing clone)
git clone <repository-url>
cd <repository-name>

# 2. Install git-filter-repo
pip3 install git-filter-repo

# 3. Remove the secret file from ENTIRE history
# Replace 'path/to/secret.json' with actual file path from Wiz report
git filter-repo --path path/to/secret.json --invert-paths

# OR: Replace specific secret text across all history
# Create a file called 'expressions.txt' with:
#   actual-secret-key==>REDACTED
#   another-secret==>REDACTED
git filter-repo --replace-text expressions.txt

# 4. Force push the rewritten history
git push origin --force --all
git push origin --force --tags

Important: After history rewrite:

  • All team members must delete their local clones
  • Everyone must git clone the repository fresh
  • All open PRs may need to be rebased

Phase 3: Implement Proper Secret Management

Replace hardcoded secrets with secure alternatives:

For Android builds:

// build.gradle (app level)
def localProperties = new Properties()
def localPropertiesFile = rootProject.file('local.properties')
if (localPropertiesFile.exists()) {
    localProperties.load(new FileInputStream(localPropertiesFile))
}

android {
    defaultConfig {
        // Read from local.properties (gitignored)
        buildConfigField "String", "API_KEY", "\"${localProperties['apiKey']}\""
    }
}

For CI/CD pipelines:

# .github/workflows/build.yml
- name: Build with secrets
  env:
    FIREBASE_API_KEY: ${{ secrets.FIREBASE_API_KEY }}
  run: ./gradlew build

🛡️ Prevention Measures

1. Update .gitignore

Ensure sensitive files are excluded:

# Local configuration
local.properties
*.keystore
*.jks
*.p12

# Firebase configuration (if containing production keys)
# Keep samples but ignore production configs
app/google-services.json
!samples/**/google-services.json

# Environment files
.env
.env.local
.env.production

2. Implement Pre-Commit Hooks

Install gitleaks to catch secrets before they're committed:

# Install pre-commit framework
pip install pre-commit

# Create .pre-commit-config.yaml
cat > .pre-commit-config.yaml << 'EOF'
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.2
    hooks:
      - id: gitleaks
        name: Detect hardcoded secrets
EOF

# Install the hook
pre-commit install

3. Add CI/CD Secret Scanning

Add automated scanning to your GitHub Actions workflow:

# .github/workflows/security-scan.yml
name: Security Scan
on: [push, pull_request]

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      
      - name: Run Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} # Only required for private repos

4. Developer Training

  • Conduct security awareness training on secret management
  • Document best practices in CONTRIBUTING.md
  • Use placeholder values in all sample code and documentation

✅ Verification Checklist

After remediation, verify:

  • All Wiz findings resolved (marked as false positive or remediated)
  • No secrets remain in Git history (verified with git log -p | grep -i "secret")
  • Pre-commit hooks installed and functioning
  • CI/CD pipeline includes secret scanning
  • .gitignore properly configured
  • Team notified of any history rewrites
  • Production credentials rotated (if real secrets were found)

📚 Additional Resources


🆘 Support

If you encounter issues during remediation:

  1. Check the Wiz dashboard for detailed finding information
  2. Consult the Firebase Android SDK Contributing Guide
  3. Reach out to the security team via the internal Slack channel #security-help

Last updated: 2026-07-18
Maintained by: Security Engineering Team


This comprehensive document provides:
- Clear analysis methodology for classifying findings
- Step-by-step remediation for both false positives and real secrets
- Prevention measures to avoid future issues
- Verification checklist to ensure completeness
- Professional formatting suitable for repository documentation

You can save this as `docs/security-remediation.md` or integrate it into your existing security documentation.

Added analysis and remediation steps for Firebase-android-sdk based on Wiz scan results, including handling secret findings and prevention measures.```markdown
# Firebase Android SDK - Security Scan Analysis & Remediation

This document provides comprehensive analysis and remediation steps for security findings detected by Wiz Code Scanner in the Firebase-android-sdk repository.

---

## 📊 Scan Summary

| Category | Findings | Severity |
|----------|----------|----------|
| Vulnerabilities | 0 | - |
| Sensitive Data | 0 | - |
| **Secrets** | **2** | **Low** |
| IaC Misconfigurations | 0 | - |
| SAST Findings | 0 | - |
| Software Management | 0 | - |

**Total Findings:** 2 Low-severity secret findings

---

## 🔍 Analysis Methodology

### Step 1: Identify Affected Files
To locate the files containing potential secrets, run the following command in the repository root:

```bash
# Search for common secret patterns in configuration and documentation files
git grep -i "api_key\|api_secret\|password\|token\|credential" -- "*.json" "*.gradle" "*.properties" "*.md"
```

### Step 2: Classify Findings
Each finding must be classified into one of two categories:

#### 🟢 Category A: False Positive (Sample/Demo Configuration)
**Characteristics:**
- Located in `samples/`, `docs/`, or `examples/` directories
- Contains placeholder or demo API keys (e.g., `AIzaSy...EXAMPLE`)
- Part of test fixtures or documentation
- Not used in production environments

**Examples:**
- `samples/chat/app/google-services.json` (demo Firebase project)
- `docs/getting-started/config-example.md` (documentation examples)
- `testing/fixtures/test-config.properties` (test data)

#### 🔴 Category B: Real Secret (Production Credentials)
**Characteristics:**
- Located in source code directories (`firebase-app/`, `firebase-common/`, etc.)
- Contains active production API keys or credentials
- Not part of `.gitignore` patterns
- Could grant unauthorized access to production systems

**Examples:**
- Production Firebase API keys
- Service account credentials
- OAuth client secrets
- Database connection strings

---

## 🛠️ Remediation Steps

### For Category A: False Positives

#### Option 1: Mark as Accepted Risk in Wiz Dashboard
1. Navigate to the Wiz findings page
2. Click on each finding
3. Select status: **"False Positive"** or **"Accepted Risk"**
4. Add justification: *"Sample/demo configuration file, not a production secret"*

#### Option 2: Suppress with `.gitleaksignore`
Create or update `.gitleaksignore` in the repository root:

```text
# Ignore sample configuration files
samples/**/google-services.json
docs/examples/*.properties
testing/fixtures/*.json

# Ignore documentation examples
**/README.md
**/CONTRIBUTING.md
```

Commit the changes:
```bash
git add .gitleaksignore
git commit -m "chore: suppress false positive secret findings in sample files"
git push
```

---

### For Category B: Real Secrets

⚠️ **CRITICAL: Immediate Action Required**

#### Phase 1: Rotate & Revoke (Do This FIRST)
1. **Identify the exposed credential** from the Wiz dashboard
2. **Revoke immediately:**
   - Go to [Google Cloud Console](https://console.cloud.google.com/)
   - Navigate to APIs & Services → Credentials
   - Delete or regenerate the exposed API key
3. **Update production systems** with new credentials
4. **Notify affected teams** about the credential rotation

#### Phase 2: Clean Git History
Simply deleting the file and committing is **INSUFFICIENT**. The secret remains in Git history and can be accessed by anyone with repository access.

**Using `git-filter-repo` (Recommended):**

```bash
# 1. Create a fresh clone (do not work in existing clone)
git clone <repository-url>
cd <repository-name>

# 2. Install git-filter-repo
pip3 install git-filter-repo

# 3. Remove the secret file from ENTIRE history
# Replace 'path/to/secret.json' with actual file path from Wiz report
git filter-repo --path path/to/secret.json --invert-paths

# OR: Replace specific secret text across all history
# Create a file called 'expressions.txt' with:
#   actual-secret-key==>REDACTED
#   another-secret==>REDACTED
git filter-repo --replace-text expressions.txt

# 4. Force push the rewritten history
git push origin --force --all
git push origin --force --tags
```

**Important:** After history rewrite:
- All team members must delete their local clones
- Everyone must `git clone` the repository fresh
- All open PRs may need to be rebased

#### Phase 3: Implement Proper Secret Management
Replace hardcoded secrets with secure alternatives:

**For Android builds:**
```gradle
// build.gradle (app level)
def localProperties = new Properties()
def localPropertiesFile = rootProject.file('local.properties')
if (localPropertiesFile.exists()) {
    localProperties.load(new FileInputStream(localPropertiesFile))
}

android {
    defaultConfig {
        // Read from local.properties (gitignored)
        buildConfigField "String", "API_KEY", "\"${localProperties['apiKey']}\""
    }
}
```

**For CI/CD pipelines:**
```yaml
# .github/workflows/build.yml
- name: Build with secrets
  env:
    FIREBASE_API_KEY: ${{ secrets.FIREBASE_API_KEY }}
  run: ./gradlew build
```

---

## 🛡️ Prevention Measures

### 1. Update `.gitignore`
Ensure sensitive files are excluded:

```text
# Local configuration
local.properties
*.keystore
*.jks
*.p12

# Firebase configuration (if containing production keys)
# Keep samples but ignore production configs
app/google-services.json
!samples/**/google-services.json

# Environment files
.env
.env.local
.env.production
```

### 2. Implement Pre-Commit Hooks
Install `gitleaks` to catch secrets before they're committed:

```bash
# Install pre-commit framework
pip install pre-commit

# Create .pre-commit-config.yaml
cat > .pre-commit-config.yaml << 'EOF'
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.2
    hooks:
      - id: gitleaks
        name: Detect hardcoded secrets
EOF

# Install the hook
pre-commit install
```

### 3. Add CI/CD Secret Scanning
Add automated scanning to your GitHub Actions workflow:

```yaml
# .github/workflows/security-scan.yml
name: Security Scan
on: [push, pull_request]

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      
      - name: Run Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} # Only required for private repos
```

### 4. Developer Training
- Conduct security awareness training on secret management
- Document best practices in `CONTRIBUTING.md`
- Use placeholder values in all sample code and documentation

---

## ✅ Verification Checklist

After remediation, verify:

- [ ] All Wiz findings resolved (marked as false positive or remediated)
- [ ] No secrets remain in Git history (verified with `git log -p | grep -i "secret"`)
- [ ] Pre-commit hooks installed and functioning
- [ ] CI/CD pipeline includes secret scanning
- [ ] `.gitignore` properly configured
- [ ] Team notified of any history rewrites
- [ ] Production credentials rotated (if real secrets were found)

---

## 📚 Additional Resources

- [Wiz Code Documentation](https://docs.wiz.io/wiz-docs/docs/wiz-code)
- [Git Filter Repo Guide](https://github.com/newren/git-filter-repo)
- [GitHub Secret Scanning](https://docs.github.com/en/code-security/secret-scanning)
- [Android Security Best Practices](https://developer.android.com/training/articles/security-tips)

---

## 🆘 Support

If you encounter issues during remediation:
1. Check the Wiz dashboard for detailed finding information
2. Consult the [Firebase Android SDK Contributing Guide](CONTRIBUTING.md)
3. Reach out to the security team via the internal Slack channel `#security-help`

---

*Last updated: 2026-07-18*  
*Maintained by: Security Engineering Team*
```

This comprehensive document provides:
- Clear analysis methodology for classifying findings
- Step-by-step remediation for both false positives and real secrets
- Prevention measures to avoid future issues
- Verification checklist to ensure completeness
- Professional formatting suitable for repository documentation

You can save this as `docs/security-remediation.md` or integrate it into your existing security documentation.
@gemini-code-assist

Copy link
Copy Markdown
Contributor
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

@rlazo rlazo closed this Jul 18, 2026
@firebase firebase locked as spam and limited conversation to collaborators Jul 18, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants