False positive, Firebase API key

[19007361]

Hello, and thank you for the GitGuardian service that you provide, it is really useful.

I want to point out that you should not auto-detect a Firebase API key as "compromised" since this is not a private key but a public key that any entity should access in order to connect to the Firebase API that was set up. Authentication allows only some/all end-users to access/modify/validate certain parts of it, so the API key is not the one that should be guarded.
https://stackoverflow.com/questions/35418143/how-to-restrict-firebase-data-modification

[jcubic]

Agree, Firebase in JavaScript are public keys, even that they look like private, everything what need to be in JS is public.

[fedorareis]

Per the documentation on Firebase Config files. API keys are considered unique but public information. https://firebase.google.com/docs/projects/learn-more#config-files-objects

[Unikore]

Just received an alert for the same thing, it's really a false positive.