Add credential inventory, rotation runbook, and CI secret scanning

Author: agha64113-creator

.github/workflows/secret-scanning.yml

@@ -0,0 +1,33 @@
+name: Secret Scanning
+
+on:
+  pull_request:
+  push:
+    branches: [ main, master ]
+
+jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run Gitleaks against target files
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          args: >-
+            detect
+            --config=.gitleaks.toml
+            --source=.
+            --redact
+            --verbose
+            --log-level=warn
+            --report-format=sarif
+            --report-path=gitleaks.sarif
+            --max-target-megabytes=20
+            --no-git
+            --path='**/*.env'

.gitleaks.toml

@@ -0,0 +1,26 @@
+title = "generative-ai secret scanning policy"
+
+[allowlist]
+description = "Allow placeholder values used in documentation and examples"
+paths = [
+  '''(?i).*README\.md$''',
+  '''(?i).*docs/.*\.md$''',
+  '''(?i).*\.ipynb$'''
+]
+regexes = [
+  '''(?i)your[_-]?(api|secret|token|key)''',
+  '''(?i)example[_-]?(api|secret|token|key)''',
+  '''(?i)changeme'''
+]
+
+[[rules]]
+id = "provider-api-keys"
+description = "Potential provider API keys and secrets"
+regex = '''(?i)(openai|gemini|google|drive|elevenlabs|deepgram|assemblyai|voice|tts|stt)[a-z0-9_\-]{0,30}(api[_-]?key|secret|token)["'=: ]+[A-Za-z0-9_\-]{16,}'''
+keywords = ["api_key", "secret", "token", "openai", "gemini", "google", "drive", "elevenlabs", "deepgram", "assemblyai"]
+
+[[rules]]
+id = "google-service-account-json"
+description = "Google service account key fields"
+regex = '''(?i)"private_key"\s*:\s*"-----BEGIN PRIVATE KEY-----'''
+keywords = ["private_key", "client_email", "service_account"]

.pre-commit-config.yaml

@@ -0,0 +1,9 @@
+repos:
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.24.2
+    hooks:
+      - id: gitleaks
+        args:
+          - --config=.gitleaks.toml
+          - --verbose
+        files: '(?i)(\.env($|\.)|\.json$|\.ipynb$|\.log$|\.out$)'

security/credential_inventory_and_rotation.md

@@ -0,0 +1,41 @@
+# Credential Inventory and Rotation Plan
+
+Date: 2026-05-19 (UTC)
+
+## 1) Inventory of credentials referenced by app modules
+
+| Service | Credential/env var | Example modules |
+|---|---|---|
+| Gemini / Google GenAI | `GOOGLE_API_KEY` | `gemini/mcp/mcp_orchestration_app/src/gemini_client.py`, `gemini/multimodal-live-api/project-livewire/server/config/config.py`, `gemini/sample-apps/gemini-streamlit-cloudrun/app.py` |
+| Gemini (legacy naming) | `GEMINI_API_KEY` | `gemini/sample-apps/gemini-quart-cloudrun/app/app.py`, `gemini/sample-apps/gemini-live-telephony-app/main.py` |
+| Google Cloud auth | `GOOGLE_APPLICATION_CREDENTIALS` | `gemini/sample-apps/swot-agent/agent.py`, `gemini/mcp/mcp_orchestration_app/example.env` |
+| Vertex toggle | `GOOGLE_GENAI_USE_VERTEXAI` | `gemini/multimodal-live-api/project-livewire/server/config/config.py`, `gemini/mcp/adk_mcp_app/README.md` |
+| Voice provider options | model voice config values (`VOICE_*`) | `gemini/multimodal-live-api/project-livewire/server/config/config.py` |
+
+No active OpenAI-specific, Google Drive-specific, or third-party voice API key variables (e.g., `OPENAI_API_KEY`, `DEEPGRAM_API_KEY`, `ELEVENLABS_API_KEY`, `ASSEMBLYAI_API_KEY`) were found in the scoped app modules during this pass.
+
+## 2) Rotation + revocation runbook (mandatory)
+
+Because this repository cannot revoke provider credentials directly, perform these steps immediately in provider consoles:
+
+1. Create replacement keys/service-account credentials for each live secret above.
+2. Update secret manager entries / CI env vars / runtime env vars.
+3. Redeploy every affected service.
+4. Validate smoke tests and auth paths.
+5. Revoke or disable previous keys immediately.
+
+## 3) Key restrictions and quota ceilings
+
+Apply for each provider where supported:
+- Restrict by application origin/domain for browser-exposed keys.
+- Restrict by source IP/CIDR for server-side keys.
+- Restrict by API scope/service.
+- Configure per-key quota ceilings and alerting.
+
+## 4) Validation checklist
+
+- [ ] New keys deployed to all environments.
+- [ ] Old keys revoked.
+- [ ] API calls succeed with new keys.
+- [ ] 401/403 checks confirm old keys invalid.
+- [ ] Budget/quota alerts configured.

security/incident-log-2026-05-19.md

@@ -0,0 +1,18 @@
+# Security Incident Log: Credential Rotation
+
+- Incident date: 2026-05-19 (UTC)
+- Trigger: Requested emergency credential hygiene hardening.
+
+## Affected services
+- Gemini / Google GenAI API-key consumers
+- Vertex/ADC service-account consumers
+
+## Rotation execution record
+- Rotation started: 2026-05-19T00:00:00Z (to be updated by operator)
+- Rotation completed: PENDING OPERATOR ACTION
+- Old key revocation completed: PENDING OPERATOR ACTION
+
+## Post-rotation validation
+- Secret scanning controls added in repo CI + pre-commit.
+- Provider-side live key rotation/revocation still required and must be executed in cloud/provider consoles.
+- Validation status after operator action: PENDING