{"id":13609783,"url":"https://github.com/google/secrets-gradle-plugin","last_synced_at":"2026-03-02T13:41:04.723Z","repository":{"id":40402368,"uuid":"333163297","full_name":"google/secrets-gradle-plugin","owner":"google","description":"A Gradle plugin for providing your secrets to your Android project.","archived":false,"fork":false,"pushed_at":"2024-08-27T16:49:11.000Z","size":222,"stargazers_count":1269,"open_issues_count":37,"forks_count":120,"subscribers_count":17,"default_branch":"main","last_synced_at":"2026-02-27T21:29:11.808Z","etag":null,"topics":["android","gradle-plugin","groovy","kotlin"],"latest_commit_sha":null,"homepage":"","language":"Kotlin","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/google.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-01-26T17:32:16.000Z","updated_at":"2026-02-21T13:33:32.000Z","dependencies_parsed_at":"2024-08-01T19:43:33.615Z","dependency_job_id":"f41e4c38-95cf-4f9c-bc8a-6b11eee1f6f6","html_url":"https://github.com/google/secrets-gradle-plugin","commit_stats":null,"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"purl":"pkg:github/google/secrets-gradle-plugin","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fsecrets-gradle-plugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fsecrets-gradle-plugin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fsecrets-gradle-plugin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fsecrets-gradle-plugin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/google","download_url":"https://codeload.github.com/google/secrets-gradle-plugin/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fsecrets-gradle-plugin/sbom","scorecard":{"id":437873,"data":{"date":"2025-08-11","repo":{"name":"github.com/google/secrets-gradle-plugin","commit":"5c3b339fe27d99da803b4a007086d4338139087c"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.5,"checks":[{"name":"Binary-Artifacts","score":9,"reason":"binaries present in source code","details":["Warn: binary detected: gradle/wrapper/gradle-wrapper.jar:1"],"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":1,"reason":"Found 4/21 approved changesets -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/release.yml:1","Warn: no topLevel permission defined: .github/workflows/test.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/google/secrets-gradle-plugin/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/google/secrets-gradle-plugin/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/google/secrets-gradle-plugin/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/google/secrets-gradle-plugin/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/google/secrets-gradle-plugin/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/google/secrets-gradle-plugin/test.yml/main?enable=pin","Warn: npmCommand not pinned by hash: .github/workflows/release.yml:48","Info:   0 out of   5 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned","Info:   0 out of   1 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yml:21"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/google/.github/SECURITY.md:1","Info: Found linked content: github.com/google/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/google/.github/SECURITY.md:1","Info: Found text in security policy: github.com/google/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Branch-Protection","score":1,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Warn: 'force pushes' enabled on branch 'main'","Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'","Warn: 'stale review dismissal' is disabled on branch 'main'","Warn: required approving review count is 1 on branch 'main'","Warn: codeowners review is required - but no codeowners file found in repo","Warn: 'last push approval' is disabled on branch 'main'","Warn: no status checks found to merge onto branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 22 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-19T05:05:22.306Z","repository_id":40402368,"created_at":"2025-08-19T05:05:22.307Z","updated_at":"2025-08-19T05:05:22.307Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29954721,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-28T22:53:01.873Z","status":"ssl_error","status_checked_at":"2026-02-28T22:52:50.699Z","response_time":90,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","gradle-plugin","groovy","kotlin"],"created_at":"2024-08-01T19:01:37.992Z","updated_at":"2026-03-02T13:41:04.703Z","avatar_url":"https://github.com/google.png","language":"Kotlin","funding_links":[],"categories":["Android","Kotlin"],"sub_categories":["Android libraries"],"readme":"# Secrets Gradle Plugin for Android\n![Tests](https://github.com/google/secrets-gradle-plugin/workflows/Tests/badge.svg)\n![Apache-2.0](https://img.shields.io/badge/license-Apache-blue)\n\nA Gradle plugin for providing your secrets securely to your Android project.\n\nThis Gradle plugin reads secrets from a properties file **not checked into version control**,\nsuch as `local.properties`, and expose those properties as variables in the Gradle-generated `BuildConfig`\nclass and in the Android manifest file.\n\n**DISCLAIMER:** This plugin is primarily for hiding your keys from version control. Since your key is part of the static binary, your API keys are still recoverable by decompiling an APK. So, securing your key using other measures like adding restrictions (if possible) are recommended.\n\n## Requirements\n* Gradle-based Android project\n* Android Gradle plugin 7.0.2\n\n## Installation\n\n**NOTE**: Starting from v1.1.0, the plugin ID was changed to \"com.google.android.libraries.mapsplatform.secrets-gradle-plugin\" and the plugin is now being distributed via Google Maven (gMaven).  You can still download previous versions of the plugin from Gradle's plugin portal, but new versions will now only be distributed through gMaven.\n\n1. In your project's root `build.gradle` file:\n\nGroovy:\n```groovy\nbuildscript {\n    dependencies {\n        classpath \"com.google.android.libraries.mapsplatform.secrets-gradle-plugin:secrets-gradle-plugin:2.0.1\"\n    }\n}\n```\n\nKotlin:\n```kotlin\nbuildscript {\n    dependencies {\n        classpath(\"com.google.android.libraries.mapsplatform.secrets-gradle-plugin:secrets-gradle-plugin:2.0.1\")\n    }\n}\n```\n\n2. In your app-level `build.gradle` file:\n\nGroovy:\n```groovy\nplugins {\n    id 'com.google.android.libraries.mapsplatform.secrets-gradle-plugin'\n}\n```\n\nKotlin:\n```groovy\nplugins {\n    id(\"com.google.android.libraries.mapsplatform.secrets-gradle-plugin\")\n}\n```\n\nThis plugin also supports library module type (`com.android.library`). Just install the plugin in your library-level `build.gradle` file and keys will be visible inside that module as well.\n\n### Snapshot Releases\n\nSnapshot releases, which are distributed via [GitHub Packages](https://github.com/orgs/google/packages?repo_name=secrets-gradle-plugin), are also available for latest fixes. To use a snapshot release, add the following repository to your project-level `build.gradle` file:\n\nGroovy:\n```groovy\nbuildscript {\n    repositories {\n        maven {\n            url = uri(\"https://maven.pkg.github.com/google/secrets-gradle-plugin\")\n            credentials {\n                username = project.findProperty(\"GITHUB_USER\") ?: System.getenv(\"GITHUB_USER\")\n                password = project.findProperty(\"GITHUB_TOKEN\") ?: System.getenv(\"GITHUB_TOKEN\")\n            }\n        }\n    }\n    dependencies {\n        classpath \"com.google.android.libraries.mapsplatform.secrets-gradle-plugin:secrets-gradle-plugin:\u003cversion\u003e-SNAPSHOT\"\n    }\n}\n```\n\nAlso, see [Authenticating to GitHub Packages](https://docs.github.com/en/packages/learn-github-packages/introduction-to-github-packages#authenticating-to-github-packages).\n\n\n## Example Usage\n\nExample contents of `local.properties` under your root project:\n```\napiKey=YOUR_API_KEY\n```\n\nAfter applying the plugin and building your project, the API key then becomes accessible in two ways.\n\n  1. As a `BuildConfig` value:\n  ```kotlin\n  val apiKey = BuildConfig.apiKey\n  ```\n  2. As a variable accessible in your `AndroidManifest.xml` file:\n  ```xml\n  \u003cmeta-data android:value=\"${apiKey}\" /\u003e\n  ```\n\n## CI/CD Systems\n\nFor CI/CD systems, consider creating and checking in version control a default properties file with all\nthe same keys required by your app but with _safe_ default values. To do this, create a properties file\nand set the `defaultPropertiesFileName` value to that file name. For example:\n\n```groovy\nsecrets {\n    defaultPropertiesFileName = 'local.defaults.properties'\n}\n```\n\n## Configuration Options\n\nThe plugin can optionally be configured:\n\n```groovy\nsecrets {\n    // Change the properties file from the default \"local.properties\" in your root project\n    // to another properties file in your root project.\n    propertiesFileName 'secrets.properties'\n\n    // A properties file containing default secret values. This file can be checked in version\n    // control.\n    defaultPropertiesFileName = 'secrets.defaults.properties'\n\n    // Configure which keys should be ignored by the plugin by providing regular expressions.\n    // \"sdk.dir\" is ignored by default.\n    ignoreList.add(\"keyToIgnore\") // Ignore the key \"keyToIgnore\"\n    ignoreList.add(\"sdk.*\")       // Ignore all keys matching the regexp \"sdk.*\"\n}\n```\n\n### Build-Variant Specific Properties\n\nTo set build-variant specific properties (build type or flavor), create a properties file at the\nroot directory of the project with the same name as the variant. For example, to set keys specific\nfor the `release` build type, create a new file called `release.properties` containing\nrelease-specific keys.\n\n## Contributing\n\nContributions to this library are always welcome and highly encouraged!\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) and [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md) for more \ninformation on how to get started.\n\n## License\nApache 2.0. See [LICENSE](LICENSE) for more information.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fsecrets-gradle-plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogle%2Fsecrets-gradle-plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fsecrets-gradle-plugin/lists"}