
False Positive, and the Email link doesn't work

Open jaakidup opened this issue 5 years ago • 6 comments

There was just a false positive on one of my repos, where a Google API key is in the JavaScript. I tried clicking the false positive button on the email, but that didn't work... Google API keys embedded in JavaScript front-ends are available for the public to see in any case, as the JavaScript is run client side. :)

jaakidup avatar Mar 07 '19 12:03 jaakidup

Thanks for your feedback :). We will definitely look into the link for the false positive button.

For the secret detection part we are working on excluding Google API keys that are designed to be exposed publicly.

ericfourrier avatar Mar 13 '19 14:03 ericfourrier

Should be fixed right now, thanks. Closing the issue.

ericfourrier avatar Mar 15 '19 07:03 ericfourrier

@ericfourrier should both issues be fixed or just the button? I've also received a false positive for an OAuth 2.0 Client "Secret" (not sure if those are in some way different from other Google API keys) in an open source Java application just about 25 minutes ago.

Johni0702 avatar Mar 15 '19 17:03 Johni0702

I also had this false positive. My API key is for a JavaScript front end connected to Firebase, which is intended to be public.

NoahRoseLedesma avatar Apr 05 '19 19:04 NoahRoseLedesma

Just got another false positive.

For your reference this is what the Firebase console tells you to put in your web-apps:


```html
<script src="https://www.gstatic.com/firebasejs/5.10.0/firebase.js"></script>
<script>
  // Initialize Firebase
  var config = {
    apiKey: "AIzaSyCmE__wXbMOsoM4_xey2a__Ikc589_jWCg",
    authDomain: "ollyg-game-deals.firebaseapp.com",
    databaseURL: "https://ollyg-game-deals.firebaseio.com",
    projectId: "ollyg-game-deals",
    storageBucket: "ollyg-game-deals.appspot.com",
    messagingSenderId: "887268788986"
  };
  firebase.initializeApp(config);
</script>
```

Noah-Huppert avatar Apr 23 '19 03:04 Noah-Huppert
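
One way a secret scanner could separate the Firebase web-config case discussed in this thread from other Google-format key matches, as an added example that is not the project's detection code or part of any comment above. It assumes Google API keys match `AIza` plus 35 URL-safe characters; `enclosingObject` and `triageGoogleKeys` are hypothetical names, and the sample inputs are constructed with placeholder keys.

```javascript
// Assumption: Google API keys are "AIza" followed by 35 URL-safe characters.
const GOOGLE_KEY_RE = /AIza[0-9A-Za-z_-]{35}/g;

// Fields the Firebase console emits next to apiKey in a web config
// (field names taken from the snippet posted in this thread).
const FIREBASE_FIELDS = [
  /authDomain\s*:\s*["'][a-z0-9-]+\.firebaseapp\.com["']/,
  /projectId\s*:\s*["'][a-z0-9-]+["']/,
  /messagingSenderId\s*:\s*["']\d+["']/,
];

// Hypothetical helper: text between the nearest "{" before the match and the
// nearest "}" after it. A simple heuristic, not a JavaScript parser.
function enclosingObject(text, index) {
  const open = text.lastIndexOf("{", index);
  const close = text.indexOf("}", index);
  return open === -1 || close === -1 ? "" : text.slice(open, close + 1);
}

// Hypothetical classifier: every match is still reported, but a key sitting
// inside a Firebase web config is tagged so it can be routed away from
// secret-leak alerts instead of being silently dropped.
function triageGoogleKeys(text) {
  const findings = [];
  for (const m of text.matchAll(GOOGLE_KEY_RE)) {
    const block = enclosingObject(text, m.index);
    const hits = FIREBASE_FIELDS.filter((re) => re.test(block)).length;
    findings.push({
      offset: m.index,
      redacted: m[0].slice(0, 8) + "...", // never log the full match
      verdict: hits >= 2 ? "firebase-web-config" : "needs-review",
    });
  }
  return findings;
}

// Constructed sample input (placeholder key, not a real credential).
const FAKE_KEY = "AIza" + "X".repeat(35);
const firebaseSample = `var config = {
  apiKey: "${FAKE_KEY}",
  authDomain: "example-app.firebaseapp.com",
  projectId: "example-app",
  messagingSenderId: "123456789012"
};`;
const serverSample = `const MAPS_SERVER_KEY = "${FAKE_KEY}";`;

console.log(triageGoogleKeys(firebaseSample));
console.log(triageGoogleKeys(serverSample));
```

Requiring two of the three sibling fields keeps a lone `projectId` elsewhere in a file from downgrading an unrelated key.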

I am still getting the false positive notification about allegedly exposed API keys. It's not critical, though, but necessary when using Google Firebase.

nikita-fuchs avatar Mar 30 '20 12:03 nikita-fuchs