PkgRadar

Go modules · proxy.golang.org

github.com/leg100/ots

Credential file access: matched "GOOGLE_APPLICATION_CREDENTIALS"

Why PkgRadar flagged v0.6.4-0.20260611175813-5926849db194

SeveritySignalEvidence
mediumCredential file accessmatched "GOOGLE_APPLICATION_CREDENTIALS" · github.com/leg100/[email protected]/internal/dynamiccreds/gcp.go

Scanned versions

VersionVerdictScoreScanned (UTC)
v0.6.4-0.20260611175813-5926849db194Review102026-06-17
v0.6.3Review102026-06-17
v0.6.3-0.20260608125234-5c6fb5f8fff7Review102026-06-10
v0.6.2Review102026-06-10
v0.6.2-0.20260603175404-941a12b415f5Review102026-06-04
v0.6.1Review102026-06-04
v0.6.1-0.20260528205456-ffbb960a6569Review102026-06-04
v0.6.0Review102026-06-04

Block this in CI

PkgRadar gates github.com/leg100/ots (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem go github.com/leg100/[email protected]
Start free — 25 scans / moView full evidence
github.com/leg100/ots — Go modules security scan | PkgRadar