Comment by greatgib

"Google Cloud Platform (GCP) credentials were the most leaked secret type on GitLab repositories"

Not surprising, Google SDK are sucking so much in term of authentication. It's never something simple like an API key, always a shitty iam like opaque function based on an opaque sdk needing to be installed that in the end requires a huge json. And most of the time, it is a pain in the ass to provide the token "as-is" in a buffer but the sdk expects that you give a file path to it. So, I easily guess that a lot of lazy devs will just store the credential json file in their project and consider it a job done.