Data analysis by GitGuardian
In 2024, GitGuardian scanned 69.6M public repositories, of which at least 4.61% contained a secret.
commit authors leaked a secret
pro-bono alert emails sent
of the secrets leaked in 2022 are still valid
Over the past 10 years, the use of stolen credentials has appeared in 31% of all breaches.
Breaches involving stolen or compromised credentials take an average of 292 days to identify and remediate.
Increase in leaked credentials from the previous year, indicating that secrets sprawl is worsening over time.
In 2024, we found 23,770,171 new hardcoded secrets added to public GitHub repositories. Secrets sprawl is steadily worsening over time.
of all detected leaks are Generic credentials.
A sharp increase from 2023.
GitGuardian's latest AI features now uncover significantly more generic secrets, providing the most comprehensive and accurate view of secrets sprawl.
GitHub's Push Protection has its limitations. While it reduces leaks for some key types, it struggles with generic secrets, the fastest-growing category. These are harder to detect because they lack a standardized pattern: a provider-issued key such as an AWS access key carries a recognizable prefix, while a database password or a value assigned to a variable named API_KEY does not. Many other credentials, such as MySQL and MongoDB connection strings, likewise lack a standardized prefix and still evade GitHub's filter.
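The gap described above is easiest to see in code. The scanner below is an added example written for this page, not GitGuardian's or GitHub's detection logic: provider-prefixed keys are matched with a plain regex at high confidence, database URIs are matched on their scheme://user:password@host shape, and generic credentials are only found by combining context (a suggestive variable name) with a Shannon-entropy check on the value. The sample input, the placeholder list and the 3.0-bit threshold are constructed for the example.

```python
import math
import re
from collections import Counter

# Provider-assigned secrets carry a fixed prefix, so a regex alone gives a
# high-confidence match. Formats here are the public ones (AWS, GitHub, Slack).
PREFIXED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"),
    "slack_webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[A-Za-z0-9]+"),
}

# Database URIs have no prefix, but the scheme://user:pass@host shape is stable.
CONNECTION_URI = re.compile(
    r"\b(?P<scheme>mysql|mongodb(?:\+srv)?|postgres(?:ql)?|redis)://"
    r"(?P<user>[^:/\s@]+):(?P<password>[^@/\s]+)@(?P<host>[^\s/]+)")

# Generic credentials: nothing in the value identifies it, so match on the
# surrounding context (a suggestive variable name) and then judge the value.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<key>[a-z0-9_.-]*(?:password|passwd|pwd|secret|token|api[_-]?key)"
    r"[a-z0-9_.-]*)\s*[:=]\s*['\"]?(?P<value>[^'\"\s,;]{8,})")

# Values that are obviously not live credentials (constructed list, extend as needed).
PLACEHOLDERS = {"changeme", "password", "example", "your_password", "<password>",
                "xxxxxxxx", "redacted"}


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking tokens score high, dictionary words low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value: str) -> bool:
    v = value.lower()
    return v in PLACEHOLDERS or v.startswith("${") or v.startswith("{{")


def scan(text: str, entropy_threshold: float = 3.0) -> list:
    """Return one finding per detected secret, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()  # values already reported on this line
        for kind, pattern in PREFIXED_PATTERNS.items():
            for m in pattern.finditer(line):
                seen.add(m.group(0))
                findings.append({"line": lineno, "kind": kind,
                                 "value": m.group(0), "confidence": "high"})
        for m in CONNECTION_URI.finditer(line):
            pw = m.group("password")
            if not is_placeholder(pw):
                seen.add(pw)
                findings.append({"line": lineno, "kind": m.group("scheme") + "_uri",
                                 "value": pw, "confidence": "medium"})
        for m in ASSIGNMENT.finditer(line):
            value = m.group("value")
            if value in seen or is_placeholder(value):
                continue
            # No prefix to rely on: entropy is the only signal left, so confidence is low.
            if shannon_entropy(value) >= entropy_threshold:
                findings.append({"line": lineno, "kind": "generic_credential",
                                 "value": value, "confidence": "low"})
    return findings


# Constructed sample file; the AWS key is the documented example key, not a live one.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DB_URL=mysql://app:Tr0ub4dor&3xyz@db.internal:3306/orders
MONGO_URI=mongodb+srv://svc:changeme@cluster0.example.net/prod
API_TOKEN = "${API_TOKEN}"
SMTP_PASSWORD: "p4$$w0rdZ9!kq2LmX"
password = "password"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']}: {f['kind']} ({f['confidence']}) -> {f['value']}")
```

The run reports the AWS key, the MySQL password and the SMTP password, and skips the templated value, the placeholder database password and the literal "password". The caveat is the last case in reverse: a low-entropy but real password such as DB_PASSWORD=hunter2hunter2 scores under the threshold and is missed, which is exactly why generic credentials stay the hardest category to detect and why a scanner like this is a complement to, not a replacement for, keeping secrets out of source in the first place.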
of all customers’ private repositories scanned contained at least one plaintext secret.
Developers treat secrets in private repositories less cautiously than in public ones, assuming privacy equals security. Private repos are 9 times more likely to contain secrets, and a private repository can become public through a misconfiguration or a breach. Organizations must enforce robust secrets management across all environments, not just public code.
of incidents in collaboration tools are classified as highly critical or urgent—a higher proportion than in code repositories.
Secrets are found leaking across various enterprise platforms. Slack, Jira, and Confluence leaks are widespread, yet often overlooked, as these collaboration tools lack built-in security safeguards.
Valid AWS keys remain exposed on Docker Hub.
GitGuardian’s largest-scale analysis of 15 million public Docker images uncovered 100,000 valid secrets, including AWS keys and GitHub tokens from Fortune 500 companies.
of repositories using secrets managers still leaked secrets in 2024.
Top 3 Leaked Secrets:
AWS IAM
Slack webhooks
Azure AD API keys
Misconfigurations, improper access control, and insecure authentication practices continue to expose credentials. Secrets sprawl remains a problem even in organizations with dedicated secrets managers.
When a secret leaks, remediation should be immediate. Yet, the data tells a different story.
of secrets leaked in 2022 are still valid today.
Remediation is slow because of enforcement gaps and complex workflows. Secrets stay valid for years because organizations lack the monitoring that would tell them a credential has leaked and the rotation process that would invalidate it.
The Non-Human Identity Crisis
Machine-to-machine communications dominate modern software architecture, but security policies have not kept pace. Non-human identities (NHIs) outnumber human users in corporate environments, and most of them authenticate with long-lived credentials that have little or no expiration. Without lifecycle management (an expiry, a rotation schedule and revocation when a key is unused or exposed), these long-lived credentials create enduring security vulnerabilities.
higher exposure rate than the average across all public repositories.
GitHub Copilot usage increased by 27% between 2023 and 2024.
GitGuardian found that public repositories using Copilot had a 6.4% secret leakage rate.
This suggests that while AI enhances productivity, it may also introduce security risks, reinforcing the need for strong secret detection controls.
Artifactory Token Exposures
Our case study reveals that Artifactory token leaks, while less common, pose a major supply chain risk. 60% of leaked tokens were in build configs, impacting production environments in critical sectors like pharma and energy.
AWS S3 Ransomware Attack
Attackers used valid AWS credentials to encrypt S3 buckets and demanded ransom for decryption. This shows how legitimate cloud features can be weaponized when secrets leak.